From: Barry Archer (archerba gmail.com)
Date: Mon Apr 06 2009 - 08:03:14 CDT
I'd probably go further and suggest that any company that has email
compliance requirements should have a policy that forbids automatic
forwarding of any email to an external address. A written exception
can be used to track those cases where it's necessary. And then set
up to check and archive copies of the exception emails.
For what it's worth, then some reasonably high manager has to accept
the risk - and there is an audit trail.
On Fri, Apr 3, 2009 at 9:53 PM, <dgonzalez merituspayment.com> wrote:
> For the obvious already stated below, there is no reason why an employee who is no longer employed by a company should be allowed to have their company email redirected to a personal one. There are legal reasons that I'm not fully knowledgeable on also.
>
> The only reason why would be if there was an extended consulting contract for the individual, but even so they would continue to use their company email.
>
> Regards.
> Sent on the Now Network™ from my Sprint® BlackBerry
>
> -----Original Message-----
> From: Joshua Gimer <jgimer gmail.com>
>
> Date: Fri, 3 Apr 2009 10:06:08
> To: M.D.Mufambisi <mufambisi gmail.com>
> Cc: <pen-test securityfocus.com>
> Subject: Re: Risk of Redirecting Email.
>
>
> On Tue, Mar 31, 2009 at 9:54 AM, M.D.Mufambisi <mufambisi gmail.com> wrote:
>> Hi people.
>>
>> I have seen on some clients of mine, that when an employee leaves the
>> organisation, they request IT to redirect their emails to a particular
>> email address....personal.
>> What are the risks of this? I can only think of company information
>> being directed to this individual....which could be bad if he/she has
>> gone to work for a competitor. What other risks or security issues
>> could this give rise to?
>>
>> Thanks.
>>
>> Munyaradzi Dumisani Mufambisi
>>
>
> I think that you are on the right track. You run the risk of trade
> secrets being leaked, insider information, PII, PHI, and so on. There
> are also some regulatory standards that prevent messages containing
> certain types of information from leaving the "trusted" network. In
> addition to this some also require that this information be encrypted
> in transit as well as at rest, which may be difficult to guarantee if
> you do not run the mail servers in which the messages will rest.
>
> --
> Thx
> Joshua Gimer
>