
How to Conduct an Email System Security Audit

Use of email for communicating is so standard that most users take its security for granted. You may assume that since you have your own password, and the email service provider uses encryption, your data is safe. But have you conducted a security audit to determine how vulnerable your communications may be to hacking?


Internal and External System Audits

There are two approaches to conducting audits – internal and external. In an internal audit, you and/or a team of in-house personnel you assign perform an analytical risk assessment and review of your current system, looking for protection vulnerabilities. An external audit, which is generally more costly but may be more thorough, involves outsourcing to a professional auditor or audit team, who conduct a comprehensive review of your system based on the latest intelligence on cybercriminal access methods and known software/application vulnerabilities. Regardless of whether your audit is internal or external, audits should be conducted on a recurring schedule to maintain system integrity and to quickly discover and mitigate any functional abnormalities or negative changes in the health of your system.


Security audits may also be conducted manually or using automation. A manual audit may be more time consuming but can be effective if conducted using an organized and thorough analysis approach and if the results are carefully logged for subsequent review. A number of automated tools are also available to assist with system security audits. These tools implement a set of checks and balances that monitor information processing, flag abnormalities or improper procedures, and log results into usable reports, all on a continuing basis. Additionally, automated tools can be used, for example, to warn users against unsafe website access, to restrict user access to specific servers, folders, and files, and to flag and log attempted access events.


In advance of conducting an audit, you should have a set of compliance measures and standard operating procedures already in place so that your auditing system has protocols to reference in determining non-compliance or error.


Conducting Your Email System Audit

  1. Ensure that your email system software is installed correctly and managed by a designated and certified system administrator or certified technical administration team to monitor system and firewall performance, install software, patches, and updates, provide helpdesk services, troubleshoot issues, and resolve functional problems. System administration sometimes requires at least one technician, usually the senior administrator, to have a “god account” – password knowledge and/or access to all accounts on your system for purposes of software maintenance, updates, and troubleshooting support. If god accounts are permissible, complete trust and confidence in your system administrator(s) is essential for your system to function securely and not be subject to insider threat.

  2. Design and implement an education program to ensure that the personnel assigned to audit your system are well versed in the latest software/application vulnerabilities and intrusion methods and all system users are fully trained and knowledgeable of your standard operating procedures. Your audit should include recertification on at least an annual basis.

  3. Restrict access to physical system and network equipment such as file servers to only those with designated permission. Your audit should review access logs to ensure no inappropriate access has been attempted or achieved.

  4. If your system were to be breached, how much would it cost you in time, money, and effort to restore your operations? Conduct a thorough review of your email system to determine who is using your system and how it is being used. Compile a risk assessment to predict vulnerability scenarios and set up mitigation plans for any vulnerabilities discovered.

  5. Based on your risk assessment, create and disseminate policies to your personnel governing transfer of proprietary, confidential, or otherwise sensitive information using email and enforce adherence to these guidelines. Ensure your system users are well-trained to recognize phishing and other malware attempts.

  6. Ensure your email system has multi-level encryption and enforce the use of strong passwords, safe storage of passwords, and periodic password regeneration. Be sure to remove email accounts for personnel no longer employed or accounts no longer in active use.

  7. Conduct regularly scheduled email system audits, review reports for areas to improve functionality and security, and maintain cognizance of new hacking trends, software vulnerabilities, and application updates. Ensure that your system users continue to adhere to safe email practices and disseminate alerts when any known breach attempts occur.
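As an added example (not part of the original article or of any product it mentions), the following Python script performs the record-review portion of steps 3 and 6 above: it flags mailbox accounts belonging to departed personnel or left dormant, and it flags attempted or unauthorized access in a file-server access log. The account names, host name, log line format, authorized-user list and 90-day dormancy threshold are all constructed assumptions.

```python
from datetime import date

# Constructed mailbox inventory (not real data): account, still employed?, last login date
ACCOUNTS = [
    {"user": "alice",      "employed": True,  "last_login": "2024-05-20"},
    {"user": "bob",        "employed": False, "last_login": "2024-01-10"},  # has left the company
    {"user": "carol",      "employed": True,  "last_login": "2023-09-01"},  # dormant account
    {"user": "svc-backup", "employed": True,  "last_login": "2024-05-29"},
]

# Constructed file-server access log (assumed format: timestamp user host ALLOW|DENY)
ACCESS_LOG = """\
2024-05-28T08:01:12 alice fileserver01 ALLOW
2024-05-28T22:14:03 bob fileserver01 DENY
2024-05-29T01:07:44 bob fileserver01 DENY
2024-05-29T09:30:00 dave fileserver01 ALLOW
"""

AUTHORIZED = {"alice", "svc-backup"}   # users with designated permission (assumed)
AUDIT_DATE = date(2024, 6, 1)          # date the audit is run (assumed)
DORMANT_DAYS = 90                      # dormancy threshold (assumed policy value)


def stale_accounts(accounts, audit_date=AUDIT_DATE, dormant_days=DORMANT_DAYS):
    """Step 6: list accounts that should be removed, with the reason."""
    findings = []
    for acct in accounts:
        idle = (audit_date - date.fromisoformat(acct["last_login"])).days
        if not acct["employed"]:
            findings.append((acct["user"], "departed personnel"))
        elif idle > dormant_days:
            findings.append((acct["user"], f"no login for {idle} days"))
    return findings


def access_findings(log_text, authorized=AUTHORIZED):
    """Step 3: list denied (attempted) access and access achieved without permission."""
    findings = []
    for line in log_text.splitlines():
        ts, user, host, result = line.split()
        if result == "DENY":
            findings.append((ts, user, host, "attempted access denied"))
        elif user not in authorized:
            findings.append((ts, user, host, "access achieved without designated permission"))
    return findings


if __name__ == "__main__":
    for finding in stale_accounts(ACCOUNTS) + access_findings(ACCESS_LOG):
        print(finding)
```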


Remember that email can be an incredibly valuable and useful asset for your business, but it can also be a lucrative target and entry point for cybercriminals to shut you down and steal your assets. Ensure that you never take the safety and security of your email system for granted.


And for real peace of mind regarding the security of your email system, use Gold Comet Secure Messaging. Our patented 256-bit encryption system offers a multi-layered authentication process for access, and no god accounts are allowed.

