SANS Assessment of Student Learning Plan (ASLP) Security Awareness Training

If Felicia in Human Resources receives an urgent email asking for sensitive information, what should she do?

• A. Ignore the email
• B. Reply with the requested information
• C. Call her boss to confirm the request
• D. Send the information via a secure document

The correct answer is: Call her boss to confirm the request

When confronted with an urgent email requesting sensitive information, the best course of action is to verify the legitimacy of the request before taking any further steps. This aligns with security best practices aimed at preventing data breaches and protecting sensitive information. By calling her boss to confirm the request, Felicia ensures that she is not falling victim to a phishing attempt or any form of social engineering. Attackers often create a sense of urgency to provoke hasty decisions, which can lead to unintentional data exposure. Verifying the request directly with her supervisor allows Felicia to clarify whether the request is legitimate and prevents potential compromises of sensitive HR data. Taking this precaution reinforces the importance of communication and verification in maintaining security within the organization. Other approaches, such as ignoring the email or replying with the information, could lead to severe security risks—either leaving a potential threat unaddressed or exposing sensitive data. Sending the information via a secure document, while a better option than providing it outright, still assumes that the request was legitimate without confirmation, which could still expose Felicia and her organization to risks. Hence, confirming the request is the most prudent and secure action to take.