3rd party accessing email



  • We are in the process of going public and are working on all of our compliance issues. Currently we have a mailbox that a 3rd party claims management company accesses, reading emails sent to that mailbox. I am curious about the restrictions on 3rd parties logging into our mail system and accessing our resources like that. Can anyone shed some light on what the limitations of this really are? Thanks in advance.



  • Hi and welcome to the forums 🙂 … There are no hard-and-fast rules there, as SOX compliance is a self-monitoring program that is adaptable to a wide range of industries and technological settings.
    There are probably many large companies that allow email access by consultants, vendors, and other 3rd parties. Email access should be properly restricted based on roles, security policies, and other factors to ensure SOX compliance.
    The links below might help:
    SOX 404 Guidelines are often validated by external SOX auditors using the COBIT standards
    http://www.sarbanes-oxley-forum.com/modules.php?name=Forums-and-file=viewtopic-and-t=1920
    COSO Guidelines also provide key Financial controls that external SOX auditors may use
    http://www.sarbanes-oxley-forum.com/modules.php?name=Forums-and-file=viewtopic-and-t=2470



  • It is not good for a third party to be accessing our account.



  • Third party accessing your account? Or is it an account that has been created for the third party?
    Third-party mail access should be subject to the same amount of security and monitoring as any organizational mail account.
    One possible additional security measure would be to track the mailbox exclusively (if not already done for other mail accounts).
    Otherwise, mails become sensitive only if they form part of any business workflow (approvals etc.).



  • ^ Definitely agree with NC, as sometimes external business parties are provided with an email account. Some key guidelines include:
    – Strict VPN access to the environment, where the 3rd party has highly restricted rights (just enough to do their job)
    – Rigid policies for business use only, monitoring, not sharing accounts/passwords, maintaining proper security, etc.
    – Good to maintain an annual compliance signature on file from external parties stating that they will abide by policies

