Penetration Testing mailing list archives

Re: Risk of Redirecting Email.


From: David Schekaiban <david () codigoverde com>
Date: Fri, 3 Apr 2009 08:54:44 -0600

Munyaradzi,

This kind of procedure (redirecting business email) is extremely risky. 
The first and foremost risk is to consider that you would have an ex-employee 
receiving email as if he still worked in your company; that's an 
OBVIOUS mistake.

Job change and termination is a very important part of an effective human 
resource policy you have to develop and enforce in every organization.

Some of the risk drivers to implement this kind of policy are:

• Unauthorised access when employees are terminated
• Lack of smooth continuation of business-critical operations

Here are some recommendations to test specific HR job termination 
controls:

• Enquire and inspect whether exit procedures for voluntary termination of 
employment are documented and contain all required elements, such as 
necessary knowledge transfer, timely securing of logical and physical 
access, return of the organisation’s assets, and conducting of exit 
interviews.

• Enquire whether job change procedures are documented and contain 
all required elements to minimise disruption of business processes. 
Examples include the need for job mentoring, job hand-over steps and 
preparatory formal training. Inspect job change procedures to determine 
if the procedures are consistently followed.

• Acquire through HR a list of terminated/transferred users (for the past 
six months to one year).

I hope this helps out, best regards,


David Schekaiban, CISA, CISSP
david () codigoverde com
twitter.com/codigoverde
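The last recommendation (obtain the terminated/transferred user list from HR) is only useful once it is reconciled against what the mail system actually does. The following is an added example written for this archive page, not code from David's post: it cross-checks a constructed HR termination list against a constructed mailbox export and flags mailboxes that are still enabled past a grace period, or that forward to an address outside the company domain. The domain `example.com`, the user names, the dates and the `Mailbox`/`Finding` types are all assumptions for the example.

```python
"""Reconcile an HR termination list against mailbox state.

Added example, not from the original mailing-list post. All inputs are
constructed inline; in practice the termination list comes from HR and
the mailbox data from the mail system's directory or forwarding export.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumption: the organisation's own mail domain.
COMPANY_DOMAIN = "example.com"


@dataclass(frozen=True)
class Mailbox:
    user: str
    enabled: bool
    forward_to: Optional[str]  # forwarding target, or None if no forward is set


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str
    detail: str


# Constructed HR list: user id -> last working day.
HR_TERMINATED: Dict[str, date] = {
    "jdoe": date(2009, 1, 15),
    "asmith": date(2009, 3, 20),
    "bwong": date(2009, 2, 1),
}

# Constructed mailbox export (cjones is still employed and must not be flagged).
MAILBOXES: List[Mailbox] = [
    Mailbox("jdoe", enabled=True, forward_to="jdoe@personal-mail.example"),
    Mailbox("asmith", enabled=False, forward_to=None),
    Mailbox("bwong", enabled=True, forward_to="manager@example.com"),
    Mailbox("cjones", enabled=True, forward_to=None),
]


def is_external(address: str, domain: str = COMPANY_DOMAIN) -> bool:
    """True when the address's domain is not the company's own domain."""
    return address.rsplit("@", 1)[-1].lower() != domain.lower()


def reconcile(terminated: Dict[str, date], mailboxes: List[Mailbox],
              as_of: date, grace_days: int = 0) -> List[Finding]:
    """Return one Finding per control failure for terminated users.

    - an external forward on a terminated user's mailbox is always flagged;
    - a mailbox still enabled, or an internal forward still in place, is
      flagged once the grace period after the last working day has passed.
    """
    by_user = {m.user: m for m in mailboxes}
    findings: List[Finding] = []
    for user, last_day in sorted(terminated.items()):
        mb = by_user.get(user)
        if mb is None:
            continue  # mailbox already removed: the control worked
        overdue = (as_of - last_day).days > grace_days
        if mb.enabled and overdue:
            findings.append(Finding(user, "mailbox still enabled",
                                    f"last working day {last_day.isoformat()}"))
        if mb.forward_to:
            if is_external(mb.forward_to):
                findings.append(Finding(user, "forwarding to external address",
                                        mb.forward_to))
            elif overdue:
                findings.append(Finding(user, "internal forward past grace period",
                                        mb.forward_to))
    return findings


def run_example(grace_days: int = 30) -> List[Finding]:
    """Run the reconciliation on the constructed data as of 3 April 2009."""
    return reconcile(HR_TERMINATED, MAILBOXES, date(2009, 4, 3), grace_days)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.user}: {f.issue} ({f.detail})")
```

On the constructed data the script reports jdoe twice (mailbox enabled, external forward) and bwong twice (mailbox enabled, internal forward past the 30-day grace period); asmith is clean because the mailbox was disabled and cjones is ignored because HR did not list that user. A short, sanctioned internal forward (for instance to the line manager) is the case the grace period exists for; any forward to a personal address is flagged regardless of timing.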



Hi people.

I have seen on some clients of mine, that when an employee leaves the
organisation, they request IT to redirect their emails to a particular
email address....personal.
What are the risks of this? I can only think of company information
being directed to this individual....which could be bad if he/she has
gone to work for a competitor. What other risks or security issues
could this give rise to?

Thanks.

Munyaradzi Dumisani Mufambisi


