deleted

  • NaibofTabr@infosec.pub
    link
    fedilink
    English
    arrow-up
    34
    ·
    edit-2
    6 months ago

    A couple additional thoughts:

    • You sent your boss an email using your company email server. You do not control this server. You cannot rely on this email as a paper trail, any email you send could be deleted by someone else with administrative access. In Outlook it’s possible to delete any email that was sent internally and the logs that it was sent.

    • You should write down the date(s) and time(s) that you sent emails about this to your boss, on paper. Keep it with your other work notes.

    • You should not include any specific technical information about your company’s systems in this paper record as this might expose you to liability in the future. Just record when you sent the emails and a general description of the subject (e.g. “email to boss about upgrading out-of-date operating system”), and a short description of any response (verbal or written).

    • You have offered to upgrade this system. Your boss said no. It’s not your responsibility anymore.

    • If I were in your position I would tell my boss explicitly that I won’t be responsible for the security of this system or anything connected to it, at least not without a signed risk acceptance statement. You might not feel comfortable doing that, it is potentially confrontational.

    • If you’ve been told that you’re responsible for this system (your employment is dependent on it) in spite of your objections, please take a look at this article about security hardening for Windows 7 and try to implement as much as you can. If you’re not responsible for it, don’t mess with it.