The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [141]

the company; by telephone outside the company if encrypted; by encrypted satellite transmission; by encrypted videoconferencing link; and by encrypted Voice Over Internet Protocol (VoIP).

For transmission by fax machine, the recommended method calls for the sender to transmit a cover page; the recipient, on receiving the page, transmits a page in response, demonstrating that he/she is at the fax machine. The sender then transmits the fax.

The following means of communication are not acceptable for discussing or distributing Confidential information: unencrypted email, voice mail message, regular mail, or any wireless communication method (cellular, Short Message Service, or cordless).

2-4 Distribution of Private information

Policy: Private information, which is personal information about an employee or employees that, if disclosed, could be used to harm employees or the company, may be delivered only to a Trusted Person who is authorized to receive it.

Explanation/Notes: Private information in a physical form (that is, hard-copy or data on a removable storage medium) may be delivered:

• In person

• By internal mail, sealed and marked with the Private classification

• By regular mail

Private information in electronic form (computer files, database files, email) may be delivered:

• By internal email.

• By electronic transfer to a server within the company internal network.

• By facsimile, provided that only the intended recipient uses the destination machine, or that the intended recipient is waiting at the destination machine while the fax is being sent. Facsimiles can also be sent to password-protected fax servers. As an alternative, facsimiles can be sent without the recipient present if sent over an encrypted telephone link to a password-protected fax server.

Private information may be discussed in person; by telephone; by satellite transmission; by videoconferencing link; and by encrypted VoIP.

The following means of communication are not acceptable for discussing or distributing Private information: unencrypted email, voice mail message, regular mail, or any wireless communication method (cellular, SMS, or cordless).

2-5 Distribution of Internal information

Policy: Internal information is information to be shared only within the company or with other Trusted persons who have signed a nondisclosure agreement. You must establish guidelines for the distribution of Internal information.

Explanation/Notes: Internal information may be distributed in any form, including internal email, but may not be distributed outside the company in email form unless encrypted.

2-6 Discussing Sensitive information over the telephone

Policy: Prior to releasing any information that is not designated as Public over the telephone, the person releasing such information must personally recognize the requester’s voice through prior business contact, or the company phone system must identify the call as being from an internal telephone number that has been assigned to the requester.

Explanation/Notes: If the requester’s voice is not known, call the requester’s internal phone number to verify the requester’s voice through a recorded voice mail message, or have the requester’s manager verify the requester’s identity and need to know.

2-7 Lobby or reception personnel procedures

Policy: Lobby personnel must obtain photo identification prior to releasing any package to any person who is not known to be an active employee. A log should be kept for recording the person’s name, driver’s license number, birth date, the item picked up, and the date and time of such pickup.

Explanation/Notes: This policy also applies to handing over outgoing packages to any messenger or courier service such as FedEx, UPS, or Airborne Express. These companies issue identification cards that can be used to verify employee identity.

2-8 Transfer of software to third parties

Policy: Prior to the transfer or disclosure of any software, program, or computer instructions, the requester’s identity must be positively verified,
