
Management Of Information Security, 6th Edition
ISBN: 9781337405713
Author: Michael Whitman
Publisher: Cengage Learning
Chapter 4: Information Security Policy
Section: Chapter Questions
Problem 2E
Question

- A policy conundrum

Your organization has the following statements regarding phishing/social engineering in the employee manual:

  • All employees are required to complete annual security awareness training as provided by the Information Security team. Employees must successfully complete the training and achieve an established minimum score on any quizzes associated with the training.
  • The organization will conduct routine evaluations of the effectiveness of security awareness training through simulated phishing tests. Employees who incorrectly identify simulated phishing emails must complete additional security awareness training, and their manager will be notified. If an employee incorrectly identifies 3 or more simulated phishing emails, additional action may be taken by the employee’s manager, up to and including termination.
  • Employees are required to report any suspicious emails to the organization’s Information Security team using the Suspicious Mail button located in the organization’s email program. Employees who click on malicious links will be required to complete additional security awareness training. Repeated occurrences will be subject to additional personnel action as determined by the employee’s manager and HR.

The top salesperson in the organization (who brings in 22% of the company’s net sales) has completed the security awareness training but has failed 4 of the last 5 phishing tests and clicked on 3 bad links in the past 6 months. If you were the CIO, how would you address the situation?
