Nine out of every ten large corporations and
government agencies have been attacked by computer intruders, to judge from the
results of a survey conducted by the FBI and reported by the Associated Press in
April 2002. Interestingly, the study found that only about one company in three
reported or publicly acknowledged any attacks. That reticence to reveal their
victimization makes sense. To avoid loss of customer confidence and to prevent
further attacks by intruders who learn that a company may be vulnerable, most
businesses do not publicly report computer security incidents.
It appears that there are no statistics on social engineering
attacks, and if there were, the numbers would be highly unreliable; in most
cases a company never knows when a social engineer has "stolen"
information, so many attacks go unnoticed and unreported.
Security policies are clear instructions
that set the guidelines for employee behavior in safeguarding information,
and are a fundamental building block in developing effective controls to
counter potential security threats. These policies are even more
significant when it comes to preventing and detecting social engineering
attacks, because the control being attacked is the employee, not a system.
Effective security controls are implemented by training
employees with well-documented policies and procedures. However, it is
important to note that security policies, even if religiously followed
by all employees, are not guaranteed to prevent every social engineering
attack. Rather, the reasonable goal is always to mitigate the risk to an
acceptable level.
A data classification policy is fundamental
to protecting an organization's information assets, and sets up categories for
governing the release of sensitive information. This policy provides a
framework for protecting corporate information by making all employees aware of
the level of sensitivity of each piece of information.
Operating without a data classification policy—the status quo in
almost all companies today—leaves most of these decisions in the hands of
individual workers. Naturally, employee decisions are largely based on subjective
factors, rather than on the sensitivity, criticality, and value of information.
Information is also released because employees are ignorant of the possibility
that in responding to a request for the information, they may be putting it
into the hands of an attacker.
Information thieves commonly use deceptive
tactics to access or obtain confidential business information by masquerading
as legitimate employees, contractors, vendors, or business partners. To
maintain effective information security, an employee
receiving a request to perform an action or provide sensitive information must
positively identify the requester and verify that person's authority before
granting the request, regardless of the channel the request arrives on.
The recommended procedures given in this chapter are designed to
help an employee who receives a request via any communication method such as
telephone, email, or fax to determine whether the request and the person making
it are legitimate.
The following policies pertain to
management-level employees. These are divided into the areas of Data
Classification, Information Disclosure, Phone Administration, and Miscellaneous
Policies. Note that each category of policies uses a unique numbering structure
for easy identification of individual policies.
The information technology department
of any company has a special need for policies that help it protect the
organization's information assets. To reflect the typical structure of IT
operations in an organization, I have divided the IT policies into General,
Help Desk, Computer Administration, and Computer Operations.
Telecommuters work outside the
corporate firewall, so their systems and connections are more exposed to attack
than those on the internal network. These policies
will help you prevent social engineers from using your telecommuter employees
as a gateway to your data.
Human resources departments have a
special charge to protect employees from those attempting to discover personal
information through their workplace. HR professionals also have a
responsibility to protect their company from the actions of unhappy
ex-employees.
Though social engineers try to avoid
showing up in person at a workplace they want to target, there are times when
they will enter your premises. These policies will help you keep your
physical premises secure from that threat.
Receptionists are often on the front
lines when it comes to dealing with social engineers, yet they are rarely given
enough security training to recognize and stop an intruder. Institute these policies to
help your receptionist better protect your company and its data.