Contributed May 14, 2001 by Kalash Mohan

Email System Audit Guidelines

1. Understand who is authorized to receive and send documents and messages through e-mail. Determine whether the use of e-mail is required by the job function.

2. Ascertain whether a policy has been established. This should include who should have e-mail access, i.e. the job levels, grades and titles of jobs.

3. Inquire whether the e-mail system allocates a default password to new users based on their initials. This should be discouraged. As with all system controls, there should be a process that allows (and requires) the user to change their password upon first log-on.

4. Find out whether the e-mail system requires both a user ID and a password to access it.

5. Determine if passwords are changed periodically.

6. Inquire how e-mail documents are printed; this should be on authorized printers only.

7. Determine how long e-mails reside on the server. Standard practice is 2 weeks.

8. Ensure that security controls prevent an employee from getting into other users' e-mail message boxes.

9. By taking a sample of received and sent mail, verify that employees are not using it for personal purposes.

10. Inquire whether critical messages can be encrypted.

11. Ensure that access to the e-mail system is separate from access to other systems (i.e. applications and databases).

12. Evaluate whether the e-mail network is vulnerable to viruses, worms and other kinds of security threat.

NOTE: Ensure that anti-virus programs are enabled to scan e-mail attachments, particularly for worms.

Bottom line, it all boils down to the e-mail policy and how effectively it has been enforced.

Controls over electronic mail:

1. Implement a privacy and e-mail policy. There should ideally be an e-mail usage agreement.

2. Use the Pretty Good Privacy (PGP) security program (encryption).

3. Implement standards such as Privacy Enhanced Mail.