Social Engineering Policy v1.001 2026-01-07

This Social Engineering Policy (the “Policy”) sets out how GEN provides social engineering security testing services to customers (“Customers”) to measure and improve cyber security posture, user awareness, and organisational resilience. This Policy is incorporated into, and forms an adjunct to, the Framework Agreement between GEN and the Customer. Capitalised terms not defined here have the meaning given in the Framework Agreement. If there is any inconsistency between this Policy and the Framework Agreement, the Framework Agreement takes precedence.


Service Overview (what the Service is)

Social engineering testing is a human-led service that simulates realistic adversary behaviour to assess how people, processes, and controls respond to persuasion, pretexting, and other influence techniques. Unlike “template spam”, our agents take an adaptive approach: they observe, ask questions, pivot, and leverage information discovered during the engagement (within the agreed scope) to determine whether access to systems, services, information, or locations can be obtained.

The Service may include (without limitation):

  • Email-based testing: targeted messaging and workflows intended to elicit responses, actions, or disclosure of information.
  • Telephone-based testing (vishing): live calls by trained agents to test identity verification, helpdesk processes, and staff response to persuasive requests.
  • Physical testing: attempts to gain access to Customer premises and controlled areas, to reach mission-critical systems or assets, and to assess physical security controls.
  • Follow-up and remediation guidance: recommendations to improve training, procedures, and technical/physical controls.

Definitions

  • Service: the social engineering security testing service described in this Policy.
  • Rules of Engagement (RoE): a written, Customer-approved document defining scope, constraints, authorised tactics, out-of-scope actions, testing windows, and emergency contacts.
  • Statement of Work (SOW): the commercial and operational document defining deliverables, timelines, and fees for a specific engagement.
  • Authorised Contact: the Customer’s nominated individual(s) with authority to approve RoE/SOW, authorise testing activity, and make binding decisions during the engagement.
  • Evidence: engagement artefacts including (without limitation) email headers, screenshots, photographs, access logs, or notes demonstrating interactions and outcomes.

Authorisation, Governance, and Preconditions

Social engineering is inherently intrusive by design. GEN will not commence testing without explicit written authorisation. Before any engagement begins, the Customer must ensure a signed SOW and signed RoE are in place, approved by an Authorised Contact.

Each RoE must define, as a minimum:

  • Scope: systems, users/roles, sites, and assets in scope, plus explicit exclusions.
  • Permitted methods: which of email/telephone/physical are authorised and any allowed pretexts.
  • Testing windows: business hours and/or after-hours attempts (if authorised), including timezone.
  • Safety constraints: on-site and operational safety rules, and any protected areas/items.
  • Evidence rules: photography permissions, recording constraints, and handling requirements.
  • Escalation contacts: names and numbers for Authorised Contacts and on-site security/reception for verification and emergency stop.
  • Stop conditions: circumstances requiring immediate pause/termination of testing.

Permitted Testing Activity (adaptive human-led approach)

Subject to the signed RoE, GEN agents may engage Customer personnel using realistic interaction and persuasion techniques. Agents may ask questions, request process exceptions, attempt to obtain internal information, and pivot based on responses. The objective is to assess real-world resilience and control effectiveness, not to shame individuals.

Where explicitly authorised in the RoE, GEN may use pretexting (for example, posing as internal IT/HR, a supplier, or a contractor) to test identity verification and escalation procedures. All such activity must remain lawful, proportionate, and within the agreed scope.


Prohibited Activity (hard limits)

Regardless of any engagement scope, the following are hard prohibitions:

  • No threats or blackmail: agents must not threaten, intimidate, or coerce through fear or implied harm.
  • No bribery/inducements: agents must not offer money, gifts, or improper inducements to influence behaviour.
  • No impersonation of emergency services or law enforcement: agents must not claim to be police, ambulance, fire services, regulators, or similar authorities.
  • No violence, forced entry, or damage: agents must not break locks, force doors, damage property, disable alarms, or otherwise create unsafe conditions.
  • No unauthorised disruption: agents must not intentionally disrupt Customer operations (e.g., deny access to services, trigger alarms as a goal, or impede emergency exits).

Email Testing (phishing simulation)

Email testing may include targeted messages, reply handling, and controlled landing pages to measure user behaviour. Where credential capture is authorised, credentials must be handled in accordance with the Credential Handling section of this Policy. GEN will take reasonable steps to minimise harm (for example, avoiding payloads that could execute code).


Telephone Testing (vishing)

Telephone testing is conducted by live agents. The purpose is to assess identity verification, call handling, escalation paths, and susceptibility to persuasive requests. Calls are not audio recorded as standard under this Policy; evidence is captured through contemporaneous notes and outcomes.


Physical Testing (sites and offices)

Where authorised in the RoE, GEN agents may attend Customer sites and attempt to bypass physical controls through social engineering and observation. This may include attempts to gain access to restricted areas (including, where explicitly authorised, comms rooms or server rooms) to demonstrate whether mission-critical systems or assets could be reached.

Physical evidence may include (subject to RoE):

  • photographs of access points, door states, badge usage, tailgating susceptibility, and insecure assets;
  • photographs demonstrating proximity to mission-critical systems or areas;
  • notes describing interactions, challenges, and outcomes.

GEN will not perform forced entry, will not bypass locks by destructive means, and will comply with on-site safety requirements. If challenged by security or staff, agents will comply with instructions, disengage where required, and may use an agreed verification channel to confirm authorisation.


Credential Handling (secrets and access)

If the engagement results in disclosure of credentials, tokens, or other secrets (whether requested or volunteered), GEN will treat these as confidential secrets. Credentials may be used only to demonstrate access consistent with the RoE and only to the minimum extent required to evidence a finding.

  • No retention: credentials are not retained beyond the final report delivery and acceptance, unless a longer retention is required by law or expressly agreed in writing.
  • Minimise handling: capture and use of credentials should be avoided where proof can be obtained by alternative means (e.g., screenshots of login prompts, evidence of access being denied or allowed, or metadata).
  • Secure storage: where temporary storage is required, secrets must be stored encrypted with access restricted to the engagement team.
  • Customer remediation: GEN may recommend immediate rotation/revocation of disclosed secrets where risk is material.

Data Protection, Privacy, and Confidentiality

Social engineering engagements may involve processing of personal data (for example names, job roles, contact details, communications content, and interaction notes). Any processing of personal data is carried out in accordance with GEN’s Privacy Notice, the Framework Agreement, and applicable data protection law (including UK GDPR and the Data Protection Act 2018).

Evidence is collected on a data-minimised basis, retained only as long as necessary to deliver the report and satisfy auditability requirements, and stored securely with access controls.


Reporting, Evidence, and Outcomes

GEN will report on all meaningful interactions and outcomes, whether successful or unsuccessful. Reports typically include (as appropriate):

  • Executive summary and risk overview
  • Scenario descriptions and timelines
  • What worked / what failed (control effectiveness)
  • Evidence excerpts (e.g., screenshots, photographs, email artefacts)
  • Root cause themes (process gaps, training gaps, technical/physical control gaps)
  • Practical recommendations prioritised by impact and effort

Customer Responsibilities

  • Provide an Authorised Contact and ensure RoE/SOW are signed before testing begins.
  • Ensure internal approvals are obtained (including HR, legal, IT/security, and facilities/security as appropriate).
  • Provide emergency stop/escalation contacts and ensure they are reachable during test windows.
  • Inform relevant internal stakeholders where required to ensure safety (for example site security) whilst preserving test integrity as agreed in the RoE.
  • Implement recommended remediation actions and rotate/revoke credentials where compromise is identified.

Disclaimers and Limitations

Social engineering outcomes depend on human behaviour, timing, and environmental conditions. The Service is delivered using reasonable skill and care and on a best-efforts basis. No test can guarantee detection of all weaknesses or prevent real-world compromise. To the maximum extent permitted by law, GEN’s liability is limited as set out in the Framework Agreement.


Related Policies

This Policy operates in conjunction with the following GEN policies and agreements:

  • Framework Agreement – The master contractual terms governing all business relationships with GEN.
  • Privacy Notice – Details on how we collect, use, and protect personal data.
  • Acceptable Use Policy – Acceptable use and misuse prevention principles across GEN services.

Changes to this Policy

GEN may amend this Policy from time to time. Changes take effect prospectively from the stated effective date or, if none, from the date of posting.


Incorporation and Precedence

This Policy is incorporated into the Framework Agreement and does not operate as a standalone agreement. If there is any inconsistency between this Policy and the Framework Agreement, the Framework Agreement takes precedence.


Questions and Contact

Questions regarding social engineering engagements, authorisation, or RoE requirements should be directed via the HelpDesk at https://support.gen.uk.