The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [156]

Explanation/Notes: Computer intruders often contact computer operations employees to obtain valuable information such as system access procedures, external points for remote access, and dial-in telephone numbers that are of substantial value to the attacker.

In companies that have technical support staff or a help desk, requests to the computer operations staff for information about computer systems or related devices should be considered unusual. Any information request should be scrutinized under the corporate data classification policy to determine whether the requester is authorized to have such information. When the class of information cannot be determined, the information should be considered to be Internal.

In some cases, outside vendor technical support will need to communicate with persons who have access to enterprise computer systems. Vendors must have specific contacts in the IT department so that those individuals can recognize each other for verification purposes.

8-4 Disclosure of passwords

Policy: Computer operations staff must never reveal their password, or any other passwords entrusted to them, without prior approval of an information technology manager.

Explanation/Notes: In general terms, revealing any password to another is strictly prohibited. This policy recognizes that operations personnel may need to disclose a password to a third party when exigent situations arise. This exception to the general policy prohibiting disclosure of any password requires specific approval of an information technology manager. For extra precaution, this responsibility of disclosing authentication information should be limited to a small group of individuals who have received special training on verification procedures.

8-5 Electronic media

Policy: All electronic media that contains information not designated for public release shall be locked in a physically secure location.

Explanation/Notes: The intention of this policy is to prevent physical theft of Sensitive information stored on electronic media.

8-6 Backup media

Policy: Operations personnel should store backup media in a company safe or other secure location.

Explanation/Notes: Backup media is another prime target of computer intruders. An attacker is not going to spend time attempting to compromise a computer system or network when the weakest link in the chain might be physically unprotected backup media. Once backup media is stolen, the attacker can compromise the confidentiality of any data stored on it, unless the data is encrypted. Therefore, physically securing backup media is an essential process to protect the confidentiality of corporate information.

POLICIES FOR ALL EMPLOYEES

Whether in IT or human resources, the accounting department, or the maintenance staff, there are certain security policies that every employee of your company must know. These policies fall into the categories of General, Computer Use, Email Use, policies for Telecommuters, Phone Use, Fax Use, Voice Mail Use, and Passwords.

General

9-1 Reporting suspicious calls

Policy: Employees who suspect that they may be the subject of a security violation, including any suspicious requests to disclose information or to perform action items on a computer, must immediately report the event to the company’s incident reporting group.

Explanation/Notes: When a social engineer fails to convince his or her target to comply with a demand, the attacker will always try someone else. By reporting a suspicious call or event, an employee takes the first step in alerting the company that an attack may be under way. Thus, individual employees are the first line of defense against social engineering attacks.

9-2 Documenting suspicious calls

Policy: In the event of a suspicious phone call that appears to be a social engineering attack, the employee shall, to the extent practical, draw out the caller to learn details that might reveal what the attacker is attempting to accomplish, and make notes of these details for reporting purposes.

Explanation/Notes: