Template: Social Engineering Avoidance Procedure



Uploaded: 24.12.2023 (13.87 KB)


Social Engineering Avoidance Procedure
To protect the assets of [Organization], all employees must defend the integrity and confidentiality of [Organization]’s resources. This procedure outlines steps that educate end users to recognize and defend against social engineering attacks. 
  1. Purpose
    The purpose of this procedure is to make employees aware that fraudulent social engineering attacks occur and that there are techniques they can use to avoid these attacks.

  2. Scope

All staff, employees, and entities working on behalf of [Organization] are subject to this procedure.




  3. Procedure

Use caution with sensitive information when an unrecognized source uses any of the following terminology or techniques:


  • Request is of an “urgent matter”

  • Indication of a “forgotten password”

  • Warnings of a “computer virus emergency”

  • Threat of intimidation from “higher level management”

  • “Name dropping” by the individual to give the appearance that the request comes from legitimate and authorized personnel

  • The requestor asks for information that would reveal passwords, or the model, serial number, brand, or quantity of [Organization] resources.

  • The techniques are used by an unknown (not promptly verifiable) individual via phone, email, online, fax, or in person.

  • The techniques are used by an individual who claims to be “affiliated” with [Organization], such as a sub-contractor.

  • The techniques are used by an individual who claims to be a reporter from a well-known publisher or TV/radio company.

  • The requestor uses flattery or appeals to ego or vanity, for example complimenting front desk employees on their intelligence or capabilities, or making inappropriately familiar greetings as a stranger.

Action

  • All staff must attend security awareness training within 60 days of the start of employment and annually thereafter.

  • If any of the suspicious techniques referenced above are noted, the identity of the requestor MUST be verified before continuing the conversation or replying by email, fax, or online.

  1. If any of the suspicious techniques referenced above are noted, staff must immediately contact their direct supervisor or manager.

  2. If the supervisor or manager is not available, then the Cybersecurity team must be notified.

  3. If security personnel are not available, staff should end the conversation, email, or online chat immediately and report the incident to their supervisor before the end of the business day.
  4. Enforcement


Violations of this procedure may be reported to the appropriate supervisor and may result in disciplinary action, up to and including termination.
The [Department] will verify compliance with this procedure through various methods, including but not limited to: periodic walk-throughs, business tool reports, internal and external audits, and device restrictions.



  5. Definitions



