
Social Engineering in ISO 27799

$299.00
When you get access:
Course access is prepared after purchase and delivered via email
Toolkit Included:
Includes a practical, ready-to-use toolkit containing implementation templates, worksheets, checklists, and decision-support materials used to accelerate real-world application and reduce setup time.
Your guarantee:
30-day money-back guarantee — no questions asked
Who trusts this:
Trusted by professionals in 160+ countries
How you learn:
Self-paced • Lifetime updates

This curriculum covers the design and operationalization of social engineering controls across a healthcare organization. In scope it is comparable to a multi-phase advisory engagement that integrates risk governance, policy, technical controls, third-party management, and continuous monitoring into an existing ISO 27799-aligned security program.

Module 1: Establishing Governance Frameworks for Human Risk

  • Define scope boundaries for social engineering controls within existing ISO 27799-aligned information security governance structures.
  • Select governance roles responsible for overseeing social engineering risk, including data protection officers and chief information security officers.
  • Integrate social engineering risk criteria into enterprise risk registers without duplicating phishing-specific entries.
  • Align social engineering policies with the regulatory mandates that govern patient data in the organization's jurisdictions, such as HIPAA and GDPR, focusing on patient data handling.
  • Develop escalation paths for reporting suspected social engineering incidents that bypass compromised communication channels.
  • Implement a formal approval workflow for exceptions to social engineering safeguards, such as authorized impersonation testing.
  • Establish thresholds for when social engineering incidents trigger board-level reporting based on data sensitivity and volume.
  • Document decision rationales for excluding certain user populations (e.g., third-party vendors) from baseline awareness training.

Module 2: Risk Assessment and Threat Modeling for Human Attack Vectors

  • Conduct threat modeling sessions that include pretexting, tailgating, and impersonation scenarios specific to clinical environments.
  • Map social engineering attack paths to critical healthcare assets such as electronic health record systems and medical IoT devices.
  • Assign likelihood scores to social engineering tactics based on historical incident data from peer healthcare organizations.
  • Adjust risk ratings upward for high-privilege roles (e.g., system administrators, billing managers) exposed to targeted spear-phishing.
  • Validate assumptions in threat models by reviewing red team findings from physical penetration tests in outpatient clinics.
  • Exclude low-impact scenarios (e.g., non-sensitive data baiting) from formal risk treatment plans to prioritize resources.
  • Update threat models quarterly to reflect emerging tactics such as deepfake voice calls targeting pharmacy staff.
  • Coordinate with legal counsel to assess liability exposure from unmitigated social engineering risks in patient communication channels.

Module 3: Policy Development for Behavioral Controls

  • Draft mandatory verification procedures for identity confirmation before releasing patient information over the phone.
  • Prohibit the use of personal email for work-related communications, with documented exceptions for telehealth providers in remote areas.
  • Define acceptable use of social media for healthcare staff, including restrictions on sharing workplace photos or schedules.
  • Require multi-person validation for financial transactions initiated via email, especially in accounts payable departments.
  • Specify consequences for policy violations involving unauthorized disclosure of access credentials during phishing simulations.
  • Include language in policies that permit monitoring of employee response rates to simulated social engineering campaigns.
  • Restrict physical access to server rooms and records storage areas through mantrap entries and visitor escort requirements.
  • Update policies to address risks from home-based staff, including secure handling of printed patient documents.

Module 4: Designing Targeted Awareness and Simulations

  • Select simulation frequency based on role criticality, with clinical leadership receiving quarterly vishing tests.
  • Customize phishing templates to reflect real-world healthcare themes such as fake lab results or vaccine supply notices.
  • Exclude users who failed a recent simulation from follow-up simulations for a 30-day cooling-off period.
  • Deploy USB drop exercises in research departments with clear legal authorization and post-engagement disclosure.
  • Track click-through and reporting rates by department to identify units requiring remedial training.
  • Use A/B testing to compare effectiveness of different reporting interface designs within the EHR system.
  • Coordinate simulation timing to avoid clinical peak periods such as shift changes or patient admission surges.
  • Document consent protocols for including new hires in baseline assessment simulations during onboarding.

Module 5: Integrating Controls into Access Management

  • Enforce step-up authentication for remote access to patient databases after detection of suspicious login patterns.
  • Implement time-of-day restrictions for administrative access to minimize exploitation during off-hours.
  • Introduce role-based access review workflows that include verification of continued need-to-know for sensitive data.
  • Link access revocation processes to HR offboarding systems with automated triggers upon termination.
  • Require secondary approval for temporary access elevation requests submitted via email or messaging platforms.
  • Deploy context-aware access controls that flag logins from atypical locations or devices for manual review.
  • Integrate failed simulation responses into user risk scoring for adaptive authentication thresholds.
  • Configure privileged access management tools to block credential caching on shared clinical workstations.
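A compact decision engine for the access-management controls listed above (step-up on unfamiliar device or country, off-hours restrictions for administrators, a step-up threshold tightened by the user's failed-simulation count) that also performs the failed-login-then-new-region correlation the monitoring module calls for. This is an added example, not course material or any vendor's product; the user names, devices, countries, thresholds and log lines are all constructed.

```python
"""Context-aware access decisions for a clinical environment: per-user device and
country baseline, recent failed logins, off-hours admin access, and a risk score
derived from failed phishing/vishing simulations. Added illustration; users,
devices, thresholds and log lines are constructed, not from any real deployment."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed baselines of what an identity provider has seen for each user.
# All identifiers are hypothetical.
BASELINE = {
    "nurse.lee": {"devices": {"WS-ICU-07"}, "countries": {"US"}},
    "admin.roy": {"devices": {"LT-ADM-02"}, "countries": {"US"}},
}
ROLES = {"nurse.lee": "clinical", "admin.roy": "admin"}
# Failed simulations in the last 90 days; lowers the step-up threshold.
SIM_FAILURES = {"nurse.lee": 0, "admin.roy": 2}
ADMIN_HOURS = range(6, 20)          # admin access outside 06:00-19:59 needs step-up
FAILURE_WINDOW = timedelta(minutes=15)

# Constructed authentication log: "<ISO timestamp> <user> <outcome> <country> <device>"
LOG = """\
2024-03-01T02:10:00 admin.roy failure DE LT-UNKNOWN
2024-03-01T02:11:00 admin.roy failure DE LT-UNKNOWN
2024-03-01T02:12:00 admin.roy success DE LT-UNKNOWN
2024-03-01T09:00:00 nurse.lee success US WS-ICU-07
2024-03-01T09:05:00 nurse.lee success US WS-ICU-09
2024-03-01T14:00:00 admin.roy success US LT-ADM-02
"""


@dataclass
class Event:
    ts: datetime
    user: str
    outcome: str
    country: str
    device: str


def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, outcome, country, device = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, outcome, country, device))
    return events


def step_up_threshold(user):
    """Failed logins inside FAILURE_WINDOW that trigger step-up; users with failed
    simulations get a lower threshold (adaptive authentication), never below 1."""
    return max(1, 3 - SIM_FAILURES.get(user, 0))


def decide(events):
    """Return (ts, user, decision, reasons) for every successful login, in time order."""
    decisions, failures = [], []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.outcome != "success":
            failures.append(ev)
            continue
        base = BASELINE.get(ev.user, {"devices": set(), "countries": set()})
        recent = sum(1 for f in failures
                     if f.user == ev.user and timedelta(0) <= ev.ts - f.ts <= FAILURE_WINDOW)
        reasons = []
        new_country = ev.country not in base["countries"]
        if new_country:
            reasons.append("new_country")
        if ev.device not in base["devices"]:
            reasons.append("new_device")
        burst = recent >= step_up_threshold(ev.user)
        if burst:
            reasons.append(f"failed_logins={recent}")
        if ROLES.get(ev.user) == "admin" and ev.ts.hour not in ADMIN_HOURS:
            reasons.append("admin_off_hours")
        # SIEM-style correlation: a failed-login burst followed by success from a
        # country never seen for this user is held for manual review, not just step-up.
        if new_country and burst:
            decision = "BLOCK_FOR_REVIEW"
        elif reasons:
            decision = "STEP_UP"
        else:
            decision = "ALLOW"
        decisions.append((ev.ts, ev.user, decision, reasons))
    return decisions


def run_demo():
    return decide(parse_log(LOG))


if __name__ == "__main__":
    for ts, user, decision, reasons in run_demo():
        print(f"{ts:%H:%M} {user:10} {decision:16} {', '.join(reasons)}")
```

Running it shows admin.roy held for review at 02:12 (two failures, then success from a new country on an unknown device, off-hours), nurse.lee stepped up only for the unfamiliar workstation, and the daytime admin login from the baseline laptop allowed. The threshold function is where simulation results feed adaptive authentication: a user with two failed simulations is stepped up after a single failed attempt, a user with none after three.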

Module 6: Physical and Environmental Safeguards

  • Install surveillance cameras at entry points to monitor for tailgating incidents in restricted areas.
  • Implement badge visibility policies requiring all staff and visitors to wear photo IDs at all times.
  • Conduct periodic audits of unattended workstations in nursing stations and administrative offices.
  • Deploy locking screen savers with short inactivity timeouts on devices handling protected health information.
  • Establish secure document disposal procedures for printed patient records in examination rooms.
  • Design visitor check-in workflows that include temporary badge issuance and escort requirements.
  • Place visual deterrent signage near entry points warning of monitoring for unauthorized access attempts.
  • Control delivery access to data centers and records storage by requiring pre-approved appointment slots.

Module 7: Third-Party and Supply Chain Risk Management

  • Require business associates to demonstrate social engineering training completion for their personnel with access to PHI.
  • Include incident notification clauses in contracts specifying timelines for reporting social engineering breaches.
  • Conduct on-site assessments of vendor facilities to verify physical security controls for shared data processing.
  • Restrict third-party remote access to healthcare systems through jump servers with session logging.
  • Validate background check procedures for vendor employees performing on-premises maintenance.
  • Perform social engineering simulations on third-party call center staff handling patient appointment scheduling.
  • Deny vendors access to legacy systems that lack modern authentication when the vendor cannot meet compensating control requirements.
  • Document risk acceptance decisions for high-dependency suppliers with limited security maturity.

Module 8: Monitoring, Detection, and Response

  • Deploy email header analysis tools to detect display name spoofing in messages targeting finance departments.
  • Configure SIEM rules to correlate failed login attempts with subsequent access from new geographic regions.
  • Establish a dedicated incident response playbook for business email compromise targeting executive staff.
  • Integrate helpdesk ticketing data to identify spikes in password reset requests as potential attack indicators.
  • Designate a secure out-of-band communication channel for reporting suspected impersonation attempts.
  • Implement automated quarantining of emails containing urgent financial requests with mismatched sender domains (for example, a Reply-To or Return-Path domain that differs from the From domain).
  • Conduct post-incident interviews with targeted individuals to reconstruct attacker tactics and improve detection.
  • Log and review all access to patient records made outside normal clinical workflows or care teams.
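The header and content checks behind the display-name spoofing and automated quarantine bullets above, run over constructed messages. This is an added example, not course material or a product feature; the organization domain, executive names and the three messages are placeholders, and the quarantine rule (urgent financial language plus at least one sender anomaly) is an assumed tuning, not a standard.

```python
"""Mail-flow checks for business email compromise: display-name spoofing of
protected executives, Reply-To / Return-Path domains that differ from the From
domain, look-alike sender domains, and urgent financial language. Added
illustration; the organisation domain, executive names and messages are
constructed placeholders."""
import email
import re
from email.utils import parseaddr

ORG_DOMAINS = {"mercyhealth.example"}                 # placeholder organisation domain
PROTECTED_NAMES = {"maria chen", "daniel okafor"}     # placeholder executives
URGENT_FINANCIAL = re.compile(
    r"\b(urgent|wire|payment|invoice|bank details|gift card)\b", re.IGNORECASE)
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})
SENDER_HEADERS = {"Reply-To": "reply_to", "Return-Path": "return_path"}

# Constructed messages: a legitimate note, an executive impersonation from a
# free-mail address, and a payment-redirect with look-alike reply/bounce domains.
MSG_LEGIT = """\
From: Maria Chen <m.chen@mercyhealth.example>
Return-Path: <m.chen@mercyhealth.example>
To: finance@mercyhealth.example
Subject: Q2 budget review

Please review the attached budget before Friday's meeting.
"""
MSG_SPOOF = """\
From: "Maria Chen, CFO" <maria.chen.cfo@freemail.example>
Return-Path: <maria.chen.cfo@freemail.example>
To: ap@mercyhealth.example
Subject: Urgent - need this done today

I'm in a meeting and can't talk. Process a wire payment to the vendor below today and keep it confidential.
"""
MSG_REPLYTO = """\
From: Accounts Payable <ap@mercyhealth.example>
Reply-To: ap-desk@mercyhea1th-billing.example
Return-Path: <bounce@mercyhea1th-billing.example>
To: finance@mercyhealth.example
Subject: Updated invoice and bank details

Our bank details changed. Please update the payment record before the next run.
"""


def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_lookalike(domain):
    """True when a non-organisation domain's first label resembles ours after
    undoing common digit-for-letter substitutions (mercyhea1th -> mercyhealth)."""
    if not domain or domain in ORG_DOMAINS:
        return False
    label = domain.split(".")[0].translate(HOMOGLYPHS).replace("rn", "m")
    return any(d.split(".")[0] in label for d in ORG_DOMAINS)


def analyse(raw):
    """Return (action, findings). QUARANTINE requires urgent financial language
    plus at least one sender anomaly; a lone anomaly is only flagged."""
    msg = email.message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    findings = []
    # Display-name spoofing: a protected name in the display name while the
    # actual address is outside the organisation.
    norm_name = re.sub(r"[^a-z ]", " ", name.lower())
    if any(p in norm_name for p in PROTECTED_NAMES) and from_dom not in ORG_DOMAINS:
        findings.append("display_name_spoof")
    if is_lookalike(from_dom):
        findings.append("from_lookalike")
    # Reply path and envelope sender must agree with the header From domain.
    for header, tag in SENDER_HEADERS.items():
        dom = domain_of(parseaddr(msg.get(header, ""))[1])
        if dom and dom != from_dom:
            findings.append(f"{tag}_mismatch")
        if is_lookalike(dom):
            findings.append(f"{tag}_lookalike")
    body = msg.get_payload() if not msg.is_multipart() else ""
    if URGENT_FINANCIAL.search(f"{msg.get('Subject', '')}\n{body}"):
        findings.append("urgent_financial")
    if "urgent_financial" in findings and len(findings) > 1:
        return "QUARANTINE", findings
    return ("FLAG" if findings else "DELIVER"), findings


if __name__ == "__main__":
    for label, raw in (("legit", MSG_LEGIT), ("spoof", MSG_SPOOF), ("replyto", MSG_REPLYTO)):
        print(label, *analyse(raw))
```

The third message carries the organization's own domain in the header From; with DMARC enforced at the gateway such a forgery is rejected before content checks run, and this layer exists for the cases where it is not (partner domains without DMARC, look-alike domains the attacker actually controls). Requiring urgent financial language in addition to a sender anomaly is what keeps routine clinical correspondence with external Reply-To addresses out of quarantine; it is a trade-off to tune against the organization's own mail, not a fixed rule.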

Module 9: Performance Measurement and Continuous Improvement

  • Track mean time to report simulated phishing emails by department and compare against industry benchmarks.
  • Calculate the reduction in simulation failure rates (clicks, credential entry, call-backs) over time to assess training effectiveness.
  • Conduct root cause analysis on actual social engineering incidents to identify control gaps.
  • Adjust training content based on failure patterns observed in vishing and smishing simulations.
  • Review policy exception logs quarterly to detect systemic non-compliance trends.
  • Measure adoption rates of secure reporting mechanisms such as phishing report buttons in email clients.
  • Compare control maturity across regional facilities to prioritize remediation investments.
  • Update governance metrics annually to reflect changes in threat landscape and organizational structure.