Pub. 3 2012 Issue 1

controlled email solutions. However, if an employee is using webmail to access their personal email from the office, a back door is created for introducing malicious software and inappropriate emails to the bank's infrastructure.

• Data Leak. Certain policies have been implemented to prevent data from leaving the organization, and automation is used where possible and appropriate to enforce those policies. With webmail, a bank has an increased risk of data leaks, as confidential and sensitive information could be exported from your workplace through webmail. In summary, controls that you have invested significant resources in can be circumvented with the use of webmail.

• Password Recovery. Another issue is that the password recovery options provided by many webmail services offer a way to compromise accounts. Think of how you recover your passwords internally. If you need to recover your password, you contact the bank's internal IT staff to reset your password. The reset password is known by one other person until you access your account and change it. Webmail password resets could involve the use of an online form where you answer a security question. In many cases, these security questions can be easily answered by someone other than the owner.

• Secure Site. For banks with employees who consistently work out of the office, there may be a business need to establish a method to access their email. In some cases, they may only be able to access their email by setting up a web-based email site. It is important to ensure that the bank secures the web-based email site. If the site is secured with a self-signed digital certificate or no certificate at all, the bank has just created a security issue. In addition, productivity issues could be encountered if employees are accessing their personal email accounts for an excessive amount of time during regular business hours.

Controls to be Considered
There are a limited number of controls available to a bank that elects to use webmail as either its primary email service or to provide employees the convenience of accessing their personal email through a webmail account. A few best practices are listed below:

• If setting up a web-based email site, obtain and install a digital certificate from a trusted source to protect the bank's data and to provide the users a sense of security. Also, indicate through policy that only bank-owned computers (i.e., a bank laptop) can be used to access email in this manner.

• Ensure your risk assessment considers the risk of providing webmail as an email service to your employees for accessing personal email. The risks must be weighed against the employee convenience. If you elect not to allow this option, consider setting up group policy through Active Directory to block access to these services from the bank network.

• Do not allow access to bank email through the use of webmail as an email service. The banking industry is subject to certain requirements as defined in the GLBA, and the controls you have implemented can be rendered ineffective by an employee's ability to use webmail as an email service.

• Ensure that your email policy addresses both outgoing and incoming email as it relates to webmail as a service and the use of a web-based email site. The policy should be clear on the bank's position and list the consequences of violating the policy. The bank should have the employee sign an acknowledgement form stating that they have read and understand the policy.

Conclusion

Accessing and using webmail as a service presents a number of risks to a bank that must be considered while conducting the bank's risk assessment. While employee convenience can be satisfied, numerous risks exist to customer data that need to be considered.
If considering a web-based email site, ensure proper controls have been considered and implemented, along with a detailed policy on its use.

Chris Joseph is a P.L.L.C. Member of Arnett & Foster, P.L.L.C., Certified Public Accountants, in Charleston, West Virginia. A Certified Public Accountant and Certified Information Systems Auditor, Mr. Joseph has over twenty-seven years' experience in information technology audit and security services in the financial institutions industry. Mr. Joseph can be contacted at 800-642-3601 or through email: chris.joseph@afnetwork.com.
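The "Secure Site" risk and the first control above come down to one check an auditor can make of a web-based email site: does its certificate chain to a trusted authority, or is it self-signed (or issued for some other host name)? The following Go program is an added example and not part of the article or the author's own material. It classifies a server certificate the way a browser would, using only the standard library's crypto/x509 package, and demonstrates the four outcomes on certificates it constructs itself for a hypothetical site, webmail.example-bank.test, with an invented "Example Bank Internal CA" standing in for a trusted root; none of those names come from the article.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Verdict is the result of checking a web-based email site's certificate.
type Verdict string

const (
	VerdictTrusted      Verdict = "trusted chain"
	VerdictSelfSigned   Verdict = "self-signed certificate"
	VerdictUntrusted    Verdict = "not issued by a trusted authority"
	VerdictNameMismatch Verdict = "certificate not issued for this host name"
)

// ClassifyCert checks a server certificate as a browser would: it must be
// issued for host and chain to a root in roots. A certificate that is its own
// issuer and verifies under its own key is the self-signed case the article
// warns about, so it is reported first, before any chain building.
func ClassifyCert(leaf *x509.Certificate, host string, roots *x509.CertPool) Verdict {
	if bytes.Equal(leaf.RawIssuer, leaf.RawSubject) &&
		leaf.CheckSignature(leaf.SignatureAlgorithm, leaf.RawTBSCertificate, leaf.Signature) == nil {
		return VerdictSelfSigned
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	switch err.(type) {
	case nil:
		return VerdictTrusted
	case x509.HostnameError:
		return VerdictNameMismatch
	default:
		return VerdictUntrusted
	}
}

// mintCert builds a constructed test certificate (P-256 key, valid 24 hours).
// With parent == nil the certificate signs itself; otherwise it is issued by
// parent using parentKey. Leaf certificates get a SAN entry for name.
func mintCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{name}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Scenarios classifies four constructed certificates for the hypothetical
// site webmail.example-bank.test against a trust store holding only the
// (also hypothetical) Example Bank Internal CA.
func Scenarios() (map[string]Verdict, error) {
	const host = "webmail.example-bank.test"
	bankCA, bankKey, err := mintCert("Example Bank Internal CA", true, nil, nil)
	if err != nil {
		return nil, err
	}
	otherCA, otherKey, err := mintCert("Some Other CA", true, nil, nil)
	if err != nil {
		return nil, err
	}
	good, _, err := mintCert(host, false, bankCA, bankKey)
	if err != nil {
		return nil, err
	}
	selfSigned, _, err := mintCert(host, false, nil, nil)
	if err != nil {
		return nil, err
	}
	stray, _, err := mintCert(host, false, otherCA, otherKey)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(bankCA)
	return map[string]Verdict{
		"issued by trusted CA": ClassifyCert(good, host, roots),
		"self-signed":          ClassifyCert(selfSigned, host, roots),
		"issued by unknown CA": ClassifyCert(stray, host, roots),
		"wrong host name":      ClassifyCert(good, "mail.other.test", roots),
	}, nil
}

func main() {
	verdicts, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for name, v := range verdicts {
		fmt.Printf("%-22s -> %s\n", name, v)
	}
}
```

Against a real site the same ClassifyCert call would take the leaf from a TLS connection's PeerCertificates and a root pool loaded from the workstation's trust store; only the "trusted chain" verdict means the site is secured the way the control asks for. A self-signed certificate still encrypts the session, but it gives users no way to tell the bank's site from an impostor, which is why the article treats it as a security issue rather than a cosmetic one.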
