Educause Security Discussion mailing list archives

Re: Employees forwarding their email offsite

From: "Larry K. Emmons" <lkemmons () SVSU EDU>
Date: Fri, 29 May 2020 18:06:08 +0000

Hi Jonathon,

We are in the process of blocking all Staff and Faculty from forwarding to an external email address.  We plan to allow 
Staff and Faculty to forward to an internal email address.  We will allow students to forward.  We are an O365 
environment.  As a "policy", this is just beginning to take hold.

One of our System Admins is working on modifying a script he found to enforce the rules.  He has had some success in 
testing, but it is not yet perfected for production.

Thank-you,
Larry Emmons
Director of Technology and Support Services
Saginaw Valley State University
www.svsu.edu<http://www.svsu.edu>
mysupport.svsu.edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Paul Chauvet
Sent: Friday, May 29, 2020 1:06 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Employees forwarding their email offsite

Hi Jonathan,

We prevent employees - with the exception of adjunct faculty - from forwarding their mail.  The way we enforce this is 
an alert in Office 365 on when a forwarder is setup.  That policy is setup within the Office 365 Security & Compliance 
center.

  *   Condition: Activity is MailRedirect
  *   Action: notify admins

We then review:

  *   Does the forward look like it was applied by the user themselves?  If they are not an adjunct we then disable the 
forwarder and remind the employee of the policy.
  *   Does it look like a rule which may have been applied maliciously and is an IoC?  If so - we investigate.

The latter was more common pre-MFA.


Paul Chauvet, CISSP
Information Security Officer
State University of New York at New Paltz
845-257-3828
chauvetp () newpaltz edu<mailto:chauvetp () newpaltz edu>
[cid:image001.png@01D635C2.4C1E25A0]

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Kimmitt, Jonathan
Sent: Tuesday, May 26, 2020 12:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Employees forwarding their email offsite

CAUTION: Message from a non-New Paltz email server. Treat message, links, and attachments with extra caution.

Hi all,

  After an issue has come up, we are looking at a way to prevent employee's (but not students) from auto-forwarding 
their university email to personal email accounts.

I was curious to what other Universities were doing.


  1.  Are you blocking auto forwarding?
  2.  Do you have a university policy on what can and can't be sent?
  3.  Is anybody doing this in an office365?

Thank for anything you can share!

-Jonathan

~
Jonathan Kimmitt
CISSP, PCIP, CEH, CIPM, CDPSE
GPEN, CIPT, CIPP/E, GSNA
Chief Information Security Officer
Information Technology
The University of Tulsa
918.631.2743


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Clkemmons%40SVSU.EDU%7Caba8cb40efa94c681acf08d803f287d8%7C550f45ff3e8342a197d970ad8935b0c5%7C0%7C0%7C637263687487497495&sdata=dp4J2FmSrbILCqTKzuZgjwseCCVg%2Bs6%2F7i6vcpMwOys%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Clkemmons%40SVSU.EDU%7Caba8cb40efa94c681acf08d803f287d8%7C550f45ff3e8342a197d970ad8935b0c5%7C0%7C0%7C637263687487507486&sdata=XiHVWJ0%2BpjMmkIXTlbGQPyylSoJ1ugVbxKGdSw7UrKU%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Current thread:

Employees forwarding their email offsite Kimmitt, Jonathan (May 26)
- Re: Employees forwarding their email offsite Pesino, Sherry (May 26)
- Re: Employees forwarding their email offsite Pete, Andrew (May 26)
  - Re: EXTERNAL: Re: [SECURITY] Employees forwarding their email offsite Spiars, Vince (May 26)
- Re: Employees forwarding their email offsite Karen Brown (May 26)
  - Re: [<External>]Re: [SECURITY] Employees forwarding their email offsite Kimmitt, Jonathan (May 27)
- Re: Employees forwarding their email offsite Paul Chauvet (May 29)
  - Re: Employees forwarding their email offsite Larry K. Emmons (May 29)