nerdexam
EC-Council

312-50V11 · Question #752

An IT employee got a call from one our best customers. The caller wanted to know about the company's network infrastructure, systems, and team. New opportunities of integration are in sight for both c

The correct answer is C. The employee should not provide any information without previous management authorization. Security policy requires management authorization before any internal network, system, or personnel information is disclosed, even to known customers.

Social Engineering

Question

An IT employee got a call from one our best customers. The caller wanted to know about the company's network infrastructure, systems, and team. New opportunities of integration are in sight for both company and customer. What should this employee do?

Options

  • AThe employee can not provide any information: but, anyway, he/she will provide the name of the
  • BSince the company's policy is all about Customer Service. he/she will provide information
  • CThe employee should not provide any information without previous management authorization
  • DDisregarding the call, the employee should hand up

How the community answered

(62 responses)
  • A
    2% (1)
  • B
    3% (2)
  • C
    94% (58)
  • D
    2% (1)

Why each option

Security policy requires management authorization before any internal network, system, or personnel information is disclosed, even to known customers.

AThe employee can not provide any information: but, anyway, he/she will provide the name of the

Providing any information, including a staff member's name, without authorization can seed a social engineering attack by giving an attacker a foothold for further manipulation.

BSince the company's policy is all about Customer Service. he/she will provide information

Customer service values do not override information security policies - disclosing sensitive infrastructure details violates the principle of least privilege and confidentiality.

CThe employee should not provide any information without previous management authorizationCorrect

Sensitive information about network infrastructure, systems, and team composition can be exploited in social engineering or targeted attacks. Even a trusted caller's identity cannot be verified over the phone without a proper verification process. Requiring management authorization ensures accountability and prevents unauthorized disclosure of confidential company data.

DDisregarding the call, the employee should hand up

Hanging up without explanation is unprofessional, unnecessary, and does not follow proper security protocol, which requires polite redirection and escalation to an authorized person.

Concept tested: Social engineering prevention and information security policy

Source: https://www.nist.gov/cyberframework

Topics

#social engineering#information disclosure#security policy#pretexting

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice