Policy question
Results 1 to 10 of 10

Thread: Policy question

  1. #1
    Junior Member
    Join Date
    Feb 2005
    Posts
    5

    Policy question

    Hi,
    I couldn't find an area for Policy questions so I'll start in Newbie. We have a situation here I don't like and am looking for a specific policy or CIA triad violation. We have a scenario where employee who has customer contacts gets terminated. Management wants termed employees incoming email from customers redirected to another employee so the customer doesn't get a mail routed failure message. This means we disable all the accounts for termed employee but keep their internet email address available. Also, the corporate directory will stay out of date.

    I don't like this since customers don't know who the email goes to, directory is out of date, and it's just plain unprofessional looking. I'm looking for a specific policy or violation of basic security principles that I can site to stop the madness.

    I don't want to re-invent the wheel so I'm sure other companies with customers do this different. Any ideas?

    Thanks

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Do you host your own mail server or is this remotely hosted/administered?

    We need a lot more detail regarding the mail flow to determine how you can resolve this issue.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  3. #3
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    Well,

    How about going at it completely differently?...............I assume that your corporation knows what its employees do, and which accounts they are responsible for..............the new employee should contact those accounts and inform them.............that is good PR anyway?...........new kid on the block and all that..........you might even get a few extra orders?

    Then................fix an "out of office" permanent message for the former employee's e-mail, referring contacts to the new person.

    You are right, your current process seems a little "unprofessional"

    Tiger~ is right (as usual, the boring old fart ) we would need more information to advise you on exactly how to do this, but I am describing a general process I have seen work effectively in a number of situations.

    Cheers
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  4. #4
    Junior Member
    Join Date
    Feb 2005
    Posts
    5
    Our email is Lotus Notes (all in-house). The employees I'm referring to all work for different managers in different job functions. Some are sales, service, customer care, etc. I suggested that once an employee is termed then the manager should look through the email contacts and contact them personally but apparently, that is difficult to manage.

    I like the 'out of office' idea. That might work out well.

    Let me know what other info you need and I'll be happy to tell you more. Thanks again.

  5. #5
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    Lotus Notes?.............

    You are home and dry mate!.............it fully supports the "out of office messages" We were using that feature for this purpose about 10 years ago!

    I don't need any more info if you have Notes...................that will work for you OK you need to assign administrative responsibility to someone, to make sure it happens, but other than that it should be plain sailing.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  6. #6
    T̙͓̞̣̯ͦͭͅͅȂͧͭͧ̏̈͏̖̖Z̿ ͆̎̄
    Join Date
    Dec 2004
    Posts
    3,171
    Hi Sanctity,

    Are you the management , the terminated employee , or an interested third party ...I don't think you clarified that.

    Eg

  7. #7
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Sanct!ty, sounds like the TECHNICAL aspect of your question got answered. As for policy, well, there's not much applicable from the Security Triad you mention. Confidentiality? Well, unless the sender encrypted the message to said terminated employee with his public key, it's Internet email...no real expectation of confidentiality there. Integrity? Again, if the sender is using something to ensure message integrity and coordinating that with the recipient, it's a moot point. Availability is where you *might* find a toe hold, but I doubt it.

    It may be a bit 'hinky', but they can do what they want...it's there email system. I'd suggest a combination of what nihil suggested combined with having the email forwarded to said new-guy to respond and handle the customer.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  8. #8
    Junior Member
    Join Date
    Feb 2005
    Posts
    5
    Thanks everyone. I appreciate the advice. BTW, I'm the Security Manager and don't want to sit by and watch this go on. I was looking for some reason to butt in (policy) and maybe come up with an alternative solution for the email department. It didn't seem to be really a security issue so it was a stretch.

    I'm not a fan of Notes but it is what it is. Thanks again!

  9. #9
    Senior Member BrainStop's Avatar
    Join Date
    Jan 2002
    Posts
    295

    Thumbs up You've got the answer

    Sanctity,

    You've got the answer already. Out-of-office is definitely the way to go.

    I can understand your management's wish not to have customers facing bounced emails, that feels so unprofessional when you are on the receiving end of that bounce. Also, you want to provide your customers with new contact information.

    The advantage of the out-of-office is that you do not violate the privacy of the terminated employee either as no-one will be reading their email. Even when terminated, your ex-employees do retain certain basic rights.

    Overall, you avoid all complications by using out -of-office rather than having someone unexpected answer emails.

    Cheers,

    BrainStop
    "To estimate the time it takes to do a task, estimate the time you think it should take, multiply by two, and change the unit of measure to the next highest unit. Thus we allocate two days for a one-hour task." -- Westheimer's Rule

  10. #10
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    ... Some are sales, service, customer care, etc...
    As a security Admin, i would like to delete those accounts, but i can admit the "out of office" idea. However, im not sure that you can do that on Lotus Notes without having those accounts password or get a previous authorization from them prior fire them.

    But as a regular customer, i will really hate a automated message saying "this person doesnt work for company XXX anymore. Please send your question to yyy@xxx.com or call...." I will just think "why the hell they didnt forward the message to the apropriated guy instead sent me that stupid question asking to do their jobs? "

    Sometimes we need to focus on business too instead just on security. Seeing thru the customers perspective, i would appreciate a automatic forward, because i want my problem fixed, my goods delivered, etc. And on that point of view, i dont think that forward some dead guys e-mail will hurt a security policy.
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides