General discussion
July 27, 2004 at 10:48 am #2273618
HOW DO I DEFEND MYSELF
Locked · by julaba · about 18 years, 6 months ago
Dear TechRepublic Colleagues,
I have been entrusted to manage a whole LAN/Network of about 65 machines but of late, I noticed something strange in my mail server. There are certain managers whose e-mail messages are being forwarded to the MD’s address without the concerned people’s knowledge. I removed every forward mails I found in the system without telling anybody.
I am now seeking advice from anyone. Is this legal in any part of the world? How do I tell the people concerned what I found out?
Somebody else has access to this mail server who is contracted to do the necessary maintenance from time to time whom I believed was used to do this forwarding. Thanks.
All Comments
-
July 27, 2004 at 10:57 am #2701223
Like key loggers
by jamesrl · about 18 years, 6 months ago
In reply to HOW DO I DEFEND MYSELF
This is sometimes a necessary thing, but there should always be a policy approved by senior management, and a process to enforce the policy. The process should include multiple signatures – one from a senior manager approving, and one from HR acknowledging.
There have been legal precedents in the US that show that all email sent on a corporate system is the property of the corporation, and they have the right to do with it what they will – there is no expectation of privacy held, unless of course the corporation writes an explicit one, which some do. Microsoft had some of their email brought into evidence despite their protests, on the anti-trust trial. In an earlier lawsuit one computer company discovered that a former employer had been sending a competitor information, and successfully used emails to prove it.
James
-
August 25, 2004 at 8:20 am #2711748
Opposite
by flosofl · about 18 years, 5 months ago
In reply to Like key loggers
There is no expectation of privacy if there is a subpoena/warrant. This is whether you are a Corporation or a private citizen. If you recall Microsoft had to produce the information via a subpoena. The same information can also be discovered through a subpoena/warrant for any private citizen (be it work email or personal email or IRC/IM logs)
As far as internal practices go, policies should be exactly the opposite as what you state. A corporation should always have a “monitoring” statement included in the enterprise security policy. An employee can claim civil damages against an employer for privacy invasion. There is a “reasonable expectation” of personal privacy at work unless it is specifically stated in policy that monitoring occurs. I’m not saying I agree totally with this (especially if you’re using company resources for personal reasons)… But I am in IT Security and this is how it was explained by the Corporate legal counsel.
-
-
July 27, 2004 at 11:18 am #2701218
This is legal in most states…
by tomsal · about 18 years, 6 months ago
In reply to HOW DO I DEFEND MYSELF
In most states, the employer need not inform its employees that anything is being monitored; this includes both voice and data (telephone calls, emails, etc.)….
It’s legal for them to do with the info what they will…of course information protected by other laws comes into play if the info they are sharing is say your credit history, medical history, SSN, etc. THEN that is different because an employer CAN NOT legally do what they want with that kind of information.
So find out the existing policy from your local top dog there before you jump all over this issue and get yourself in trouble.
ps. you shouldn’t have deleted the forwarded messages btw..that was a bad move.
ALWAYS research in cases like this BEFORE you do any action.
-
July 27, 2004 at 2:14 pm #2701152
Certainly
by oz_media · about 18 years, 6 months ago
In reply to HOW DO I DEFEND MYSELF
If this has been outlined in your duties, even if vaguely, you have every right to perform your job duties.
If your company policy restricts this, then you have every right.
If it jeopardizes network security, then you have every right.
If you have received your job details from one of these managers in question, I would ask him to his face if this type of forwarding is to be permitted by management? If so, you can explain that in the better interests of the network’s security, you have removed forwarding until told otherwise.
If this is an OPEN relay forwarding system, your company WILL be blacklisted and outgoing email will be blocked to many of your customers.
OR
You may be better off to simply have the forwarded email sent to a different folder than the MD’s and then you still have all the email on record so it can be addressed if needed by the powers that be. Once you are collecting this email, you can then face your employer and say you noticed a relay and have redirected all email until confirmed okay or not. Then you can state your security case and recommend it is stopped. If your manager says it is alright, then let the mail flow, it’s no longer your problem.
-
July 28, 2004 at 3:25 pm #2699258
Stupid Question…
by jpbowdoin · about 18 years, 6 months ago
In reply to HOW DO I DEFEND MYSELF
What’s an MD? Managing Director.. if these are internal emails (apparently a third user forwarding messages to the MD without the authors’ knowledge yes?), you’d probably be best served leaving them the heck alone. First, I’d find out who the third party is. If it’s the maintenance man.. lock him out. It’s your network, and then you should either take control of your mail server yourself after having that discussion with your boss, or let the powers know what’s going on, and if you must keep him, you should be present when the work is done. You taking upon the role of filtering/deleting mail really isn’t your place unless like others have mentioned, it’s a specific duty of yours.. You’ll just wind up getting yourself in a sticky situation; intentions might be good, but in the end, it means the network guy is snooping through other folks’ emails. My opinion, an HR issue..
-
August 25, 2004 at 4:45 am #2711822
Silly Response
by sharky_2003 · about 18 years, 5 months ago
In reply to Stupid Question…
Clearly the MD already knows. It sounds as though he has asked the outside contractor to configure the mail system in this way. That being the case, the MD is not going to be happy if you lock out the contractor.
Time to have a chat to the boss. Be nice.
-
August 25, 2004 at 4:47 am #2711821
Bad Move
by bryantc · about 18 years, 5 months ago
In reply to Stupid Question…
I say bad move because every company I’ve worked for or consulted to has a policy that tells employees that email is company property and do not expect privacy, i.e., it can/will be monitored. You put yourself in harm’s way by deleting the emails without first verifying that there was not an ongoing investigation into those managers’ email usage. If one of my team members did something like that without researching why it was happening they would lose raise dollars as well as a write in the HR file. It would have not taken you very long to bring this to your manager’s attention at which point he/she should have taken it to HR. You have every right to protect the network but security was not the reason you stated for stopping the forwarding. You would be way out of line to discuss what you discovered with the people whose email was forwarded.
-
August 25, 2004 at 5:25 am #2711813
Right On
by d50041 · about 18 years, 5 months ago
In reply to Bad Move
This is the one response that is totally correct. Deleting those emails was the worst choice. Employees have NO right to privacy on company owned computer systems, period. The onus is on the MD here, if he (she) abuses this security privilege, the responsibility is theirs. And the comment about discussion is absolutely correct also. Perhaps the MD has reason to review some staff e-mails. Informing the staff might undermine the investigation.
-
August 25, 2004 at 6:53 am #2711778
Policy and procedure
by bssorrell1 · about 18 years, 5 months ago
In reply to Right On
In a large organization this would be covered by their IT Sec policy. Your company may not have documented policy. If it does not this is an opportunity to get one set.
The policy in this case should cover privacy and proper access control. The company may choose to extend greater privacy than the law allows, they may not. The access control policy should require approval for any access to systems or data.
This is just good governance.
-
August 25, 2004 at 7:46 am #2711759
No presumption of privacy at work..
by is girl · about 18 years, 5 months ago
In reply to Right On
I constantly remind my users that they should have “no presumption of privacy” when using any of the resources at work. This is part of the Usage policy and they are made well aware that their phone calls and emails can and are reviewed without their knowledge.
I advise my fellow employees to use a personal email account for personal email and to use their cell phone for their personal calls whenever possible.
-
-
-
August 25, 2004 at 4:45 am #2711823
SUPREME Court Ruling – Corporate Email not private
by rick-travis · about 18 years, 5 months ago
In reply to HOW DO I DEFEND MYSELF
The U.S. Supreme court has ruled that corporate Email is not private and belongs to the corporation. In Borland vs. Symantec it ruled that the company owns the Email. If you want something kept private Don’t use company provided Email. Use your own.
-
August 25, 2004 at 4:48 am #2711820
Good response
by sharky_2003 · about 18 years, 5 months ago
In reply to SUPREME Court Ruling – Corporate Email not private
Now that is an interesting and pertinent response, and good advice.
-
August 25, 2004 at 4:57 am #2711818
Use Your Own- Just Not From Work
by bhughes923 · about 18 years, 5 months ago
In reply to SUPREME Court Ruling – Corporate Email not private
I agree that users concerned about privacy use their own email accounts… but don’t expect any more privacy if you are checking those accounts via web access over the corporate WAN. We have the same policies over web access as we do email.
-
August 25, 2004 at 5:46 am #2711803
Correct me if I am wrong
by macrosoftux · about 18 years, 5 months ago
In reply to SUPREME Court Ruling – Corporate Email not private
I may be wrong about this, but I thought that according to the ECLA (Employee Communications Liability Act) that prior to the monitoring of any electronic communication, the company is legally obligated to notify the employees that it can and will do such a thing.
Usually this is done via HR Manual. But if the company does not explicitly state the manner in which the employees are to be monitored, then there could be even a greater legal issue here.
Not to mention this sounds incredibly fishy if only certain people’s Emails are being sent to a manager. I have only seen this happen in 2 cases. Either the employee has done something specific to merit suspicion, OR there is an overzealous manager who enjoys snooping on their employees.
Obviously, I have a bias in favor of employees, but I have seen far too many managers employ tactics like this to keep an “edge” over their employees by taking their ideas or things out of context. Leave the “snooping” to the IT department or HR when it is warranted.
-
August 25, 2004 at 9:33 am #2711720
Still need a valid reason to look at emails
by lvincent · about 18 years, 5 months ago
In reply to SUPREME Court Ruling – Corporate Email not private
I work for the federal government and our regulation is: “Electronic mail messages are Departmental property and not personal property. The expectation of privacy or confidentiality does not apply to electronic mail messages stored, retrieved or exchanged. Accordingly, electronic mail messages shall only be authorized for examination during the course of audits, investigations and system administration functions.”
Also, in order to view someone’s emails official notification must be given. And the supervisor must have just cause.
-
August 26, 2004 at 1:34 am #2710173
Justification
by david.conn.wg95 · about 18 years, 5 months ago
In reply to Still need a valid reason to look at emails
It’s my impression that you don’t need to demonstrate cause of any kind, but not clearly informing your users that they are subject to such monitoring can lead to a suit you might have to successfully (or not) defend. Obviously, the janitor can’t be doing the monitoring unofficially and it would be a good idea to have monitoring policies spelled out both for your and your end-users’ sakes.
-
-
-
August 25, 2004 at 4:55 am #2711819
Remember Who Entrusted You
by 2thepoint · about 18 years, 5 months ago
In reply to HOW DO I DEFEND MYSELF
Your intentions are noble but you were not entrusted by the 65 users you support. There should be a policy in place that states the email is to be used for company business and may be subject to monitoring by management. Then you have a duty to management to manage the server as the policy states. Your duty to your users is a high level of service including uptime and backups etc? There would be nothing wrong with an email to the entire user community reminding them of the policy.
-
August 25, 2004 at 5:01 am #2711817
Wrong Move
by old#9 · about 18 years, 5 months ago
In reply to HOW DO I DEFEND MYSELF
You shouldn’t have deleted those e-mails without checking with your boss first. However, the forwarding should have not been set up without your knowledge. Your company needs to work on communication. Why didn’t the person who is contracted to do maintenance on the server inform you? Why do you have someone from the outside do maintenance?
-
August 25, 2004 at 5:27 am #2711811
Wrong Move
by centurian_oooya’bass · about 18 years, 5 months ago
In reply to Wrong Move
As an IT Administrator for 50 Users, my company has outside contractor onsite once every 6 months to go over the Servers .. Just in case?? or in case I miss something?? .. I tried to convince my manager that I’m capable of doing all that the contractor does therefore get rid of and save us 5k a year …and that 5k would pay for some good training / equipment .. deaf ears.
Office politics .. what would we do without them, and the more senior the manager .. the worse it gets
-
August 25, 2004 at 11:32 am #2711687
Use Judo
by old#9 · about 18 years, 5 months ago
In reply to Wrong Move
I’ve worked under the same conditions. Once a year, an outside consultant would review our network and make recommendations to our management. We established good communications so that there wouldn’t be any misunderstandings like this one. Anyway, use that contractor to your advantage. The advice from the “expert from afar” usually carries more weight with management than what their own employees tell them. Use him as your advocate. Additionally, if the contractor finds nothing wrong with your network, remind your boss of what a good job you’re doing.
-
-
-
August 25, 2004 at 5:26 am #2711812
Pandora’s Box
by debon · about 18 years, 5 months ago
In reply to HOW DO I DEFEND MYSELF
Hi Julaba, I live in Jamaica and this is perfectly normal. However as a matter of Corporate policy we tend to advise staff that they are to have absolutely no expectations of personal privacy whatsoever for communications sent/received on Company network and information stored on Company machines. If I was in your shoes my first response would have been to check the Company’s Technology Policy manual to see whether it addresses email privacy. If it states that all emails sent/received via the Company’s network are Company property or that there should be no expectation of personal privacy on Company property etc – then I would have left the email forwards as I found them. If on the other hand there was no policy addressing this issue I would create one that allows things to remain AS I FOUND THEM. This of course would need to be sent to the MD for discussion and ratification and IF S/HE AGREES then I would leave the forwards as I found them. Further, as with ALL policies, it would need to be circulated to ALL members of staff FOR THEIR INFORMATION. In my opinion it was unwise to remove the forwards PRIOR to seeking advice.
-
August 25, 2004 at 6:15 am #2711788
DITTO
by michaelfr_mcp · about 18 years, 5 months ago
In reply to Pandora’s Box
MOST companies have policies regarding email being Company property, I have been doing this I.T. tango thing for almost ten years, currently running 400+ user shop, ALWAYS have EVERYTHING in writing to cover your 6, but to step in & start UNDOING something before you have a clear understanding of WHAT it is doing there & WHO put it there you could be walking on VERY thin ice..
-
-
August 25, 2004 at 5:57 am #2711798
Wide Latitude
by netsec · about 18 years, 5 months ago
In reply to HOW DO I DEFEND MYSELF
I work in County government where the policy is clearly defined. Every employee has to sign an Equipment Policy and an Electronic Communication Policy prior to any access to or use of county equipment or communications. If your company has a policy, find out what it is. If they do not have one, take the time to research what it should cover and write one. Submit it to HR and/or the MD – it’s always better to have a policy than to leave things to chance.
Part of one of our policies states:
“Employees do not have a right, nor should they have an expectation, of privacy while using any County office equipment at any time, including accessing the Internet and/or using E-mail. By using County office equipment, Employees make express agreement to consent to disclose the contents of any type of information maintained on or passed through County office equipment.
“By using this office equipment, consent to monitoring and recording is implied with or without cause, including, but not limited to, accessing the Internet and using E-mail. Any use of County communication resources is made with the understanding that such use is generally not secure, is not private, and is not anonymous.
“System managers do employ monitoring tools to detect improper use. Electronic communications may be disclosed within an agency or department to employees who have a need to know in the performance of their duties. Agency officials, system managers and supervisors, may access any electronic communications.”
While it may seem an infringement on privacy, companies must do what they can to protect themselves and their customers.
-
August 25, 2004 at 6:03 am #2711795
Missing some details
by techjock · about 18 years, 5 months ago
In reply to HOW DO I DEFEND MYSELF
I noticed that you did not reference where in the world you are, nor did you give us the industry you work in.
Both of these are important pieces of information when it comes to a discussion on employee monitoring of any kind.
In the United States, the usual standard is that monitoring of e-mails is permitted under law IF the users are aware of it or should be aware of it. Basically there needs to be a policy that states that e-mail may be monitored, and the users need to have seen this policy or been made aware of it BEFORE the monitoring started.
Also, there are some industries where e-mail monitoring is considered almost mandatory. I did some contractor work for a small brokerage firm several years ago, and ALL outbound e-mails had to pass through and be approved by one of the managers to prevent certain insider information or stock details. It was the firm’s way of covering their assets and preventing something like the Martha Stewart fiasco.
My advice would be to review your company policies (you do have them, right?) and see if any mention is made regarding e-mail monitoring.
Also, I would guess that the MD is going to notice really soon that something has changed. If everything is on the up and up, they should contact you about the problem, and you can discuss the issue with them (in private please).
Good luck! Let us know what happens.
-
August 25, 2004 at 6:12 am #2711790
Multiple Issues
by chrystoph · about 18 years, 5 months ago
In reply to HOW DO I DEFEND MYSELF
I agree with several people here that the problem is legal, if not ethical.
That said, there are several issues here.
1. If you are the person with responsibility for the mail server, someone has put you in a position of liability. Whether the MD had a right to do this or not (which I am not addressing), you, as the person responsible, should have been informed. This needs to be addressed to management, as a lawsuit would, almost by definition, include you as the IT person.
2. The contractor needs to be addressed. The reason for this is that their actions have shown them to be unreliable. Again, you should be informed of everything that is done to your network. If this cannot be done, then the contractor needs to be replaced. The MD should not be making decisions that can get lost at a later point.
Lastly, I agree with the folks that say evidence should be gathered to a neutral location that can be accessed if required. While it is legal to monitor an employee’s email, that monitoring must fall under certain standards. If it does not, the MD, in this instance, may be abusing his authority and putting the access to inappropriate use.
With this in mind, I would ask whether HR is aware of this? They should be, and, if they are not, it lends itself to a suspicion that the MD is in the wrong.
-
August 25, 2004 at 6:55 am #2711776
Remember the chain of command …
by ldehaan9 · about 18 years, 5 months ago
In reply to HOW DO I DEFEND MYSELF
You’re probably coming into the situation not knowing the company’s recent political history. You should assume that what’s taking place has a valid business reason and you should be supportive of that reason. To quiet the ethical qualms you might verify that the company has an e-mail policy stating that e-mail privacy is not to be expected. If you fail to find such, you can nonetheless be reassured that state law generally considers e-mail traffic passing received by an employer’s e-mail server is considered the property of the employer rather than the employee to whom it was addressed.
Were I you, I’d return the system to the previous configuration ASAP and make a note of what you did and why you did it. You might also consider discussing the matter fully with your immediate supervisor or the MD himself/herself, since you’re not privy to the business rationale for the configuration and might’ve inadvertently compromised whatever caused the configuration in the first place. Good luck.
-
August 25, 2004 at 7:28 am #2711765
Property of the Company
by om8ga · about 18 years, 5 months ago
In reply to HOW DO I DEFEND MYSELF
Upon hiring I had to sign a document that basically stated that I had no privacy rights on any all systems that was conducted on their equipments. E-communications, voice communications conducted with the company’s equipment are theirs and may be subject to searches if needed.
I don’t think one should ever think that their communications are private on any medium and especially not in a corporate setting.
-
August 25, 2004 at 8:01 am #2711756
DUDE, YOU DID WRONG
by irigoyenyepez · about 18 years, 5 months ago
In reply to Property of the Company
I agree entirely with ldehaan9. You should restore everything immediately, to save your 6. My opinion is that you should NEVER delete anything BEFORE considering the consequences.
I work for a South American Country Municipality and we use MS-Messenger, ICQ and company e-mail for our internal communications. I would NEVER write something that would compromise me on these services to begin with. And this too should be a policy!
-
-
August 25, 2004 at 7:58 am #2711757
There is no expectation of privacy if company supplies email…
by c.eltringham · about 18 years, 5 months ago
In reply to HOW DO I DEFEND MYSELF
I worked for a company who frequently asked to see messages from employees. It’s how things were done. I always tell whomever will listen, do not expect privacy in email, or IM communications when the employer supplies services period!
-
August 25, 2004 at 8:06 am #2711755
No privacy
by straightshooter · about 18 years, 5 months ago
In reply to There is no expectation of privacy if company supplies email…
Our policy manual clearly states that there is no privacy in company supplied communications. Employees should not expect privacy. It’s also odd that people who are outraged that someone is monitoring their email, will freely communicate on a cell phone! Go figure!
-
-
August 25, 2004 at 8:14 am #2711750
The email system is owned by the company
by oregonsteve · about 18 years, 5 months ago
In reply to HOW DO I DEFEND MYSELF
This is a hot topic of late, and you can read a lot about it in the “Trades” and even see stuff on TV, but the short of it is: The email system is owned by “The Company” so if they want to see what mail is being delivered to certain individuals’ mailboxes, they have every right to do so. Legal, most likely. Ethical, depends on who you ask. And I’m sure they have it spelled out somewhere in their company policies.
-
August 25, 2004 at 8:28 am #2711744
Policy and Company property
by rigmarol · about 18 years, 5 months ago
In reply to HOW DO I DEFEND MYSELF
First and foremost, Get a policy in place to cover this topic!!!
Spell out proper use and who has authority to manage the system and who gets the passwords to Admin accounts. Spell out Consequences for abuse of these privileged positions.
Second, anything any employee does with Company equipment should be considered as company property. Right down to your email telling the kids to get the homework done before you get home. After all, the Company paid you while you wrote it and they paid for the internet connection you used to send it using the email program they bought and paid someone to install on the PC they bought to put on the desk they bought in the building they are leasing.
Supervisors have the need and right to forward emails they receive with or without the knowledge of the original sender. Just like repeating a conversation.
However, if you have someone using an Admin level account to change settings to auto forward email that is a security leak and should be dealt with quickly.
If you had a Policy addressing it you point to the policy and say, “Hey, policy says this, if you want to be exempt, have the big guys change the policy and when it’s in writing, I’ll change it” It’s called transfer of risk. You uphold the policy until it is changed then if it’s changed you either live with it or walk.
Good luck.
-
August 25, 2004 at 8:47 am #2711741
Document
by techie31 · about 18 years, 5 months ago
In reply to HOW DO I DEFEND MYSELF
I read and thought to myself that there is more going here than what it looks like. I had a job where I would forward all my work email to a personal address to document what was being said to me for future use. I ended up needing the emails to defend myself and something similar might be going on here, just from the other side where a case might be built for future action against the senders. Keep your hands off.
-
August 25, 2004 at 8:53 am #2711738
RE: How Do I defend myself.
by dr. doug · about 18 years, 5 months ago
In reply to HOW DO I DEFEND MYSELF
Where I work, I am the e-mail admin. HR published an e-mail policy that stated ‘All e-mail is owned by the company and can and will be read from time to time to verify compliance to company policies…’, so it is known by everyone that this can happen, I usually just scan for viruses and pron content, and do not read the message, but sometimes I see things that are written, and sometimes these very things have caused corrective actions to be taken by managers. My understanding is that as long as the policy is disclosed, this is legal. I have signed forms of this nature at my last three jobs. For the record, I am in California. I do not know how other states/countries handle this issue, but would like to know.
-
August 25, 2004 at 10:07 am #2711713
“my mail server”?
by ni70 · about 18 years, 5 months ago
In reply to HOW DO I DEFEND MYSELF
I know net admins/sys admins are a territorial bunch, myself included, but by your post you feel that the mail server is yours when in fact it belongs to the company who entrusted you to manage the network. I don’t know if “removed every forward mails” means you deleted the messages or not, I’m not going to assume you did.
As for the legal part, you need to check your local and country (for lack of a better term than federal) laws. As mentioned in previous posts, you did not mention what country you’re in.
I agree with other posts about having policies in place, if there aren’t any definitely heed the advice of others for creating the policies, not just an e-mail policy but others as well. TechRepublic is a great source for policy templates.
Well enough of my rant and 2cents.
-
August 25, 2004 at 10:31 am #2711708
Who is MD?
by blarman · about 18 years, 5 months ago
In reply to HOW DO I DEFEND MYSELF
If MD stands for Managing Director, a couple of reality checks:
1. That person is WAY too busy to read through every email being forwarded. Or should be.
2. The person is naive concerning the mail system – you as the admin have the capability of retrieving emails if necessary.
3. They should have notified you of the behavior.
As to the legality of the actions, it is legal to monitor communications in the workplace as long as the employees are aware the company may choose to do it. It sounds to me like the “MD” doesn’t trust the managers in question and is looking for an excuse to fire them.
-
August 25, 2004 at 10:49 am #2711701
You might want to confirm your email policy.
by stuart.crawford · about 18 years, 5 months ago
In reply to HOW DO I DEFEND MYSELF
Most companies now disclose their intentions regarding reading email in their company IT policy. It is quite normal for a company to consider any email generated from, or sent to a work address, company property. It is therefore the right of the company to read it.
When you consider this from a company’s legal perspective, it makes good sense.
-
August 25, 2004 at 11:31 am #2711688
Ask questions THEN shoot… Not the other way around.
by bndplus2 · about 18 years, 5 months ago
In reply to HOW DO I DEFEND MYSELF
Firstly, you should NOT have deleted those messages. How do you know that there’s not an internal investigation going on? You could have possibly ruined one if there was.
Secondly, it’s legal everywhere that *I* know of. If you spell it out in a policy, even loosely (the company reserves the right, blah blah, no expectation of privacy, blah blah…), then you’re covered.
Third, you should have ASKED about the situation BEFORE you did anything… And I would have asked the person ABOVE the MD you mention, in case the MD was doing something he wasn’t supposed to be doing. Always take it at least one level above the person involved. For example, I get requests now and then to have me look at people’s email messages. Some of these are from supervisors with an axe to grind. So, I ALWAYS get at LEAST a manager level or above to agree with the request. Know how many are actually done? If it happens once a year I’d be surprised… Involving the requestor’s manager makes “malicious” requests vanish into thin air. Part of your job is running interference for people, and going higher up in the management chain ensures that happens (assuming your HR department doesn’t address it, that is. Mine sure doesn’t…).
You came into a situation that was pre-existing, for whatever reason. I sure as hell wouldn’t go into a system and start making changes until I was sure I understood the reasoning behind the way it was set up. That was the same with this situation here: it was set up, and you should have left it alone until you understood what was going on.
I assume you are new at this. There is a lot to being an Admin, and a lot to learn. There is a lot of systems stuff but there is also a lot of ethical, political stuff, as well. You have a power that a lot of people fear and envy, and you need to be RESPONSIBLE and ETHICAL with the way in which you use it. You were trying to be ethical however you were NOT being responsible. Find that line and get back on it.
Address this issue with someone HIGHER than the “MD” – their boss or perhaps the HR department (find a confidant in HR and bounce it off them – that works wonders… Make the conversation unofficial, and it gives you a better sense of direction with regards to what you should do. Bear in mind that any person who is told of a violation of law will be compelled to make an issue of it, though. So, for example, if you told someone that the MD was stealing from the company, they’d have to do something about it…).
Restore the messages. Put the forwarding back in place. Talk with someone ABOVE the MD about it. Then hash it out from there… And for your own sake, make sure to ASK before you do something like that again!
Best of luck. I believe you have the best of intentions, but your actions need to be prudent and not as “reactive”.
And, oh, if you were to discuss the forwarding with the people who were being spied on, I’d fire you. Like I said, for all you know it could have been part of an investigation…
Just my 2c. And, please, let us know how this all works out.
-Lando
-
August 25, 2004 at 12:00 pm #2711681
Chain of Command
by red_wolf9 · about 18 years, 5 months ago
In reply to HOW DO I DEFEND MYSELF
Many people, incorrectly, assume notice has to be given (and given often) but HR policy for IT (or in general) ALWAYS includes:
1) You have no right to privacy when using any company asset.
2) Anything in this handbook can be changed at any time (it’s your responsibility to check).
Fact: Many companies do explicitly state “you might be monitored”.
Reality: US Supreme Court case law does not require it! Most corporate legal counsels find their life far easier if they have it, should something go to court, but it’s not required.
FYI: Only Germany has laws on the books that require permission from the employee before anything can be done. Trust me, this I know for a FACT!
What you fail to account for is that management runs the company, not you; they have no obligation to tell you anything. They are above you in the chain of command (COC) (unless you’re the CIO.. forget point 3). It is not for IT to decide how much work someone has and what they are capable of processing (management does not have to tell you their priorities, your point 1). Management is aware that IT people have access to information (your point 2), but they better be able to prove they have been authorized to access that information.
Example: We just fired a site IT manager for accessing salary information for employees (outside of his COC), he had the access but ZERO authorization.
Since we are all making wild assumptions, let’s just assume the MD is involved in a lawsuit, or that a rival company is trying to steal his staff. His legal counsel has advised him to get the mails forwarded.
What if JULABA is a personal friend of one of the accused (how else could the statement “without the concerned people’s knowledge” be made if JULABA didn’t ask one of those people, if this is JULABA making a wild assumption that is even worse). Since JULABA is a friend of one of the suspects, the MD ordered the contractor to do it (legal would prefer unaffiliated people doing the forwarding anyway, this in no way means the contractor is untrustworthy, maybe JULABA is the problem, and that is why the MD will not get rid of the contractor). By deleting the forwards JULABA has compromised any evidence that has been gathered, and probably tipped off at least one (if not all) of the suspects.
The way I see it, this falls firmly under “access but no authority”. JULABA should have gone directly to the MD when the forwards were found and inquired (providing of course the forwards were found during IT work that was authorized and not because they were just “looking around” or worse snooping for one of the suspects). JULABA has possibly committed an offence (deleting the forwards) that would be grounds for termination, and has compromised any investigation relating to the lawsuit.
Think of me as Internal Affairs of the IT department. I’m Friday… Sgt. Joe Friday – Internal Corporate Security and you are all suspects.
“A word to the wise ain’t necessary — it’s the stupid ones that need the advice.” –Bill Cosby
The power of accurate observation is commonly called cynicism –George Bernard Shaw
-
August 25, 2004 at 6:31 pm #2710221
Another point…
by quija · about 18 years, 5 months ago
In reply to HOW DO I DEFEND MYSELF
We had a nosy and clever administrator who was eager to learn what the managers were up to so he could promote his own interests. He was clever enough to set up a forwarding system such as you mention…and he was also clever enough to point it to an e-mail account of someone who was timid with computers and didn’t really use his e-mail account.
Think about this type of scenario in your case. What if the hired guy pointed the forwarded mail to the director’s mailbox where no one would ask questions. He could go into the director’s account and set up rules that forward the e-mail to folders where the director might never look. What if the hired guy is looking at manager’s mailboxes to see what kind of projects are being proposed, and what kind of bids made, so he could propose lower bids, etc?
The point is that without asking the director, which is your responsibility as administrator, you cannot know if he is a wily boss or an unaware one. Only the truth should exist between an administrator and the director. If it is true that the director has gone behind your back to set this up, he thinks either he cannot trust you or he thinks you don’t have the ability to set it up yourself. If he did this on purpose, you will erase both wrong impressions by telling him what you found. If he did not ask for this to be done, he needs to know it is happening.
Tell him.
-
August 25, 2004 at 8:49 pm #2710201
Look before you leap?
by kerry_miller · about 18 years, 5 months ago
In reply to HOW DO I DEFEND MYSELF
While it may be easier to get forgiveness than permission, I think you probably should have checked with the MD before reconfiguring that e-mail. What some people do not seem to realize (and/or accept) is that the equipment and facilities at your place of employment aren’t YOUR property–they’re your employer’s. And they’re there for you to help further your employer’s business, not for your personal convenience. YOUR EMPLOYER has the right to set the terms and conditions of their use. As such, YOUR EMPLOYER owns the communications that pass through them. If he/she allows you to mix in some personal use, that’s a favor–not a right–and you have no expectation of privacy.
Those forwards might have been in place for a very legitimate business-related purpose. While I understand your surprise and reaction, you may have overstepped your bounds–and if so, I hope your employer is also understanding. I’m writing this without reading any of the other posts–now I’ll go find out how my opinion stacks up against others’!
-
August 25, 2004 at 9:34 pm #2710192
Have to agree, you made a mistake
by it_in_ut · about 18 years, 5 months ago
In reply to HOW DO I DEFEND MYSELF
As others have said, you didn’t give enough detail about the situation here, but removing the forwards without having instruction from your manager to do so was a mistake. For all you know those specific managers whose emails are being forwarded to the MD may be under investigation for possible corporate espionage.
Or on the other hand, how do you know that those specific managers don’t know that their emails are being forwarded to the MD? Maybe they are working on an important project and that is the way they agreed to make sure the MD stays up to date with how those projects are progressing. There is not enough information but from what you wrote it reads like you are just assuming that those specific managers have no idea that their emails are being forwarded to the MD.
I would put the forwards back on. Then I would check the company policy and see what it states about email. If it says anything to the effect that all email is company property and may be monitored then just let it alone.
If there is nothing that states that, then you might bring up with your manager that you noticed the forwards set up while you were going through the mail server configuration and you also noticed that the company policy doesn’t say anything about emails being monitored, etc.
I might mention that for the company’s own CYA it might be a good idea to add a policy that says email is company property and may be monitored without notice. Then you should just let it go. I would not expect to be told WHY the monitoring was set up because it is really none of your business.
-
August 29, 2004 at 2:24 pm #2710388
What were you thinking?
by tjmeagher · about 18 years, 5 months ago
In reply to HOW DO I DEFEND MYSELF
Julaba, what were you thinking? I’d have to say you may have pretty much screwed up on this one. Personnel on a corporate system have no expectation of privacy, including email messages. As a Computer Security Investigator, it is not uncommon for email messages to be captured as part of ongoing investigations. You need to tell your boss what you did (for what you thought were the right reasons). Your boss can help get the collects back in place. Although you will get your wrist slapped (or worse), you need to fess up to your management. You might even be thinking to yourself, “Self, maybe if I put these forwards back in place, then no foul, no harm.” I’m afraid not, you have potentially compromised an ongoing investigation. Messages may have made it through that would have been of significance to an investigation. In the future perhaps you should not take unilateral action; you should always consult with your supervisor if you suspect something is wrong. Even if there were no ongoing investigation, your Computer Security personnel might have wanted to investigate the recipient of the emails. Perhaps the receiving manager was in the wrong; in which case you have tampered with the evidence of his/her wrongdoing. Again, if you suspect something, talk to your supervisor. If you have a Computer Security staff, let them deal with this type of finding.
-
September 10, 2004 at 12:07 pm #2712064
Missed point (and bad manners)
by chrystoph · about 18 years, 5 months ago
In reply to What were you thinking?
In the body of this, the person states that they are the admin for the server in question. That means that, unless they were under investigation, anyone who did ANYTHING to that machine should have kept them advised. They are automatically responsible for the box and its behavior.
Security is there to stop wrong doing against the company, not to act in a Gestapo-like fashion against someone doing their job.
More importantly, the person in question came to this community for support, not ridicule. You have taken the stance that the person in question is automatically in the wrong, and been insulting about it, without knowing that your stance is, in fact, valid.
Furthermore, your presumption is that the people that have initiated these activities are in the right, again without knowing the circumstance.
-