Policy question

Hi,
I couldn't find an area for Policy questions so I'll start in Newbie. We have a situation here I don't like and am looking for a specific policy or CIA triad violation. We have a scenario where employee who has customer contacts gets terminated. Management wants termed employees incoming email from customers redirected to another employee so the customer doesn't get a mail routed failure message. This means we disable all the accounts for termed employee but keep their internet email address available. Also, the corporate directory will stay out of date.

I don't like this since customers don't know who the email goes to, directory is out of date, and it's just plain unprofessional looking. I'm looking for a specific policy or violation of basic security principles that I can site to stop the madness.

I don't want to re-invent the wheel so I'm sure other companies with customers do this different. Any ideas?

Thanks

Do you host your own mail server or is this remotely hosted/administered?

We need a lot more detail regarding the mail flow to determine how you can resolve this issue.

Well,

How about going at it completely differently?...............I assume that your corporation knows what its employees do, and which accounts they are responsible for..............the new employee should contact those accounts and inform them.............that is good PR anyway?...........new kid on the block and all that..........you might even get a few extra orders?

Then................fix an "out of office" permanent message for the former employee's e-mail, referring contacts to the new person.

You are right, your current process seems a little "unprofessional" :p

Tiger~ is right (as usual, the boring old fart :D ) we would need more information to advise you on exactly how to do this, but I am describing a general process I have seen work effectively in a number of situations.

Cheers

Our email is Lotus Notes (all in-house). The employees I'm referring to all work for different managers in different job functions. Some are sales, service, customer care, etc. I suggested that once an employee is termed then the manager should look through the email contacts and contact them personally but apparently, that is difficult to manage.

I like the 'out of office' idea. That might work out well.

Let me know what other info you need and I'll be happy to tell you more. Thanks again.

Lotus Notes?............. :D

You are home and dry mate!.............it fully supports the "out of office messages" We were using that feature for this purpose about 10 years ago!

I don't need any more info if you have Notes...................that will work for you :) OK you need to assign administrative responsibility to someone, to make sure it happens, but other than that it should be plain sailing.

Hi Sanctity,

Are you the management , the terminated employee , or an interested third party ...I don't think you clarified that.

Eg :)

Sanct!ty, sounds like the TECHNICAL aspect of your question got answered. As for policy, well, there's not much applicable from the Security Triad you mention. Confidentiality? Well, unless the sender encrypted the message to said terminated employee with his public key, it's Internet email...no real expectation of confidentiality there. Integrity? Again, if the sender is using something to ensure message integrity and coordinating that with the recipient, it's a moot point. Availability is where you *might* find a toe hold, but I doubt it.

It may be a bit 'hinky', but they can do what they want...it's there email system. I'd suggest a combination of what nihil suggested combined with having the email forwarded to said new-guy to respond and handle the customer.

Thanks everyone. I appreciate the advice. BTW, I'm the Security Manager and don't want to sit by and watch this go on. I was looking for some reason to butt in (policy) and maybe come up with an alternative solution for the email department. It didn't seem to be really a security issue so it was a stretch.

I'm not a fan of Notes but it is what it is. Thanks again!

Sanctity,

You've got the answer already. Out-of-office is definitely the way to go.

I can understand your management's wish not to have customers facing bounced emails, that feels so unprofessional when you are on the receiving end of that bounce. Also, you want to provide your customers with new contact information.

The advantage of the out-of-office is that you do not violate the privacy of the terminated employee either as no-one will be reading their email. Even when terminated, your ex-employees do retain certain basic rights.

Overall, you avoid all complications by using out -of-office rather than having someone unexpected answer emails.

Cheers,

BrainStop

Quote:

---

... Some are sales, service, customer care, etc...

---

As a security Admin, i would like to delete those accounts, but i can admit the "out of office" idea. However, im not sure that you can do that on Lotus Notes without having those accounts password or get a previous authorization from them prior fire them.

But as a regular customer, i will really hate a automated message saying "this person doesnt work for company XXX anymore. Please send your question to yyy@xxx.com or call...." I will just think "why the hell they didnt forward the message to the apropriated guy instead sent me that stupid question asking to do their jobs? :)"

Sometimes we need to focus on business too instead just on security. Seeing thru the customers perspective, i would appreciate a automatic forward, because i want my problem fixed, my goods delivered, etc. And on that point of view, i dont think that forward some dead guys e-mail will hurt a security policy.