Internal Controls to Examine When Auditing Backend Operations of Messaging Systems
Establishing proper access controls, e-mail archiving, and antivirus safeguards can help organizations move closer toward a secure messaging system.
The ability to communicate effectively and efficiently is a critical component in running a successful organization. To meet this need, organizations rely on some form of electronic messaging or e-mail. For some organizations, losing this resource for a few hours can impact productivity, while for others, minutes without it can result in significant financial losses. Businesses rely on e-mail for everything from discussing important issues and scheduling meetings to corresponding with clients and distributing vital information. In addition, electronic evidence now plays a major role in regulatory investigations and court cases. These factors have elevated e-mail to the level of a critical corporate asset. A company's messaging system should be audited regularly to ensure that proper controls are in place.
There are different kinds of messaging systems, each with its own unique attributes; therefore, the information presented here is intentionally generic so that it is as universally applicable as possible. All messaging systems consist of a front-end component, the e-mail client, and a backend component: the messaging server and other parts not visible to the e-mail users. To help mitigate risk in the organization's communication infrastructure, IT auditors should assess backend messaging operations and the corresponding policies and procedures for compliance with best practices. This article discusses controls over access to messaging systems, e-mail archiving, and spam filters.
MONITORING E-MAIL CONTENT AND ACCESS
Most chief information officers realize that even with Web filters and firewalls, monitoring an organization's corporate messaging system is necessary to control the risk of security breaches, litigation, and other electronic disasters. These controls not only keep attackers from stealing information from corporate systems, but are also required, in some instances, to monitor what employees are sending to other employees or outside of the company. For instance, a financial services organization may be required to monitor messages sent by employees to ensure that they do not violate insider trading laws or regulations, such as those set forth by New York Stock Exchange Rule 342 and National Association of Securities Dealers Rule 3010, which specify that securities firms have a procedure for supervising electronic communication. Firms should also monitor the communication between their employees and customers so that proper language is used and no unrealistic promises are made.
To comply with these regulations, there should be a monitoring tool so that the e-mail and instant messaging of specific people can be supervised periodically or as needed. Auditors should review the configuration of any supervisory application. How are the people to be supervised selected? Who conducts the supervision, and how are they monitored to ensure that they are actually supervising the e-mail? To verify that the message selection criteria are working, run some sample messages through the system to confirm that they are correctly detected.
An inherent risk of messaging systems is that messaging administrators have the potential to read the e-mails of users and learn information from which they are restricted, because they have access to accounts that have system administration level rights. It is important that all administrator access is closely monitored. Organizations should maintain a documented list of messaging administrators that delineates their roles, responsibilities, and access to the messaging system. The systems group should provide an entitlement report of current administrator rights and privileges. The auditor should take a sample of administrators and confirm that the correct access is in place and that the access specified in the access document is consistent with the segregation of duties defined by the organization's IT policy. Standard industry best practices can be used to evaluate procedures; for example, there should be maker/checker roles, messaging developers or architects should not have change access to production, and so on. In addition, system accounts should be created for specific tasks. Table 1 shows some examples:
Auditors should examine the log report of the messaging system; data mining scripts can be used to verify that the different operational accounts are not used for local login without a specific trouble ticket to justify it. Use of the various system task accounts should be checked against change management for correlation. The auditor should scan the access logs for the dates on which the support_account was used, and then compare them to the dates on the change request forms to see whether they are close. Any exceptions should be explained. The system account, which has super user rights to the messaging system, should not be used by anyone, and the systems group should show evidence that there is a periodic review of the activity of this account.
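The correlation described above, as an added example that is not part of the original article: a small data-mining script that matches task-account logins in a constructed access log against change tickets and flags logins with no nearby ticket, plus any interactive use of the super user account. The log format, the account names, and the four-hour matching window are assumptions for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample access-log lines (hypothetical format: timestamp, account, event, host).
ACCESS_LOG = """\
2009-03-02T09:15:00 support_account LOGIN mailsrv01
2009-03-02T23:40:00 support_account LOGIN mailsrv02
2009-03-05T14:05:00 system LOGIN mailsrv01
2009-03-09T10:30:00 support_account LOGIN mailsrv01
"""

# Constructed change-request records: ticket id, scheduled change start, description.
CHANGE_REQUESTS = [
    ("CR-1001", "2009-03-02T09:00:00", "Apply mail server patch"),
    ("CR-1002", "2009-03-09T10:00:00", "Rebuild mailbox store index"),
]

TASK_ACCOUNTS = {"support_account"}   # accounts that exist only for change work
SUPERUSER_ACCOUNTS = {"system"}       # must never be used for interactive login
WINDOW = timedelta(hours=4)           # assumption: a login within 4h of a ticket start is "close"

def parse_log(text):
    """Turn the raw log text into (timestamp, account, event, host) tuples."""
    events = []
    for line in text.splitlines():
        ts, account, event, host = line.split()
        events.append((datetime.fromisoformat(ts), account, event, host))
    return events

def correlate(events, change_requests, window=WINDOW):
    """Return (matched, exceptions): task-account logins tied to a ticket,
    and logins the auditor must ask the systems group to explain."""
    tickets = [(cid, datetime.fromisoformat(start), desc) for cid, start, desc in change_requests]
    matched, exceptions = [], []
    for ts, account, event, host in events:
        if event != "LOGIN":
            continue
        if account in SUPERUSER_ACCOUNTS:
            exceptions.append((ts, account, host, "superuser account used interactively"))
            continue
        if account in TASK_ACCOUNTS:
            near = [cid for cid, start, _ in tickets if abs(ts - start) <= window]
            if near:
                matched.append((ts, account, host, near[0]))
            else:
                exceptions.append((ts, account, host, "no change ticket within window"))
    return matched, exceptions
```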
BACKUP AND RESTORE
E-mail archiving has become an important part of organizations' document retention policies because of recent court cases where companies have been ordered to produce e-mail messages. Capturing e-mail communications is also crucial for compliance with legislative requirements and industry regulations. Perhaps most important, the organization must ensure that it has sufficient data backups to recover from a catastrophe. Without strong data retention policies, organizations may not be able to resume operations after a serious disruption.
Even without regulatory retention periods, e-mail is such an integral part of business communications and operations that there must be adequate messaging system backup policies and procedures or service level agreements (SLAs) in place. Auditors should first examine the SLA and find out whether the organization's backup schedule is consistent with its requirements. If the SLA specifies a recovery time, for example, that mail will be recovered in two hours, then current backups should be stored onsite. If the SLA states that mail can be recovered to the hour before failure, then the systems group should show evidence that the mail is being backed up every hour. If the backup system fails, then another backup must be done immediately. The auditor should examine what is done in case of backup failures. Is there an escalation tree? Are the data owners informed?
If the organization has no SLA (as with a small or midsized company), the auditor should interview the data owners and find out what their expectations are for data recovery. The auditor should examine critical business operations and check what role the e-mail system has in the process execution. If the e-mail system is down for two hours, is there a potential cost to the company? By examining the defined risk amount thresholds in the company operational risk report to determine if the cost falls in the high- or medium-risk category, the auditor will be able to determine whether the organization is at risk by not having an SLA. Also, if the expectation of the data owners is that e-mail will be restored in four to six hours, find out if that has been communicated to the e-mail administrators.
The entire messaging system should be restored periodically to test the reliability of the backup procedure. If the restore is taking longer than the SLA specifies, the business should be informed or changes should be made to the backup architecture. The systems group should provide a report to the auditor showing that the e-mail backup is periodically restored in the lab to prove the integrity of the backup process. The restore time should be consistent with that stated in the SLA.
For companies that don't have an SLA, it is important to have some kind of signed agreement between IT and the business regarding when data will be restored. The agreement should provide appropriate expectations from management and be included in the recovery plans of the business.
E-MAIL RECORDING AND DATA RETENTION
In the past, messaging system users could delete e-mail after reading or sending it, or move e-mail to offline storage systems, and at the end of the day, the only data that was backed up was the e-mail left in the mailbox. Companies often used this as an excuse for not producing e-mails requested by the courts. Recent legal developments, however, have redefined the retention of electronic communication. U.S. Securities and Exchange Commission Rule 17a-4, NASD Rule 3110, NYSE Rule 440, and Commodity Futures Trading Commission Rule 1.31 all address data retention periods for books and records. E-mail and instant messaging both fall under this category.
Auditors should find out whether the systems group has a process in place for recording each e-mail that is sent or received, regardless of whether it is later deleted. Companies should request this feature from their messaging vendor; there are also vendor tools for this specific task. If there is no process in place, the auditor should find out from the legal department what risks the company faces. Each business has its own data retention specifics from its regulators, but even for companies outside regulation, it is good practice to implement a policy on data retention. Auditors should review the data retention policy and make sure it is consistent with regulatory requirements.
Because key business operations may depend upon e-mail delivery to complete transactions, it is important to define mail delivery expectations and track results. Groups within the business may use e-mail to ensure timely and efficient communications with customers with the expectation that the customer receives the message within seconds. This is not always the case, however, because of the e-mail system's configuration or the vagaries of the Internet.
The SLA should specify the expected delivery time for e-mail. For instance, "Mail will be delivered in a maximum of fifteen minutes, all things being equal." There should be a periodic report showing the average mail delivery (AMD) time; this report should be sent to the business for sign-off. If the AMD exceeds the time specified in the SLA, there should be an exception report. The e-mail administrator should supply the auditor with a report showing that e-mail delivery was tested and that the SLA is still valid. There may also be a daily report produced by the e-mail administrators. Using statistics, the auditor can find the mean value over a period. If it is consistently above the SLA time, an explanation should be obtained from the e-mail administrator.
For companies that do not have an SLA specifying delivery time, there should still be a periodic report from the e-mail administrator to the business showing AMD so that there are appropriate expectations. The auditor should check to see if there are any business processes that depend on prompt e-mail delivery. For instance, if customer orders are received via e-mail, what would be the cost to the company if it takes four hours to deliver e-mail? This kind of information will help the auditor determine if the lack of an SLA or of monitoring e-mail delivery times should be flagged as an audit issue.
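The AMD report and exception report described in the two paragraphs above, as an added example that is not part of the original article: it computes per-day average delivery time from a constructed delivery log, flags days whose AMD exceeds the SLA (the article's fifteen-minute example), and lists the individual slow messages the auditor would ask the administrator to explain. The log format is an assumption for the illustration.

```python
from collections import defaultdict
from datetime import datetime

SLA_MINUTES = 15  # the article's example SLA: delivery within fifteen minutes

# Constructed delivery log: message id, time accepted at the gateway, time delivered to the mailbox.
DELIVERY_LOG = """\
msg001 2009-03-02T09:00:00 2009-03-02T09:02:30
msg002 2009-03-02T10:15:00 2009-03-02T10:20:00
msg003 2009-03-02T16:40:00 2009-03-02T17:30:00
msg004 2009-03-03T08:05:00 2009-03-03T08:06:00
msg005 2009-03-03T11:00:00 2009-03-03T11:04:00
"""

def parse_delivery_log(text):
    """Return (message id, accepted time, delivery latency in minutes) per message."""
    rows = []
    for line in text.splitlines():
        msg_id, accepted, delivered = line.split()
        t0 = datetime.fromisoformat(accepted)
        t1 = datetime.fromisoformat(delivered)
        rows.append((msg_id, t0, (t1 - t0).total_seconds() / 60))
    return rows

def amd_report(rows, sla_minutes=SLA_MINUTES):
    """Per-day AMD in minutes, the days that breach the SLA, and the overall mean."""
    per_day = defaultdict(list)
    for _, accepted, minutes in rows:
        per_day[accepted.date().isoformat()].append(minutes)
    report = {day: sum(v) / len(v) for day, v in sorted(per_day.items())}
    exceptions = [day for day, amd in report.items() if amd > sla_minutes]
    overall = sum(m for _, _, m in rows) / len(rows)
    return report, exceptions, overall

def slow_messages(rows, sla_minutes=SLA_MINUTES):
    """Individual messages over the SLA, for the explanation the auditor requests."""
    return [msg_id for msg_id, _, minutes in rows if minutes > sla_minutes]
```

Note that a day can breach the SLA on average because of a single very slow message, so the per-message list is what tells the auditor whether the problem is systemic or an isolated routing delay.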
SPAM DETECTION AND ANTI-VIRUS SOFTWARE
E-mail spam, or unwanted and unsolicited messages, has increased exponentially so that it now makes up 80-90 percent of all e-mail received by companies. These messages may contain viruses, worms, spyware, or any number of more sophisticated hacking methods, which have made the management of organizational e-mail such a risky business.
Auditors can help mitigate these risks by first making sure that there is a spam filter between the Internet gateway and the messaging system. This serves to remove most of the "junk" mail sent to the business users. The auditor should test the effectiveness of the application by obtaining the detection logic from the e-mail administrator and sending several test messages to see whether they are detected. Spam senders change their methods daily, so the spam logic should be updated frequently. There should be a monthly metrics report sent to the business showing the effectiveness of the spam filter. The auditor should verify this report against the help desk logs to see whether there is a correlation with the number of calls about spam-related problems.
There should be an antivirus tool on every messaging server to check mail messages and attachments for virus-related issues. The auditor should test the detection logic by using sample virus messages. The configuration should be reviewed by the auditor — for example, he or she should check if the virus database is updated periodically, at least daily, due to the increasing number of virus-related problems. The auditor should also review the periodic metrics report demonstrating the effectiveness of the virus tool.
This article focuses on mitigating risk in backend operations of messaging systems by monitoring access, backing up data, and testing antivirus controls. A follow-up article, which will be featured in the next issue of ITAudit, will discuss other key controls of backend security, including messaging system documentation, file storage, and disaster recovery.
Ike Ugochuku is president of TLK Enterprise, an IT consulting firm. He has over 15 years' experience in the technology industry, working in areas such as IT risk assessment, systems design, integration, and infrastructure management. He has spent a significant part of his career on messaging systems, designing for global corporations, and reviewing and defining process controls to mitigate risks associated with e-mail systems.