4.2 Tasks Expected from Horizon Employees
In order to reach the goal, Horizon employees need to:
- Prevent unauthorized access to the financial information of donors.
- Prevent unauthorized access to the names and personal details of donors.
This requires knowing:
- where sensitive information is stored
- how to restrict access to it
- what counts as a legitimate purpose for accessing sensitive information
- how to replace sensitive information with aggregates or anonymized information when the sensitive details are not necessary for the task.
Preventing Exploitation of Employee Privileges Through Phishing
In order to fend off phishing attempts, Horizon employees must:
- not provide credentials to untrusted sources
- not run programs sent by untrusted sources
- not follow instructions of untrusted sources
- confirm any unexpected request received by email through a different channel
- discard or report any suspicious email
- ignore and close pop-up messages unrelated to their current activity
- refuse to run any associated program or script when opening an attachment.
They may also:
- configure a password manager to provide credentials only to trusted sources
This requires knowing how to:
- differentiate phishing emails from legitimate work emails
- differentiate trusted from untrusted web pages
- differentiate trusted from untrusted senders of emails
- differentiate expected from unexpected requests for credentials
- differentiate expected from unexpected pop-up windows and notifications
- differentiate an attachment that contains executable code from a static file.
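The last item, telling an attachment that carries code apart from a static file, is the one skill in this list that can be backed by a tool rather than judgement alone. The following Python script is an added example and is not part of the Horizon policy document; it classifies attachments of a constructed sample message by extension, by leading bytes (so a renamed executable is still caught), by double extensions such as "statement.pdf.exe", and by looking inside Office files for a VBA project. The extension lists are constructed for illustration and are not exhaustive.

```python
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed, non-exhaustive lists. Anything not clearly static is treated
# as suspicious, which is the safe default for a mail gateway or a user tool.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1",
                         ".vbs", ".js", ".jse", ".wsf", ".hta", ".msi", ".jar", ".lnk"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
STATIC_EXTENSIONS = {".pdf", ".txt", ".csv", ".png", ".jpg", ".jpeg", ".gif",
                     ".docx", ".xlsx", ".pptx"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z", ".iso"}

# Leading bytes that identify native code or scripts regardless of the name.
CODE_MAGIC = {b"MZ": "PE executable", b"\x7fELF": "ELF executable",
              b"#!": "script with interpreter line"}


def _office_has_macros(data: bytes) -> bool:
    """OOXML files are zip containers; a VBA project ships as vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.endswith("vbaProject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, data: bytes) -> dict:
    """Return {'verdict': ..., 'reasons': [...]} for one attachment.

    verdict is 'executable', 'macro', 'archive', 'static' or 'unknown'.
    Content checks run before name checks, so a renamed .exe is still caught.
    """
    name = filename.lower()
    root, ext = os.path.splitext(name)
    reasons = []

    # Double extensions such as "invoice.pdf.exe" are a common disguise.
    inner_ext = os.path.splitext(root)[1]
    if inner_ext and inner_ext in STATIC_EXTENSIONS:
        reasons.append(f"double extension {inner_ext}{ext}")

    for magic, label in CODE_MAGIC.items():
        if data.startswith(magic):
            reasons.append(f"content is a {label}")
            return {"verdict": "executable", "reasons": reasons}

    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"extension {ext} runs code")
        return {"verdict": "executable", "reasons": reasons}

    if ext in MACRO_EXTENSIONS or _office_has_macros(data):
        reasons.append("Office document contains a VBA project")
        return {"verdict": "macro", "reasons": reasons}

    if ext in ARCHIVE_EXTENSIONS:
        reasons.append(f"archive {ext} must be inspected after extraction")
        return {"verdict": "archive", "reasons": reasons}

    if ext in STATIC_EXTENSIONS and not reasons:
        return {"verdict": "static", "reasons": ["known static format"]}

    reasons.append("unrecognised type")
    return {"verdict": "unknown", "reasons": reasons}


def classify_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and classify every attachment in order."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    results = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "unnamed"
        payload = part.get_payload(decode=True) or b""
        result = classify_attachment(fname, payload)
        result["filename"] = fname
        results.append(result)
    return results


def build_sample_message() -> bytes:
    """Constructed phishing-style message with three attachments (sample data)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Donor statement attached"
    msg.set_content("Please review the attached statement.")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    # A PE header hidden behind a document-looking double extension.
    msg.add_attachment(b"MZ\x90\x00constructed", maintype="application",
                       subtype="octet-stream", filename="statement.pdf.exe")
    # A .docx (not .docm) that nevertheless carries a VBA project.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"constructed")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="statement.docx")
    return msg.as_bytes()


if __name__ == "__main__":
    for r in classify_message(build_sample_message()):
        print(f"{r['filename']:<20} {r['verdict']:<11} {'; '.join(r['reasons'])}")
```

Running the script prints one line per attachment: the PDF is static, the double-extension file is flagged as an executable on both its name and its MZ header, and the .docx is flagged as macro-bearing even though its extension looks harmless. Archives and unrecognised types are deliberately not reported as safe; they need a second look after extraction or by a different tool.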