312-50V11 · Question #752
An IT employee got a call from one our best customers. The caller wanted to know about the company's network infrastructure, systems, and team. New opportunities of integration are in sight for both c
The correct answer is C. The employee should not provide any information without previous management authorization. Security policy requires management authorization before any internal network, system, or personnel information is disclosed, even to known customers.
Question
An IT employee got a call from one our best customers. The caller wanted to know about the company's network infrastructure, systems, and team. New opportunities of integration are in sight for both company and customer. What should this employee do?
Options
- AThe employee can not provide any information: but, anyway, he/she will provide the name of the
- BSince the company's policy is all about Customer Service. he/she will provide information
- CThe employee should not provide any information without previous management authorization
- DDisregarding the call, the employee should hand up
How the community answered
(62 responses)- A2% (1)
- B3% (2)
- C94% (58)
- D2% (1)
Why each option
Security policy requires management authorization before any internal network, system, or personnel information is disclosed, even to known customers.
Providing any information, including a staff member's name, without authorization can seed a social engineering attack by giving an attacker a foothold for further manipulation.
Customer service values do not override information security policies - disclosing sensitive infrastructure details violates the principle of least privilege and confidentiality.
Sensitive information about network infrastructure, systems, and team composition can be exploited in social engineering or targeted attacks. Even a trusted caller's identity cannot be verified over the phone without a proper verification process. Requiring management authorization ensures accountability and prevents unauthorized disclosure of confidential company data.
Hanging up without explanation is unprofessional, unnecessary, and does not follow proper security protocol, which requires polite redirection and escalation to an authorized person.
Concept tested: Social engineering prevention and information security policy
Source: https://www.nist.gov/cyberframework
Topics
Community Discussion
No community discussion yet for this question.