The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [147]

awareness training

Policy: All persons employed by the company must complete a security awareness training course during employee orientation. Furthermore, each employee must take a security awareness refresher course at periodic intervals, not to exceed twelve months, as required by the department assigned with security-training responsibility.

Explanation/Notes: Many organizations disregard end-user awareness training altogether. According to the 2001 Global Information Security Survey, only 30 percent of the surveyed organizations spend money on awareness training for their user community. Awareness training is an essential requirement to mitigate successful security breaches utilizing social engineering techniques.

4-18 Security training course for computer access

Policy: Personnel must attend and successfully complete a security information course before being given access to any corporate computer systems.

Explanation/Notes: Social engineers frequently target new employees, knowing that as a group they are generally the people least likely to be aware of the company’s security policies and the proper procedures to determine classification and handling of sensitive information.

Training should include an opportunity for employees to ask questions about security policies. After training, the account holder should be required to sign a document acknowledging their understanding of the security policies, and their agreement to abide by the policies.

4-19 Employee badge must be color-coded

Policy: Identification badges must be color-coded to indicate whether the badge holder is an employee, contractor, temporary, vendor, consultant, visitor, or intern.

Explanation/Notes: The color of the badge is an excellent way to determine the status of a person from a distance. An alternative would be to use large lettering to indicate the badge holder’s status, but using a color-coded scheme is unmistakable and easier to see.

A common social engineering tactic to gain access to a physical building is to dress up as a delivery person or repair technician. Once inside the facility, the attacker will masquerade as another employee or lie about his status to obtain cooperation from unsuspecting employees. The purpose of this policy is to prevent people from entering the building legitimately and then entering areas they should not have access to. For example, a person entering the facility as a telephone repair technician would not be able to masquerade as an employee: The color of the badge would give him away.

INFORMATION TECHNOLOGY POLICIES

The information technology department of any company has a special need for policies that help it protect the organization’s information assets. To reflect the typical structure of IT operations in an organization, I have divided the IT policies into General, Help Desk, Computer Administration, and Computer Operations.

General

5-1 IT department employee contact information

Policy: Phone numbers and email addresses of individual IT department employees should not be disclosed to any person without a need to know.

Explanation/Notes: The purpose of this policy is to prevent contact information from being abused by social engineers. By only disclosing a general contact number or email address for IT, outsiders will be blocked from contacting IT department personnel directly. The email address for site administrative and technical contacts should only consist of generic names such as admin@companyname.com; published telephone numbers should connect to a departmental voice mailbox, not to individual workers.

When direct contact information is available, it becomes easy for a computer intruder to reach specific IT employees and trick them into providing information that can be used in an attack, or to impersonate IT employees by using their names and contact information.

5-2 Technical support requests

Policy: All technical support requests must be referred to the group that handles such requests.

Explanation/Notes: Social engineers may attempt to target IT
