Tuesday, June 21, 2016

Report: Mendocino County employee email system has vulnerabilities

Mendocino County management allegedly has unrestricted access to employee email accounts, which the county grand jury says has led to abuses and creates an unnecessary liability.
The grand jury’s newest report released Friday afternoon chronicles county Information Technology “Policy 22,” adopted in 2003, which in part states the county has “an unlimited right to access any and all information and data stored on county owned, leased, or controlled computers, equipment or networks,” including email, according to the grand jury.
The manager of IT administers the county email system, known as “Unlimited Mailbox,” and has “super-user” access to the mail auditor function in the software. The grand jury said no employee can access the email of another employee without such super-user permissions or the employee’s password.
In the past, department heads and other management staff were able to gain access as a super-user by request for the purposes of monitoring or investigating whether employees in their department were using the system for work-related subjects, the grand jury report stated. Legal and common reasons for doing so were cited as monitoring whether an employee was job seeking with a county email account, shopping, harassing others, gambling, sharing pornography or other illegal activities.
However, super-user access to employee email is unrestricted: it extends to the entire county system, rather than limiting department heads to their own department. In theory, any super-user may have access to confidential messages within the offices of county counsel, district attorney, human resources, sheriff, Board of Supervisors or the grand jury, for example, regardless of what department that super-user works in.
The grand jury said IT management drafted a revised Policy 22 in 2010 and presented it to the Executive Office. The grand jury reported no evidence existed that the Executive Office actually proposed the revision to the Board of Supervisors for consideration.
However, the grand jury pointed out that neither the 2003 version of Policy 22, nor the 2010 draft update, contained any actual policies or procedures regarding management access to employee email.
As of 2016, the Executive Office established an informal procedure covering management access to employee email that would require a manager to seek approval from the CEO or other designee before having access to employee email, according to the grand jury. But the updated policy has yet to be formally presented to the Board of Supervisors for actual implementation.
The grand jury said it also found no log of email access requests or granted permissions made to either the IT Department or the Executive Office for the informal 2016 policy change.
Overall, the grand jury said the county’s current technology policy is outdated, and it is recommending that the county’s IT Department update Policy 22 as soon as possible with assistance from county administration, and that the updated policy be officially adopted by the Board of Supervisors.
The new policy should also detail which email access is allowable, and require a log of all accesses and by whom. The grand jury is recommending that super-user mail auditor functions be delegated to only one employee.
Also, the grand jury said it found union members were able to use county email systems for union communications for the purpose of bargaining, which it said is contrary to Policy 22.
Because of this, the grand jury is also recommending that the county’s bargaining agent and union consider modifying their mutually agreed-upon ground rules to prevent unlimited employee use of the county’s email system for the purpose of bargaining.
Responses to this report are being requested from the Board of Supervisors, county CEO, county counsel and IT manager.
June 18, 2016
Ukiah Daily Journal
By Daily Journal staff

