Security Basics mailing list archives

Re: Risk of Redirecting Email.


From: Meenal Mukadam <meenal.mukadam () gmail com>
Date: Wed, 8 Apr 2009 12:16:51 +0530

Hello Munyaradzi,

I agree with your concern. But according to me, the real problem is
not "Personnel requesting to redirect their mails", but is actually
"having no proper controls in place to terminate the account" when a
person leaves the organization.

If there were proper controls implemented like:
1) Having a comprehensive and apt policy and procedures in place (to
guide the actions to be taken when any employee leaves the company)
2) Termination of account and access rights
3) Backup of the critical business information from the account
4) Not sharing default access credentials
5) Verifying if no backdoors are opened (having forwarding mails in
place can be considered as a type of backdoor)
6) Cleansing the system after the employee leaves (many employees tend to
implant malicious code to have a perpetual source of
information... so any organization has to guard against it... the best
way, but not the easiest, is to take an info backup and reinstall the
O.S. and applications again)

According to me, if these controls were in place, even if the
personnel requested to redirect their mail, it wouldn't be
possible to do so. Because if an account was PROPERLY terminated, then
from where would they get the mails?

The risks faced were nicely covered by many. But I will add in a few:
1) Risks due to loss of confidential info (new product/service info)
2) Risks due to loss of mission critical or competitive info
(tender/contracts, R&D info)
3) Risks due to Internal secrets being leaked out
4) Risks due to Sales info being sold or used by competitors
5) Risk due to availability of info, etc


Hope this answers your question :)


Regards,

Meenal A. Mukadam



On Tue, Mar 31, 2009 at 9:24 PM, M.D.Mufambisi <mufambisi () gmail com> wrote:
Hi people.

I have seen on some clients of mine, that when an employee leaves the
organisation, they request IT to redirect their emails to a particular
email address....personal.
What are the risks of this? I can only think of company information
being directed to this individual....which could be bad if he/she has
gone to work for a competitor. What other risks or security issues
could this give rise to?

Thanks.

Munyaradzi Dumisani Mufambisi

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

No time or budget for traveling to a training course in this fiscal year? Check out the online penetration testing 
courses available at InfoSec Institute. More than a boring "talking head", train in our virtual labs for a total 
hands-on training experience. Get the certs you need as well: CEH, CPT, CEPT, ECSA, LPT.

http://www.infosecinstitute.com/request_online_training.html
------------------------------------------------------------------------





-- 
Meenal A. Mukadam

-----------------------------------------------------------------
http://www.linkedin.com/in/meenalmukadam
-----------------------------------------------------------------
Far away there in the sunshine
are my highest aspirations.
I may/may not reach them,
but I can look up and see their beauty,
believe in them and try to follow
where they lead
-------------------------------------------------------------
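
Added example, not part of the original post or thread: one way to check controls 2 and 5 from the list above, by cross-referencing an HR leaver list against a mailbox export and flagging accounts still enabled or still forwarding after the last working day. The CSV column names, sample users and domains are constructed for illustration and do not match any particular mail server's export format.

```python
import csv
import io
from datetime import date

# Constructed sample data: an HR leaver list and a mailbox export.
# Column names are assumptions, not any mail server's real export format.
LEAVERS_CSV = """user,last_day
alice,2009-03-15
bob,2009-03-20
carol,2009-03-27
"""

MAILBOXES_CSV = """user,enabled,forward_to
alice,yes,alice.home@example.net
bob,no,
carol,no,carol@example.org
dave,yes,dave.private@example.net
erin,yes,helpdesk@corp.example
"""

INTERNAL_DOMAINS = {"corp.example"}  # assumed company mail domain


def audit(leavers_csv, mailboxes_csv, today):
    """Return sorted (user, finding) pairs for offboarding gaps."""
    leavers = {r["user"]: date.fromisoformat(r["last_day"])
               for r in csv.DictReader(io.StringIO(leavers_csv))}
    findings = []
    for box in csv.DictReader(io.StringIO(mailboxes_csv)):
        user = box["user"]
        target = box["forward_to"].strip()
        domain = target.rpartition("@")[2].lower()
        external = bool(target) and domain not in INTERNAL_DOMAINS
        left = user in leavers and leavers[user] <= today
        if left and box["enabled"] == "yes":
            findings.append((user, "account still enabled after last day"))
        if left and target:
            # Any forward on a leaver's mailbox keeps mail flowing out.
            findings.append((user, "forwarding still set after last day: " + target))
        elif external:
            findings.append((user, "external forwarding on active account: " + target))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit(LEAVERS_CSV, MAILBOXES_CSV, date(2009, 4, 8)):
        print(user, "-", finding)
```

A disabled account with a forward still configured (carol in the sample) is reported separately from an enabled one, since disabling a login does not by itself stop mail from being redirected.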


