Re: Risk of Redirecting Email.



Munyaradzi,

This kind of procedure (redirecting business email) is extremely risky.
The first and foremost risk is to consider that you would have an ex-employee
receiving email as if he still worked in your company, that's an
OBVIOUS mistake.

Job change and termination is a very important part of an effective human
resource policy you have to develop and enforce in every organization.

Some of the risk drivers to implement this kind of policy are:

• Unauthorised access when employees are terminated
• Lack of smooth continuation of business-critical operations

Here are some recommendations to test specific HR job termination
controls:

• Enquire and inspect whether exit procedures for voluntary termination of
employment are documented and contain all required elements, such as
necessary knowledge transfer, timely securing of logical and physical
access, return of the organisation’s assets, and conducting of exit
interviews.

• Enquire whether job change procedures are documented and contain
all required elements to minimise disruption of business processes.
Examples include the need for job mentoring, job hand-over steps and
preparatory formal training. Inspect job change procedures to determine
if the procedures are consistently followed.

• Acquire through HR a list of terminated/transferred users (for the past
six months to one year).

I hope this helps out, best regards,


David Schekaiban, CISA, CISSP
david@xxxxxxxxxxxxxxx
twitter.com/codigoverde



Hi people.

I have seen on some clients of mine, that when an employee leaves the
organisation, they request IT to redirect their emails to a particular
email address....personal.
What are the risks of this? I can only think of company information
being directed to this individual....which could be bad if he/she has
gone to work for a competitor. What other risks or security issues
could this give rise to?

Thanks.

Munyaradzi Dumisani Mufambisi
