312-50V10 · Question #40
An IT employee got a call from one of our best customers. The caller wanted to know about the company's network infrastructure, systems, and team. New opportunities of integration are in sight for bot
The correct answer is D. The employee should not provide any information without previous management authorization.. Sensitive company information about infrastructure, systems, and personnel must never be disclosed without explicit management authorization, as unsolicited callers may be conducting social engineering attacks.
Question
An IT employee got a call from one of our best customers. The caller wanted to know about the company's network infrastructure, systems, and team. New opportunities of integration are in sight for both company and customer. What should this employee do?
Options
- AThe employees cannot provide any information; but, anyway, he/she will provide the name of the
- BSince the company's policy is all about Customer Service, he/she will provide information.
- CDisregarding the call, the employee should hang up.
- DThe employee should not provide any information without previous management authorization.
How the community answered
(32 responses)- A6% (2)
- C3% (1)
- D91% (29)
Why each option
Sensitive company information about infrastructure, systems, and personnel must never be disclosed without explicit management authorization, as unsolicited callers may be conducting social engineering attacks.
Providing even one employee name without authorization can aid an attacker in targeting personnel through spear phishing or pretexting, making this response still a security risk.
A customer service policy cannot override information security policy; disclosing sensitive infrastructure and team details to any caller without verification and authorization creates serious risk.
Hanging up without explanation is unprofessional and unnecessary; the correct approach is to politely decline and seek management guidance rather than abruptly ending the call.
Even a trusted customer relationship does not grant automatic access to internal network infrastructure details or staff information. Providing such data without management authorization violates security policy and could facilitate a social engineering attack or unauthorized access, so the employee must escalate for approval first.
Concept tested: Social engineering defense and information disclosure policy
Source: https://csrc.nist.gov/publications/detail/sp/800-50/final
Topics
Community Discussion
No community discussion yet for this question.