312-50V11 · Question #40
An IT employee got a call from one of our best customers. The caller wanted to know about the company's network infrastructure, systems, and team. New opportunities of integration are in sight for bot
The correct answer is D. The employee should not provide any information without previous management authorization.. Employees must never share network infrastructure, system, or personnel details with any caller without explicit management authorization, because unsolicited requests for sensitive information are a classic social engineering pretext.
Question
An IT employee got a call from one of our best customers. The caller wanted to know about the company's network infrastructure, systems, and team. New opportunities of integration are in sight for both company and customer. What should this employee do?
Options
- AThe employees cannot provide any information; but, anyway, he/she will provide the name of the
- BSince the company's policy is all about Customer Service, he/she will provide information.
- CDisregarding the call, the employee should hang up.
- DThe employee should not provide any information without previous management authorization.
How the community answered
(22 responses)- C5% (1)
- D95% (21)
Why each option
Employees must never share network infrastructure, system, or personnel details with any caller without explicit management authorization, because unsolicited requests for sensitive information are a classic social engineering pretext.
Providing even a partial detail such as a team member's name without authorization still constitutes an unauthorized disclosure that can enable further targeted attacks.
A customer service culture or policy does not supersede the organization's information security policy, and customer relationships do not justify sharing sensitive infrastructure details without authorization.
Hanging up without explanation ignores proper security procedure, which requires politely declining the request and directing the caller through verified, authorized channels rather than simply disconnecting.
Providing sensitive organizational or technical information without management authorization violates the principle of least disclosure, regardless of how legitimate or familiar the caller appears. This scenario is a textbook social engineering scenario where an attacker poses as a trusted customer to gather reconnaissance data. Proper protocol requires verifying the request through official channels and obtaining explicit management sign-off before any sensitive details are shared.
Concept tested: Social engineering awareness and information disclosure policy
Source: https://csrc.nist.gov/publications/detail/sp/800-50/final
Topics
Community Discussion
No community discussion yet for this question.