Service Desk Caller Verification Process

This prevention mandates a standardized, enforceable identity verification process for all service desk interactions involving password resets, account unlocks, or access changes. It requires the use of multi-factor authentication (MFV), out-of-band confirmation (OOB), and structured workflow enforcement to ensure caller legitimacy. The process reduces susceptibility to impersonation, prevents policy bypass under pressure, and ensures auditability for investigative review.

Prevention Measures

All verification must use at least two distinct factors:

• A knowledge factor (e.g., pre-set PIN or a dynamic question).
• A possession factor (e.g., one-time passcode sent to a pre-registered corporate channel such as email or SMS).

For high-risk accounts, apply out-of-band confirmation:

• Perform a callback to a pre-registered phone number.
• Or request confirmation via an internal messaging platform (e.g., Microsoft Teams or Slack).

Verification steps must be enforced within the IT Service Management (ITSM) platform:

• Each verification checkpoint is prompted and must be completed before proceeding.
• Agents cannot override or skip steps manually.
• All actions must be logged automatically with time, actor, and outcome.

Escalation protocols must be followed when:

• Verification fails.
• A request seems inconsistent or suspicious.
• The subject is flagged in HR systems as inactive, offboarded, or under restriction.

Logs must include:

• Requestor’s claimed identity.
• Verifier’s identity.
• Verification methods used.
• Outcome of each step.

Service desk staff must undergo regular training and social engineering simulations:

• Focus on red flags such as urgency, executive name-dropping, or vague justifications.
• Reinforce the principle: verification is mandatory, regardless of pressure.