8. Case-Study: Implementation of Identity and Access Management in an Organization
8.5. Creation of shared generic mailbox
a. Current state of the process
Shared generic mailboxes are used for broad communication to a wide audience on behalf of a team. The shared mailbox is available and accessible to all team members.
The current process involves two roles, the requester and the implementer, in the creation of a shared mailbox account.
Process to create a new shared mailbox account for the user:
1. When a user needs a shared mailbox, the requester contacts the implementer to create it.
2. The implementer verifies the business justification only with the requester.
3. The implementer continues with the AD account creation and the shared mailbox creation.
4. The AD account is created and will be synchronized with AD within 4 to 6 hours.
5. The shared mailbox is generated for the user.
6. When the mailbox is created, an e-mail is sent to the account owner asking them to reset the default password.
Risk and Control matrices should capture all relevant information pertaining to a given business/IT process. The important control activity information to be captured in the matrix includes:
Identified Risks
Control Objectives
Missing Control Activities
Risk and Control Matrix: Creation of shared generic mailbox (Business Process & Control Objectives, Risks, Missing Control activities)

| S.no. | Control Objectives | Risks | Impact | Missing Control activities |
| 1 | Controls provide reasonable assurance that shared mailbox accounts are created by authorized personnel completely and accurately | Shared mailbox accounts can be created with wrong permissions and access and will not be able to serve their business purpose | Extreme | Proper segregation of duties for the operational personnel must be set with assigned roles and responsibilities |
| 2 | Controls provide reasonable assurance that the shared mailbox is able to broadcast information to specific teams and emergency broadcasts | Messages from the shared mailbox will not reach the appropriate team | Extreme | Controls are such that |
| 3 | Controls provide reasonable assurance that the authenticity of the shared mailbox and the shared information is true | Cyber-attackers can create a similar mailbox name and send false information to the team | Extreme | Controls such that the mailbox messages are encrypted and the mailbox owner digitally signs the e-mail |
| 4 | Controls provide reasonable assurance that the AD account of the mailbox is not used for login to computers | Using the AD account of the mailbox to log in to computers reduces the traceability of user activities and makes it harder to identify who is using the account | Extreme | Controls such that the AD account of the mailbox is disabled so that no one can use it for login purposes |
| 5 | Controls provide reasonable assurance that the mailbox can be retrieved if the mailbox owner forgets to change the password | Forgetting to change the password of the mailbox can lead to cyber attacks | Extreme | Controls such that the mailbox owner must change the password of the mailbox once every 30 days |

Table 11: Risk and Control Matrix: Creation of shared generic mailbox
b. Risk map/table with scenarios, probability, impact
The table below lists the risk scenarios associated with the creation and usage of shared mailboxes in the organization before the implementation of IAM controls. The risk rating is impact multiplied by likelihood and is compared against the baseline of 9.
| Risk Scenario Category | Impact (1-5) | Likelihood (1-5) | Risk Rating | Baseline |
| Un-traceability of users using shared mailbox | 3 | 5 | 15 | 9 |
| IT operational infrastructure incidents | 3 | 4 | 12 | 9 |
| Unauthorized actions | 5 | 5 | 25 | 9 |
| Unable to broadcast information to specific teams and emergency broadcast | 5 | 5 | 25 | 9 |
| Third-party/supplier incidents | 4 | 3 | 12 | 9 |
| Mailbox error incidents | 4 | 4 | 16 | 9 |
| Noncompliance | 3 | 5 | 15 | 9 |
| Authenticity of the mailbox and shared information | 5 | 5 | 25 | 9 |
| Usage of mailbox AD account for login | 5 | 5 | 25 | 9 |
| Usage of mailbox for personal use | 5 | 3 | 15 | 9 |
| Vulnerable to cyber-attacks and hacks | 5 | 4 | 20 | 9 |
| Forgotten password of the mailbox | 5 | 4 | 20 | 9 |
| Data & information management | 4 | 4 | 16 | 9 |

Table 12: Risk Analysis of Shared Mailbox account before implementation of IAM control
c. Description of the suggested changes based on GDDB system with IAM controls
Shared generic mailboxes are used for broad communication to a wide audience on behalf of a team. The shared mailbox is available and accessible to all team members.
This section describes how to create a shared/generic mailbox in GDDB.
Procedure:
1. Check the request for creation of a shared mailbox and confirm that the relevant request form is attached.
2. Verify that all fields in the request form are filled in correctly.
3. Continue with the AD account creation and mailbox creation.
4. Once the AD account and mailbox are created, send an e-mail to the requester.
5. Disable the AD account of the shared/generic mailbox.
AD account creation for a new shared/generic mailbox:
The following are the steps to manually create an AD account for a new shared/generic mailbox.
To create an AD account for a new shared/generic mailbox:
1. Open the generic record of the Digital Identity you want to create an AD account for and click Add Account.
2. The Account Insert screen opens, prompting you to select an account type.
Figure 15: Creation of shared mailbox account
3. To show the available account types, click Choose.
4. A pop-up window opens listing the account types.
Figure 16: Selection of shared mailbox account
5. Choose AD Standard Generic User and click Next.
6. The Insert Account screen appears with the Container field, where a default organization is filled in. The AD container is pre-populated.
7. Submit the pre-populated AD container by clicking Next.
8. The Insert Account screen appears with the Home Directory Template field, where a default home directory path is filled in. The Home Directory Template value is also pre-defined.
9. Submit the pre-populated Home Directory Template by clicking Next.
10. The AD account is created and will be synchronized with AD within 4 to 6 hours.
11. When the AD account is created and synchronized with AD, proceed with the creation of a mailbox.
Mailbox creation for a new shared/generic mailbox:
The following are the steps to manually create a mailbox for a new shared/generic mailbox.
To create a mailbox for a new shared/generic mailbox:
1. Open the generic record of the Digital Identity you want to create a mailbox for and click Add E-mail.
2. The E-mail Address Insert screen opens, prompting you to select a post office.
Figure 17: Creation of shared mailbox
3. In the pop-up window, select the Exchange BPOS post office for the primary mailbox.
Figure 18: Primary mailbox selection
4. Click Insert to create the mailbox.
Figure 19: Mailbox Creation
5. After the mailbox account has been created, send an e-mail to the requester.
The following advantages help to mitigate or reduce the risks after the implementation of IAM controls:
The shared mailbox owner is responsible for the communication and for granting mailbox permissions to other users.
The AD account of the mailbox is disabled to prevent login with the mailbox ID.
The shared mailbox is password protected and encrypted, and a password change is mandatory every 30 days.
The mailbox owner can monitor the mailbox usage logs.
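As an added audit check (not part of the thesis or of the GDDB procedure), the script below verifies two of the Table 11 controls for every shared mailbox: the backing AD account is disabled (control 4) and its password was changed within the last 30 days (control 5). It assumes an on-premises Active Directory with the ActiveDirectory PowerShell module and an Exchange management session that exposes Get-Mailbox; the page itself names GDDB and Exchange BPOS, so the tooling is an assumption.

```powershell
# Added example, not from the original page: audit shared mailbox accounts against
# the "AD account disabled" and "30-day password rotation" controls from Table 11.
# Assumes the ActiveDirectory module and an Exchange management session are available.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 30   # rotation interval stated in Table 11, control 5

$findings = foreach ($mbx in Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited) {
    # Get-Mailbox exposes the SamAccountName of the AD account behind the mailbox
    $user = Get-ADUser -Identity $mbx.SamAccountName -Properties Enabled, PasswordLastSet

    # PasswordLastSet is $null when the password has never been set; treat that as non-compliant
    $ageDays = if ($user.PasswordLastSet) { ((Get-Date) - $user.PasswordLastSet).Days } else { $null }

    [pscustomobject]@{
        Mailbox         = $mbx.PrimarySmtpAddress
        SamAccountName  = $user.SamAccountName
        AccountDisabled = (-not $user.Enabled)                                      # control 4: expect $true
        PasswordAgeDays = $ageDays
        RotationOk      = ($null -ne $ageDays -and $ageDays -le $MaxPasswordAgeDays)  # control 5: expect $true
    }
}

# Report only the mailboxes that breach either control, so the output is an exception list
$findings |
    Where-Object { -not $_.AccountDisabled -or -not $_.RotationOk } |
    Format-Table Mailbox, SamAccountName, AccountDisabled, PasswordAgeDays, RotationOk -AutoSize
```

An empty exception list means every shared mailbox satisfies both controls; each listed row is a mailbox whose owner or implementer needs to be contacted.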
d. Risk map/table with the same scenarios, probability, impact after the implementation of changes
The table below shows the risk analysis outcome and how the implemented changes reduce the risk associated with the creation and usage of shared mailboxes in the organization.
| Risk Scenario Category | Impact (1-5) | Likelihood (1-5) | Risk Rating | Baseline |
| Un-traceability of users using shared mailbox | 2 | 2 | 4 | 9 |
| Unable to broadcast information to specific teams and emergency broadcast | 2 | 2 | 4 | 9 |
| Third-party/supplier incidents | 2 | 2 | 4 | 9 |
| Mailbox error incidents | 3 | 2 | 6 | 9 |
| Noncompliance | 2 | 3 | 6 | 9 |
| Authenticity of the mailbox and shared information | 2 | 2 | 4 | 9 |
| Usage of mailbox AD account for login | 2 | 2 | 4 | 9 |
| Usage of mailbox for personal use | 3 | 2 | 6 | 9 |
| Vulnerable to cyber-attacks and hacks | 2 | 1 | 2 | 9 |
| Forgotten password of the mailbox | 2 | 3 | 6 | 9 |
| Data & information management | 2 | 2 | 4 | 9 |

Table 13: Risk Analysis of Shared Mailbox account after implementation of IAM control