Outside POP Email Accounts 753



  • I have received a request from a newly hired corporate executive to have messages sent to his corporate email account automatically forwarded to his outside personal email account at AOL. After working on SOX compliance for the past year from an IT perspective, this request is setting off alarm bells in the back of my mind. I cannot find any reference to this type of scenario. It would seem to me that allowing sensitive email to be automatically forwarded to an uncontrolled, unencrypted, outside POP account would be a violation of some sort. Considering that this user also has a Blackberry and secure access via Citrix, I have to question the reason for the request, anyway.
    Does anyone have any thoughts on this? Could honouring this request result in a SOX audit violation?
    Thanks, all.



  • Do you have a company policy on this?
    Regardless of whether anyone believes this is a SOX issue, it is still a security risk for all the reasons you stated. I’d suggest putting this issue through your risk management process. Management will need to decide on what to do about it. This could result in writing/updating the policy to address this specific issue.
    I’ve seen a policy at most companies address forwarding of company email, stating that it is NOT allowed.



  • Thanks for the reply. Yes, as far as corporate IT policy goes it is definitely a no-no. Usually when high-ranking corporate executives are involved I find it easier to quote SOX regulations. It helps to control the I’m-Executive-so-I-can-violate-company-policy-if-I-want-to mentality. Risk Mgmt and Change Control all agree that it will not be done. I have told the person in question. I haven’t had a reply yet. I still have my job. All is well. 😉
    Cheers.



  • 
    I am not an attorney. It is my understanding that email on a third party email system may be recoverable during law-enforcement investigation. Your legal department may have something to say about this.
    Executives use 3rd party email services as a convenience.
    Your questions should prompt a review of your own security policy. If you are uncomfortable, find a business case on the net and present your case through your corporate chain of command. Since the executive is newly-hired, perhaps he should be trained about the company’s security policies.
    I have lost jobs for following best practices. Be tactful.

