312-50V10 · Question #752
An IT employee got a call from one our best customers. The caller wanted to know about the company's network infrastructure, systems, and team. New opportunities of integration are in sight for both c
The correct answer is C. The employee should not provide any information without previous management authorization. This question tests security awareness around information disclosure, specifically the requirement to obtain management authorization before sharing internal company details with any external party.
Question
An IT employee got a call from one our best customers. The caller wanted to know about the company's network infrastructure, systems, and team. New opportunities of integration are in sight for both company and customer. What should this employee do?
Options
- AThe employee can not provide any information: but, anyway, he/she will provide the name of the
- BSince the company's policy is all about Customer Service. he/she will provide information
- CThe employee should not provide any information without previous management authorization
- DDisregarding the call, the employee should hand up
How the community answered
(30 responses)- B3% (1)
- C93% (28)
- D3% (1)
Why each option
This question tests security awareness around information disclosure, specifically the requirement to obtain management authorization before sharing internal company details with any external party.
Providing even the name of a technical contact without authorization is a partial disclosure that can enable social engineering by giving an attacker a named target.
A customer service orientation does not override information security policies; disclosing internal infrastructure details without authorization is a security violation regardless of the customer relationship.
Sharing network infrastructure details, system configurations, or team information with any external caller - even a known customer - without prior management authorization violates fundamental information security policy. Legitimate integration opportunities follow formal channels such as NDAs, authorized contacts, and managed disclosure processes. Acting without authorization exposes the company to social engineering exploitation and potential data breaches.
Hanging up is unnecessarily dismissive and unhelpful; the correct response is to acknowledge the inquiry and route it through proper authorization channels rather than ignoring it.
Concept tested: Information security policy and social engineering awareness
Source: https://csrc.nist.gov/publications/detail/sp/800-50/final
Topics
Community Discussion
No community discussion yet for this question.