As you analyze any modern corporate setup, you will see that companies want to ensure that all users are aware of their own individual responsibility to help protect the enterprise. Social engineering (SE) is becoming a more prevalent threat at all levels of business. To combat it, you first need to understand it. Therefore, you must complete the following:
- Describe what social engineering is and explain its existence and prevalence.
- Explain why SE is an important part of an information technology security course.
- Discuss employee and management responsibilities with regard to information security and combatting SE. Make sure your work clarifies your opinion as to who carries more responsibility for preventing SE: the employees or management. Provide examples to back up your statements.
Prepare a 1-page Word document that covers the above areas.
Group Work
Your group is working for a global organization that handles highly classified intellectual property. In many situations and scenarios, the implementation and operations teams have been creating and setting up environments that violate your vision for security. After discussing the situation with various parties, they all admit they do not fully know or understand what is expected from them as they set up and configure the environment. To solve this situation, your group has been asked to create a network security policy for the organization.
Each group member will choose an element of the policy to design, and the group will collaborate on what the overall design and outline should look like. The policy should include components covering end-user behavior and a training plan, file and folder access, social engineering safeguards, bring-your-own-device policies, use of external drives on company assets, security hardware, penetration testing, and affiliation of the information security department with law enforcement agencies. Students may either interview someone in the local FBI field office or research the FBI and DHS Web sites related to information sharing programs that the government offers, as this could be advantageous to the organization's information security program.
- To keep the scope narrow, your group should first describe what should be included and what should not be included in the policy (remember that a policy should clearly set management's expectations).
- After the scope has been defined, research the various components, and create an appropriate policy.