What are the practices you are using with respect to email user names to differentiate between employees and consultant/temps in order to limit co-employment risks associated with consultant/temps inadvertently being included in all company meetings, communications, etc.?

Security & GRCProcess Management
2.5k viewscircle icon4 Comments
Sort by:
Chief Information Security Officer in IT Servicesa year ago

Similar to what Yvonne posted - using an identifier like john.smith.ctr@xxxx.com

VP of IT in Educationa year ago

I've seen unique email addresses used - ie c-johnsmith@xxxx.com.  Then it is also easy to find them all when IT is asked.  

Director of IT in Retaila year ago

We use to give special named accounts for external, and consultant personnel.  The Full-time employees are the only ones that uses the corporate standard email addresses/network accounts.

Director of IT in Educationa year ago

We address co-employment risks by using a special subdomain for all mailboxes related to external, temporary, and consultant personnel. This approach makes it easier to distinguish them from full-time employees, and helps to filter them out from general company meetings or communications. 

Additionally, using a subdomain allows for more straightforward implementation of Role-Based Access Control (RBAC) and other types of filtering and differentiation querying across various components of our user and identity management ecosystem.

Content you might like

We are in the early stages of planning a Workday Financials implementation and are evaluating the best approach for a MVP deployment. Given the scale and complexity of Workday Financials, we're particularly interested in understanding if anyone recommends or observes as best practices for MVP deployment models. Specifically, we’d like to know: Does anyone have a suggestion a phased or modular rollout for core financial modules (e.g., GL, AP, AR)? Is there a baseline configuration or functional scope typically considered MVP for Workday Financials? How do organizations balance quick time-to-value versus long-term scalability and integration when adopting Workday Financials as MVP?

As part of our NYSE IPO prep, we’re debating how to communicate our system hardening efforts in regulatory disclosures (e.g., SEC Form 20-F, SFC).

Would you recommend sharing % compliance (e.g., “85% CIS Tier 2”) or sticking to qualitative descriptions of how we identify and mitigate risks? Also, do SFC/ISO 27001 expectations require full ISMS integration, or is a % model acceptable?

How many days in advance do you plan if you need to renew, change, or terminate a SaaS app?

Just before the renewal4%

A few days in advance37%

A few weeks in advance23%

A few months in advance32%

A few years or more in advance2%

View Results

We’re preparing for an IPO on the NYSE as a Foreign Private Issuer and evaluating CIS Benchmarks to measure OS and database hardening.

Our proposed tiers:
• Tier 1 (70–80%) baseline
• Tier 2 (85–90%) for sensitive data
• Tier 3 (95–100%) for mission-critical systems

Is 80% compliance defensible for IPO due diligence with SEC or SFC? Should Tier 3 be considered mandatory for critical systems? And can compensating controls (e.g., PAM, microsegmentation) offset gaps in legacy environments?

To simplify your IT, do you expect all the security controls (CASB, ZTNA, SEG and SWG) delivered by the same vendor?

Yes, I am looking at consolidating multiple vendor solutions80%

No, I am fine with managing multiple vendors20%