Solved

Protect company confidential data when employee is on leave to set up his own company

Posted on 2015-02-23
6
103 Views
Last Modified: 2015-03-04
Hi

We have an employee who just handed in the notice of leaving. That person has access to company computer and laptop and also has usb drive with some of the data. He is using company's emails hosted on our Exchange 2003 server.
I need to be able to monitor/audit the information he is accessing and the emails he is deleting/forwarding. It would be good if I could wipe his laptop/smartphone remotely. Additionally, I need to be able to retain control over our data so he just doesn't walk away with it and doesn't do any damage.

I welcome all the ideas but would prefer checked and tested solutions.

Thank you
Tom
0
Comment
Question by:it10
6 Comments
 
LVL 76

Expert Comment

by:arnold
Comment Utility
Tom,

Auditing enabled on all document shares if your firm does not already using a document anagement system that records all access.

You should check with legal.  If the firm is not concerned, why are you?

Presumably, the firm has a legal framework ..............
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 167 total points
Comment Utility
Two words.

Gardening Leave.

Well three.. lawyers.

This is one of those things that IT should not be driving. If he has handed in his notice to start his own company then he should be escorted from the building.
Although it is probably too late. If there was anything he wanted he has already lifted copies of it and will not touch anything else while on notice.

Ultimately you are going to be limited on what you can do. While it is possible to audit access, particularly with Exchange you cannot do so at an item level. Furthermore you cannot audit an individual easily. Auditing is one of those things that needs to be planned carefully, otherwise you end up with a lot of lots (and I mean a LOT) which you cannot do anything with.

Simon.
0
 

Author Comment

by:it10
Comment Utility
Hi Simon

Luckily my customer understands the situation and the IT position a little bit more than I thought they will as I have just spoken to the MD and was informed that they are seeking legal advice. The point is that  they are fully aware that everything he needed he has already copied (probability of that is 99%). It is just the case of knowing the options I guess. I talked to the about the following:
* we can recover his deleted emails on exchange so we can review anything he was trying to hide
* we can remotely delete the files on his work laptop and his pc (I am using Logmein Pro)
* we can set the Deny permission on the files and folders he should not have access to
* we can limit his vpn access
Saying that, I was wondering if there is anything else I can do that I am not aware of?

Also, could you please answer the additional questions I have at the moment:
* what is the default policy on Exchange 2003 for keeping Deleted Items?
* can I set up auto forwarding of the sent items to somebody else? Maybe using rules in OWA?
* I would like to use Deny permission for minimising the possibility of the need to restore files from backup shall the employee turn nasty. Do you think that is a good idea?
* is there a permission to prevent user from deleting items while keeping the read/write access?

regards,
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 

Author Comment

by:it10
Comment Utility
Arnold, we only use standard/default auditing on the SBS 2003 file server. From my experience, this is not enough to record the access to the documents, is it?  
Can you give me few example of document management systems that record all access to files?

It is possible that we can use this situation as the lesson to improve the systems and put policies in place. I would appreciate any information which could make it all easier in the future.

regards,
0
 
LVL 11

Assisted Solution

by:andreas
andreas earned 167 total points
Comment Utility
You only can prevent data stealing if.

1. All emails outgoing are audited
2. Employees do not have access to any external mass storage such as usb drives or dvd burners
3. All files need to be saved encrypted and can only be encrypted with a smartcard. Users should not be able to save to unebcrypted files/folders.

So once you want an employee to block access you cancel his smartcard.
Unencrypted copies couldnt be saved b4.

And all outgoing mailings can be monitored. So you could check if employee sends out sensitive informations.

All other things leaves possibilities for leakage. Usually hostile employes on leaving will steal data of use in long run b4 they file leave notices. Once they file they already have what they need/want.

Remite deletion of laptops might not be sucessful if never conected online again.
He already might have images of the harddisk.

Smarthpone content can also be fully backuped if he jailbreaked\ rooted the device.

When employees are able to take files out during employment time you cant prevent stealing.

For current case cancel all logins of that employee and put him on paid leave until contract ends.
0
 
LVL 76

Assisted Solution

by:arnold
arnold earned 166 total points
Comment Utility
Most document management systems opentext ECM, documentum, alfresco.  Each document has to be checked out by the user. Alterations are maintain through versioning.

Trying to restrict now access to file the individual should have had rights to access is .....

Check a share on the sbs, check its properties, advanced, auditing tab, is there It enabled?

This enables the auditing on a file basis, you could enable auditing just for this user to any/all shares.  These events are recorded in the eventlog (security I believe) so you have to make sure it is large enough as well as .........

Splunk is a tool that can aggregate event log entries and is searchable, etc.
0

Featured Post

Why do Marketing keep bothering you?

Is your marketing department constantly asking for new email signature updates? Are they requesting a different design for every department? Do they need yet another banner added? Don’t let it get you down! There is an easy way to manage all of these requests...

Join & Write a Comment

Marketers need statistics and metrics like everybody else needs oxygen. In this article we explain how to enable marketing campaign statistics for Microsoft Exchange mail.
Following basic email etiquette rules will help you write a professional email and achieve a good, lasting impression with your contacts.
In this video we show how to create an Accepted Domain in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Ac…
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now