B (Premium, MVM; join: 2000-10-28)
reply to midranger4 -- Re: MS Exchange admin auditing
Your auditors are misinformed and/or misguided. There are no safeguards that can be put in place if you don't trust the IT staff who are responsible for putting in the safeguards!
If the auditors wish to ensure that only mailbox owners can see their e-mail, then it should be a company-wide enforced policy that ONLY encrypted messages are sent, received, accepted, and viewed.
If you've got a mail store full of unencrypted messages it's an exercise in major stupidity to try to police your IT department. Who cares if they haven't accessed a message yet -- they can at any time! What if a backup is taken off site, or a disk or VM image cloned? Who watches the watchers?
Auditors are idiots. Try hard to avoid them.
-- B -- In a realm outside causality and function
midranger4 (Stupid Is In Vogue; Premium; join: 2002-01-18; Levittown, PA)
said by B:
Your auditors are misinformed and/or misguided. There are no safeguards that can be put in place if you don't trust the IT staff who are responsible for putting in the safeguards! If the auditors wish to ensure that only mailbox owners can see their e-mail, then it should be a company-wide enforced policy that ONLY encrypted messages are sent, received, accepted, and viewed. If you've got a mail store full of unencrypted messages it's an exercise in major stupidity to try to police your IT department. Who cares if they haven't accessed a message yet -- they can at any time! What if a backup is taken off site, or a disk or VM image cloned? Who watches the watchers? Auditors are idiots. Try hard to avoid them. -- B

I am sadly aware that auditors are indeed the spawn of Satan, but it does not preclude me from having to answer to them. I'm not so sure that they are looking to revoke authority per se, but rather for the ability to see if the authority inherent to being an admin is being abused.
I can understand their position on this. Sensitive and confidential emails are sent at the upper management level with little regard for any potential compromise associated with the content of any given email. With that said, I can't say I agree that trust in the administrative staff exclusively should be the only measure of security.
If, as you describe, the only alternative is encrypted messages, then maybe that is the course that should be taken. What I believe the auditors seek is something in between that gives them the ability to spot check. For instance, a report that might contain the name of any/all mailboxes accessed by anyone other than the owner, along with a date and time stamp.
Is such a request really that unobtainable? -- Democracy is the illusion of Freedom
Steve (Security is inefficient; Consultant; join: 2001-03-10; Tustin, CA)
reply to B
said by B: Auditors are idiots.

Auditors have arranged it so the entire US economy has to purchase an unwanted service from them with essentially no recourse for bad performance. Just who are the idiots again?
B (Premium, MVM; join: 2000-10-28)
said by Steve:
said by B: Auditors are idiots.
Auditors have arranged it so the entire US economy has to purchase an unwanted service from them with essentially no recourse for bad performance.

No, worse, no metric by which to measure "performance" at all! It's an entirely no-news-is-good-news effort, and they can do what they want (or nothing at all) during the audit. They don't share the name with the IRS folks for nothing. At least with accounting there are some kind of rules, but when they delve into IT...
To the OP, sure you can check on logins as maxkool implied -- I use a standard IMAP client to check several Exchange mail accounts and each login is logged in Windows security logs -- but how, exactly, are the auditors going to be notified when a backup tape gets restored to a temporary server or a disk is swapped out or any number of OTHER ways an IT person can peruse the mail store at his or her leisure without ANY way of being tracked? Without cameras everywhere and cattle prods up their butts, IT people are free to... manage IT. Imagine that. 
The auditors have to understand the scope of what they're asking. Sure, if they want to cordon off a tiny piece of the many possible ways, they are welcome to check the event logs. In fact, that's probably the bone that should be tossed their way. But if they had half a clue they'd realize how incomplete that is. Good luck!
-- B -- In a realm outside causality and function
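Added example, not posted by anyone in this thread: the "bone" B suggests tossing the auditors, and the spot-check report midranger4 asks for (every mailbox opened by someone other than its owner, with who, from where, and when), done with Exchange's own mailbox audit logging instead of reading IMAP logons out of the Windows security log. It assumes Exchange 2010 or later with the Exchange Management Shell loaded; mailbox audit logging did not exist in the Exchange versions current when this thread was written, and the 90-day retention, 30-day report window, and output path are assumptions for illustration.

```powershell
# Added example, not from the thread. Assumes Exchange 2010+ and the Exchange
# Management Shell. Retention, report window and the CSV path are hypothetical.

$Mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

# 1. Turn on mailbox audit logging for every user mailbox. Only the Admin and
#    Delegate logon types are recorded here, i.e. anyone other than the owner;
#    FolderBind is the "opened a folder" event the auditors care about.
foreach ($mbx in $Mailboxes) {
    Set-Mailbox -Identity $mbx.Identity `
        -AuditEnabled $true `
        -AuditLogAgeLimit 90.00:00:00 `
        -AuditAdmin    Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf,MessageBind `
        -AuditDelegate Update,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind,SendAs,SendOnBehalf
}

# 2. The spot-check report: non-owner access to any mailbox over the last 30 days.
$Start = (Get-Date).AddDays(-30)
$End   = Get-Date

$Report = foreach ($mbx in $Mailboxes) {
    Search-MailboxAuditLog -Identity $mbx.Identity `
        -LogonTypes Admin,Delegate `
        -StartDate $Start -EndDate $End `
        -ShowDetails |
      Select-Object @{ n = 'Mailbox'; e = { $mbx.PrimarySmtpAddress } },
                    LogonUserDisplayName, LogonType, Operation,
                    FolderPathName, ClientInfoString, ClientIPAddress,
                    LastAccessed
}

$Report | Sort-Object Mailbox, LastAccessed |
    Export-Csv -Path 'C:\Audit\NonOwnerMailboxAccess.csv' -NoTypeInformation
```

The caveat B raises still applies: the audit log lives inside the mailbox and is only written by the running Exchange server, so a backup restored to a scratch server or a cloned disk image produces no entries at all. The report covers access through Exchange, nothing more.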