IT Compnay deleting exchange mailboxes and storing in PST 1

[1DMF]

Hi,

Can anyone advise me why our IT support company is deleting user's mailboxes and storing the emails in unsecured PST files in multiple locations?

If emails are exported from Exchange to basic PST format doesn't this breach Sarbanes Oxley / Data Protection, as now anyone can access the mail store or even steal the PST file?

Also does this lose original ID's and so the email is no longer considered the original?

Why in a corporate environment running exchange and backing up exchange, would you do this?

Exchange is our email store, why would you store the emails anywhere else plus in multiple places and if you did want to archive mailboxes, doesn't it have to be done with software that is industry accepted to store the email in a secure, untamperable manner to meet Sarbanes Oxley?

Isn't keeping multiple copies of a PST file one on each user's computer that needs access to specific mailbox stores eating up disk space vs keeping them once in exchange, where permission to access the mailbox can be managed via Exchange under security policies?

Help understanding what they are doing, why they are doing it and it's potential impact on security is appreciated.

1DMF.





"In complete darkness we are all the same, it is only our knowledge and wisdom that separates us, don't let your eyes deceive you."

"If a shortcut was meant to be easy, it wouldn't be a shortcut, it would be the way!"
Free Electronic Dance Music

 

[strongm]

>Why in a corporate environment running exchange and backing up exchange, would you do this?

No idea. It certainly would be far from best practice. Why not ask the IT support company why they are doing it?

 

[1DMF]

Thanks Mike, that was exactly the reassurance I was looking for.

I have no idea why they are doing it and it is certainly not something they have been instructed to do.

My biggest concern is the potential breach in systems and controls under a regulated environment this may have caused.

I take financial services data protection and best practices very seriously and am confident this behaviour doesn't cut the mustard.

When you outsource services it is meant to give you peace of mind and free up time to concentrate on other priorities, not put you at risk and cause you more inconvenience distracting you from your objectives.

Looks like I have a mess to investigate next week!

"In complete darkness we are all the same, it is only our knowledge and wisdom that separates us, don't let your eyes deceive you."

"If a shortcut was meant to be easy, it wouldn't be a shortcut, it would be the way!"
Free Electronic Dance Music

 

[ntinlin]

If you need to be SOX compliant you should really be doing e-mail journaling to something like an EMC Centera or equivalent and software like Symantec Enterprise Vault or EMC SourceOne.

However exporting to PST's may not be outwith your agreement with the support company, it could just be their standard practise, although putting in an insecure location is certainly a no-no.
Presumably if they are deleting mailboxes then these users have left your company, and thus you wouldn't really want the mailboxes to be hanging around?
If you are being charged per mailbox perhaps and have a high turnover of staff finance probably wouldn't want to keep paying for non-existent users.


Definitely something to get looked at though, this sort of thing should have been addressed in the contract when you signed up to their service, if it hasn't been explicitly addressed then that is your companies fault as much as the support company. If it is noted in contract and been ignored on their end then you'll probably need to get counsel involved.

Neill

 

[1DMF]

Hi Neil,

Well a requirement to be SOX is a bone of contention, especially as we are UK based not USA where it is actual legislation.

We already implement email archiving and filtering via a 3rd party service, which is meant to be in-line with SOX.

I have no idea what was agreed or signed upon regarding the support contact, the CEO out sourced and implemented this external company to free up my time and I was not involved with this.

However, I would have assumed it was required that they operate best practice regarding our data in a FCA regulated environment.

Deleting email audit trails and mailbox accounts relating to employe's whose data includes sensitive financial information relating to not just our member broker firms but their clients, is a total no-no in anyone's book.

To then duplicate and distribute such information with a total disregard to data protection and FCA regulatory best practice, is to me mind boggling.

Yes, they are an ex-staff, but we own our own in-house SBS server running Exchange, there is no additional cost for keeping this data, we do not have a high enough turnover of staff to warrant any archiving and I see no acceptable reason to destroy audit trails, system logs and original mail messages when disabling and leaving intact would meet any external audit should the regulators come knocking on the door.

The practice being employed by this company means we don't have the original email or the original mailbox store in Exchange, nor the associated audit trails or account history, nor do I know who has access to this data or who may have removed this data or edited it, filtered, manipulated or any other such unethical handling of very sensitive financial data.










"In complete darkness we are all the same, it is only our knowledge and wisdom that separates us, don't let your eyes deceive you."

"If a shortcut was meant to be easy, it wouldn't be a shortcut, it would be the way!"
Free Electronic Dance Music

 

[joblack23]

No reference to any audits but storing PSTs to a secure network location where only the IT and certain dedicated users have access , is no difference then securing your accounting files from anyone else. For most companies I've dealt with, is secure enough. However if the IT person is careless and places the files unrestricted, that is a different story.

 

[1DMF]

The emails are already in a secure place where only the IT and certain dedicated users have access, our SBS 2011 environment with Exchange 2010. Also if you don't export, manipulate, move, distribute or perform any other action on these emails, there is no way you can be accused of tampering, filtering, shredding or obfuscating anything by anyone.

Perhaps the problem is I care too much when no one else here seems too?


"In complete darkness we are all the same, it is only our knowledge and wisdom that separates us, don't let your eyes deceive you."

"If a shortcut was meant to be easy, it wouldn't be a shortcut, it would be the way!"
Free Electronic Dance Music

 

[1DMF]

Perhaps the problem is I care too much when no one else here seems too?

I just wanted to qualify this statement as when I re-read it, I may have given the wrong impression.

When I say 'no one else here', I'm referring to my place of employment, NOT the nice folk here at Tek-Tips!

"In complete darkness we are all the same, it is only our knowledge and wisdom that separates us, don't let your eyes deceive you."

"If a shortcut was meant to be easy, it wouldn't be a shortcut, it would be the way!"
Free Electronic Dance Music