ABSTRACT

Tricking a security guard into granting access to a building through social engineering does not directly obtain confidential information – the objective may instead be to disable a facility and deny access to information. To identify specific improvements to an organization's security, it is vital that IT security professionals can assess its vulnerabilities in a methodical way. Many organizations wanting to develop an effective Information Security Management System have looked to the ISO 27001 standard. This is a broad international standard covering many areas of security, including IT, human resources, physical security and business continuity. At the very early stages of information security risk identification, IT security professionals should spend some time thinking about their organization's information assets. Many organizations underestimate the risk associated with third parties who can access their information. The personnel department can be a significant source of social engineering risk, as it is often responsible for establishing identity checks.