Am I crazy what do you think.

ClmClm CISSP | CCSK | AWS x 4 | ITIL | Network+ | + MorePosts: 439Member ■■■■□□□□□□
I have a friend who is the COO of a small non profit he just started this position and one of his first agenda points is there IT Service contract they Out source all IT actions to a MSP and have had a-lot of issues. A major one for him is He recently had his O 365 Admin access revoked by the MSP he didn't break anything he was looking for old emails from his predecessor and others to catch up with work the MSP refuses to restore his access and consistently says they wont because they believe he shouldn't have it.

He is upset and I agree with him a Service provider cant just lock a client out of there systems there needs to be a accountability the msp constantly fails to meet SLA and refuse to service after 3pm EST we are MST. They have poor customer service he is talking to the CEO about bringing me on as the CIO in a part time capacity the MSP was providing that service but the non profit is extremely dissatisfied.

Do you think that im overreacting???

Ive worked in a MSSP before and we could never get away with stuff like this

Environment is 2 servers 44 workstations a few cloud apps.
I find your lack of Cloud Security Disturbing!!!!!!!!!
Connect with me on LinkedIn https://www.linkedin.com/in/myerscraig


Comments

  • TechGromitTechGromit A+, N+, GSEC, GCIH, GREM, Ontario, NY Posts: 1,888Member ■■■■■■■□□□
    While normally looking at emails of other employees is a big no-no, technically management has the right to do so, if it's stated in the company policies. If so, him as a Operating officer, he should have that access. Now if no policy was in place explicitly stating this before, this is where things can get sticky. I suggest he contract his companies lawyers for legal advice on this. As for the MSP, I think it would depend on whether or not the COO has the right to look at the emails according to company policy, They could very well just protecting themselves legally by preventing an unauthorized user to access other employees email accounts.
    Still searching for the corner in a round room.
  • ClmClm CISSP | CCSK | AWS x 4 | ITIL | Network+ | + More Posts: 439Member ■■■■□□□□□□
    They don't have a specific policy stated either way but the CEO gave him full control over all IT aspects. The issue to me is that the email and everything in O365 is company property the COO is second in charge and IT falls under his control so how can a service provider who is a third party contractor tell the business owner no to there own property.
    I find your lack of Cloud Security Disturbing!!!!!!!!!
    Connect with me on LinkedIn https://www.linkedin.com/in/myerscraig


  • ecuisonecuison CISSP, CCSP, TOGAF v9 Certified, Security+, Network+ Posts: 122Member ■■■□□□□□□□
    I look at it from a seperation of duties standpoint. At that level, your friend may be authoritative from a paper trail standpoint of authorization and usage of the SaaS environmnet as being a C-level exec that makes managment decisions, however, depending on what functions and abilities he has having "admin" level access, it would probably be in his best interest to delegate that level of work to the admins and request what he needs from them as opposed to doing that himself.

    I'm not saying he is incompetent, but people at that level best leave the operational work to those that was delegated to. Now of course, the contact for the MSP should be looked at as working with an MSP usually means, the MSP does as the client states per the contract. If your friend needs that access and it is required in the contract, then he should have it.

    From the MSP standpoint, they would be liable if they didn't follow the details in the contract as well as not adhering to the SLA's stated. But from the sound of things, it looks like you should be looking at other potential MSP's is this one isn't working well to deliver the business value.

    I work for a non-profit and we are very rigorous with our MSP contracts as well as adhering to those stipulations within.

    Just my 2 cents.
    Accomplishments: B.S. - Business (Information Management) | CISSP | CCSP | TOGAF v9.2 Certified | Security + | Network +
    In the 2019 Pipline: CRISC, AWS Certified Solutions Architect - Associate, Masters in Cybersecurity
  • yoba222yoba222 Posts: 960Member ■■■■■■□□□□
    The MSP not meeting their SLAs is a separate issue that definitely should be dealt with.

    But the COO snooping through old emails using admin rights so he can learn more about his predecessors and the job role on the premise that email is company property -- Wow.

    I'm surprised the MSP didn't declare a security incident--but it sounds like they need work too.

    Forensic investigations aside, C-suites don't get special, magic admin rights to whatever because they think they should and your friend's actions demonstrate why. Uber C-suites and God Mode demonstrate why, taken to abuse levels.
    Obtained: A+ | Network+ | Security+ | CySA+ | PenTest+ | CAPM | eJPT | CCNA R&S | CCNA CyberOps | GCIH | LFCS
    2019: Virtual Hacking Labs then OSCP
  • ClmClm CISSP | CCSK | AWS x 4 | ITIL | Network+ | + More Posts: 439Member ■■■■□□□□□□
    Every org i have ever been in have always kept accounts so that managers could go back in to the emails later now just to snoop but to gain information from past conversations so how would it be a security incident?

    employees shall have no expectation of privacy in anything theystore, send or receive on the company’s email system.
    I find your lack of Cloud Security Disturbing!!!!!!!!!
    Connect with me on LinkedIn https://www.linkedin.com/in/myerscraig


  • TechGromitTechGromit A+, N+, GSEC, GCIH, GREM, Ontario, NY Posts: 1,888Member ■■■■■■■□□□
    Clm wrote: »
    They don't have a specific policy stated either way but the CEO gave him full control over all IT aspects. The issue to me is that the email and everything in O365 is company property the COO is second in charge and IT falls under his control so how can a service provider who is a third party contractor tell the business owner no to there own property.

    I think your missing my point, there was no explicit company policy stating management has the right to look at employees email, then former employees can assume that all there email is private and not subject to the company violating that privacy. You can't just say that I'm making a new company policy and have it apply to all former employees. That be like the government passing a no one is allowed to have tattoos and if you got them before this law was enacted, then your guilty of this new crime.

    In short the COO can dictate a new company policy that there no expectation of privacy when it comes to employees using company email, and it would apply to all employees email going forward, but NOT to emails that were sent in the past. That's invasion of privacy lawsuit territory. The service provider was well within there right to take away this guys admin access. The notice has to be clearly stated, usually when user log on to the system. A judge would have to issue a court order for a good reason to allow access to a specific employees email at this point. If it became publicly known this guy was reading private emails, CEO or not, it's potentially a huge Lawsuit liability for the company.
    Clm wrote: »

    employees shall have no expectation of privacy in anything they store, send or receive on the company’s email system.

    This has to be explicitly stated, it's not a blanket policy that applies automatically to all employees at all companies.

    The short answer to your question is yes, you are Crazy is you believe the COO has unrestricted access to former employee's private emails.
    Still searching for the corner in a round room.
  • ClmClm CISSP | CCSK | AWS x 4 | ITIL | Network+ | + More Posts: 439Member ■■■■□□□□□□
    TechGromit wrote: »
    I think your missing my point, there was no explicit company policy stating management has the right to look at employees email, then former employees can assume that all there email is private and not subject to the company violating that privacy. You can't just say that I'm making a new company policy and have it apply to all former employees. That be like the government passing a no one is allowed to have tattoos and if you got them before this law was enacted, then your guilty of this new crime.

    In short the COO can dictate a new company policy that there no expectation of privacy when it comes to employees using company email, and it would apply to all employees email going forward, but NOT to emails that were sent in the past. That's invasion of privacy lawsuit territory. The service provider was well within there right to take away this guys admin access. The notice has to be clearly stated, usually when user log on to the system. A judge would have to issue a court order for a good reason to allow access to a specific employees email at this point. If it became publicly known this guy was reading private emails, CEO or not, it's potentially a huge Lawsuit liability for the company.



    This has to be explicitly stated, it's not a blanket policy that applies automatically to all employees at all companies.

    The short answer to your question is yes, you are Crazy is you believe the COO has unrestricted access to former employee's private emails.


    I’ll concede that I might be crazy but not for this.
    Can you show me any cases where a compliantant successful made that case. Everything I have read shows the courts siding with the employer and viewing the emails as company property and as long as the company has a business cause it’s allowable

    if the leadership was snooping just to snoop I could see that part.

    If anyone can chime in it will be greatly appreciated I want to help them best I can
    I find your lack of Cloud Security Disturbing!!!!!!!!!
    Connect with me on LinkedIn https://www.linkedin.com/in/myerscraig


  • paul78paul78 Posts: 3,013Member ■■■■■■■■■■
    Just my two cents - but I personally find the COO's actions to be distasteful. Granted, in the US, the organization could claim a legitimate business reason. But IMO - going through emails to "catch up" and get a sense of the organization demonstrates poor judgement and leadership.

    That said, I'm not aware of any case law in the US where snooping on work emails which is on the business's infrastructure has tested. To my knowledge, the line is broken only if the employer reaches into the employees personal messages.

    However, in other jurisdictions where privacy is considered a human right unlike the US, the case law most commonly cited on the topic can be found here - https://www.echr.coe.int/Documents/Press_Q_A_Barbulescu_ENG.PDF
  • 10Linefigure10Linefigure CCNP R&S, Security+ USAPosts: 366Member ■■■□□□□□□□
    paul78 wrote: »
    Just my two cents - but I personally find the COO's actions to be distasteful. Granted, in the US, the organization could claim a legitimate business reason. But IMO - going through emails to "catch up" and get a sense of the organization demonstrates poor judgement and leadership.
    ^ You know thats right.
    CCNP R&S, Security+
    B.S. Geography - Business Minor
    MicroMasters - CyberSecurity
    Professional Certificate - IT Project Management
  • LonerVampLonerVamp OSCP, GCFA, GWAPT, CISSP, OSWP, CCNA Cyber Ops, Sec+ Posts: 314Member ■■■■□□□□□□
    This is a small non-profit. Doesn't sound like a large company. So, in my opinion, some of the practices of a large company should go out the window here. For all we know, this company has 50 employees and the C-level is the technical dude on site.

    If this COO is the one who cuts a check to the MSP, the MSP should be doing what he wants and give him access.

    edited to add: I don't see anywhere that the COO is going through emails from other users. I only see his predecessor being mentioned? That's not a necessarily uncommon occurrence in the US. Especially when it concerns contracts or vendor/customer contact and communications/promises, etc.

    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, CCNA Cyber Ops, Sec+
    2019 goals: GWAPT, Linux+, SLAE (possible: SEC573, CCSP, Splunk F&PU)
  • JoJoCal19JoJoCal19 California Kid Posts: 2,772Mod Mod
    I've worked at a couple of Fortune 50 financial firms and it is common practice for management to submit a formal request for access to the email of a leaver (at one company my team was the one who granted the access). Most often it was when an employee was terminated so that management can find what all the person was working on and assign out work or respond accordingly. Of course in these situations the email was was internal Exchange so no issues requesting and granting access. And of course being such large companies they have the obvious disclaimers about no right to privacy and all work and communications belonging to the company. So no gray areas there. Maybe it's because most of my work has been for large corporations where it's commonplace, but I'm a little surprised that people act like they're surprised this practice happens.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, CEHv8, CHFIv8, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up:​ OSCP
    Studying:​ Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • DatabaseHeadDatabaseHead CSM, ITIL x3, Teradata Assc, MS SQL Server, Project +, Server +, A+, N+, MS Project, CAPM, RMP Posts: 2,453Member ■■■■■■■■■□
    I think it's really strange they won't give the COO admin access.
  • ITHokieITHokie GXPN | GPEN | GCIH | GPYC | CISSP | CEH | MCSE | CCNA | Others Posts: 158Member ■■■■□□□□□□
    I don't really deal with MSPs, but their response seems out-of-bounds unless the contract/MSA restricts admin access in some way. Email content itself belongs to the org, so it's their prerogative to do with it what they want. My guess is we don't know the full story.
  • ITHokieITHokie GXPN | GPEN | GCIH | GPYC | CISSP | CEH | MCSE | CCNA | Others Posts: 158Member ■■■■□□□□□□
    paul78 wrote: »
    That said, I'm not aware of any case law in the US where snooping on work emails which is on the business's infrastructure has tested. To my knowledge, the line is broken only if the employer reaches into the employees personal messages.

    Even if there were legal issues pertaining to employers accessing current or former employee email accounts, I'm unsure how an MSP would have the standing to enforce or adjudicate the particulars.
  • paul78paul78 Posts: 3,013Member ■■■■■■■■■■
    ITHokie wrote: »
    Even if there were legal issues pertaining to employers accessing current or former employee email accounts, I'm unsure how an MSP would have the standing to enforce or adjudicate the particulars.
    Agreed. The MSP would not have the right to do so - that wasn't my point. The stance from the MSP is somewhat bizarre but who knows what really happened and I'm sure there's a bit more to it.
    JoJoCal19 wrote:
    I've worked at a couple of Fortune 50 financial firms and it is common practice for management to submit a formal request for access to the email of a leaver (at one company my team was the one who granted the access). Most often it was when an employee was terminated so that management can find what all the person was working on and assign out work or respond accordingly. Of course in these situations the email was was internal Exchange so no issues requesting and granting access. And of course being such large companies they have the obvious disclaimers about no right to privacy and all work and communications belonging to the company. So no gray areas there. Maybe it's because most of my work has been for large corporations where it's commonplace, but I'm a little surprised that people act like they're surprised this practice happens.
    Likewise - you may recall that my own background is in financial services. You probably also know that communications monitoring in certain financial services segments is mandated to detect insider trading and inappropriate customer solicitations. But that monitoring is typically automated and doesn't result in management access to employee mailboxes. And if an investigation is warranted, there is typically a process that involves legal support. As head of security at several of financial services companies, I have never ever approved access to an employee mailbox for a manager simply because an employee leaves. Frankly, it's just not worth it. A manager that needs access to an employee's mailbox because the manager needs to know what work that employee was doing is a manager that is not managing the team. Email is not a project management tool or a contracts database. That's just a bad excuse from a line manager. If the employee was involuntarily separated, I have even less sympathy since that manager should have prepared for the separation by understanding the work of the employee. Typically, what I would approve is to have future inbound emails forwarded to the manager. If there is something in the mailbox that really needs to be retrieved, then I would approve having the forensics team perform a keyword search on the mailbox to extract a specific email or set of emails.

    I would never risk having some manager (and I don't care if that manager is the CEO) learn of some private detail of an employee's personal affair and repeating it. Or risk an accusation from an employee that the company violated some right - especially in a cross-border situation if the employee was a resident/citizen outside the US where privacy rights are stronger.

    Sorry folks about derailing the conversation. Back to the point of the MSP withholding access - personally I would just fire the MSP and be done with it.
  • JoJoCal19JoJoCal19 California Kid Posts: 2,772Mod Mod
    paul78 wrote: »
    Likewise - you may recall that my own background is in financial services. You probably also know that communications monitoring in certain financial services segments is mandated to detect insider trading and inappropriate customer solicitations. But that monitoring is typically automated and doesn't result in management access to employee mailboxes. And if an investigation is warranted, there is typically a process that involves legal support. As head of security at several of financial services companies, I have never ever approved access to an employee mailbox for a manager simply because an employee leaves. Frankly, it's just not worth it. A manager that needs access to an employee's mailbox because the manager needs to know what work that employee was doing is a manager that is not managing the team. Email is not a project management tool or a contracts database. That's just a bad excuse from a line manager. If the employee was involuntarily separated, I have even less sympathy since that manager should have prepared for the separation by understanding the work of the employee. Typically, what I would approve is to have future inbound emails forwarded to the manager. If there is something in the mailbox that really needs to be retrieved, then I would approve having the forensics team perform a keyword search on the mailbox to extract a specific email or set of emails.

    I would never risk having some manager (and I don't care if that manager is the CEO) learn of some private detail of an employee's personal affair and repeating it. Or risk an accusation from an employee that the company violated some right - especially in a cross-border situation if the employee was a resident/citizen outside the US where privacy rights are stronger.

    At one of the financial firms I worked I was in charge of the risk management function for an entire LOB, and part of that was handling the comms monitoring for entire line of business. While the DLP product did handle some upfront scrubbing, there was still manual review, which I did. In reading through emails and attachments obviously I came across sensitive health, financial, and other information. I was put in that position as I was highly trusted by exec management, and it's on companies to delegate those duties to people who can be trusted. As far as the risk of a manager learning of private details, it doesn't matter. Not only are there notices about no right to privacy and all communications being monitored, but part of the AUP is not using work technology for any personal use or communications. Obviously people do it, so that's where the respective right to privacy notice comes in. And again, there's also notices that all communications, documents, etc all belong to the company.

    Edit to add: I only handled US based employees in my LOB. Employees in EMEA, APAC and LATAM all had their own policies and procedures, like you mentioned privacy laws are more stringent in some areas overseas.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, CEHv8, CHFIv8, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up:​ OSCP
    Studying:​ Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • paul78paul78 Posts: 3,013Member ■■■■■■■■■■
    @JoJoCal19 - what you described is different than what I object to. It sounds like in your organization, there's upfront thinking of what the organization is trying to detect and prevent. And the implementation is consistent and narrow. And there is a formal process in place where the manual review are part of normal investigation. It's the right way to do it.
  • infosecsinfosecs Posts: 48Member ■■□□□□□□□□
    I think clm is missing a basic point - MSP is not a part of the company. If the email is handled by the company, sure they can allow someone to look at the past emails just as jojocal mentioned in his post. There has to be proper audit trails, permissions from CEO etc. so that it meets legal obligations.
    But MSP is a separate business entity, it needs to protect itself as well.
  • thomas_thomas_ CompTIA N+/S+/L+; CCNA R&S; CCNP R&S Posts: 861Member ■■■■■□□□□□
    infosecs wrote: »
    There has to be proper audit trails, permissions from CEO etc. so that it meets legal obligations.
    But MSP is a separate business entity, it needs to protect itself as well.

    This is what I was thinking. Get the CEO to sign a policy authorizing COO access to the mailbox(es). Give that policy to the MSP. If they refuse get the lawyers involved. Ideally, the lawyers would also review the policy granting the COO access the mailbox(es).

    My gut feeling is the MSP is a type of place which will try to hold the Office365 credentials hostage in order to stop the customer from going to another MSP.
  • ClmClm CISSP | CCSK | AWS x 4 | ITIL | Network+ | + More Posts: 439Member ■■■■□□□□□□
    infosecs wrote: »
    I think clm is missing a basic point - MSP is not a part of the company. If the email is handled by the company, sure they can allow someone to look at the past emails just as jojocal mentioned in his post. There has to be proper audit trails, permissions from CEO etc. so that it meets legal obligations.
    But MSP is a separate business entity, it needs to protect itself as well.


    The COO has the proper authorazation IT falls under his responsibility The CEO instructed the MSP to report to the COO. So what point am I missing ?

    And just to be clear there was no wide spread investigation or snooping in other accounts just the previous COO account. only thing i can possibly think they would have had a issue with is that the COO did reset a password for a employee after they escalated a ticket to him because the msp had not replied in two days (past SLA). thankfully the person was a volunteer who didnt require email everyday like a full time employee
    I find your lack of Cloud Security Disturbing!!!!!!!!!
    Connect with me on LinkedIn https://www.linkedin.com/in/myerscraig


  • yoba222yoba222 Posts: 960Member ■■■■■■□□□□
    Hmmm. This is a small non-profit isn't it. I think I have been approaching this too much from a large institutional mindset and see what you're saying now Cim.
    Obtained: A+ | Network+ | Security+ | CySA+ | PenTest+ | CAPM | eJPT | CCNA R&S | CCNA CyberOps | GCIH | LFCS
    2019: Virtual Hacking Labs then OSCP
  • Danbert1.0Danbert1.0 Posts: 5Member ■□□□□□□□□□
    I would definitely advise checking the SLA and how they are handling the contract.
Sign In or Register to comment.