A roughly 3-page information security policy template on social engineering.
Workers must be alert to the signs of possible social engineering attacks and respond appropriately, and are forbidden from using social engineering techniques inappropriately.
Social engineering is a 'dual use technology'. Although information security professionals tend to think and speak of it in purely negative terms, as a threat, marketing, security awareness, training, management, lobbying, debate and 'persuasion' are all examples of social engineering being used legitimately and appropriately in the best interests of the business.
Raising awareness of the breadth of this topic is an obvious benefit of this policy. People who understand social engineering are more likely to spot and respond appropriately to the associated information risks. Managers should appreciate its potential as a form of security control (e.g. encouraging workers to behave ethically and responsibly through guidance, awareness and training).
Supplied as an MS Word document, readily customised for your organisation's specific situation.
Social engineering policy
Information security policy template on social engineering
See also the policies on:
- Information risk management
- Email and messaging security
- Insider threats
- Outsider threats
- Threat intelligence
- Cybersecurity
- Ethics
- Backups and archives
- Incident reporting
- Incident management
- Business Continuity Management
- Physical information security
- Monitoring and surveillance
- Security awareness and training
- Access control
- Protecting proprietary information
- Protecting intellectual assets