Security Basics mailing list archives
Re: Procedure for staff leaving
From: krymson () gmail com
Date: 29 Aug 2006 19:41:38 -0000
The best thing to do here is write down what you do when someone leaves. This will create the framework for a procedure. This can then also provide guidance on your policy. The policy should be general and will likely try to just say, "upon termination of employment (may want to define this as being forced termination or mutual or employee leaving, any sort of end to employment) all security access for that employee will be revoked. Any information or tasks for that employee (file server data, emails, files on their computer) should be backed up. Their direct manager should be queried as to what to do with this information and who should get it."

You want to also outline the procedure to invoke this policy. You don't want to start a termination sequence based on hearsay, even if that is sometimes all you get. You want an announcement from HR or from their direct manager or both, in a documentable form (request ticket, signed paper hardcopy, email...). You can then start the procedure, and then notify when completed and provide the deliverables.

Your procedure is going to likely include several general areas:

- who is involved: identify notifying HR or their manager so you can ask questions as needed. Get a date of termination, and if this is a firing, while it is not necessarily our business to know the details, it may help to know whether it is mutual or not, especially if you need to disable their account while they are away being informed. HR should not let the employee back to their desk or anywhere else in the company unsupervised after termination. They must be escorted out and their personal belongings provided to them either at that moment or later. This may be a bit beyond IT and more of an HR thing, but also identify who needs to be notified of a termination. Should Accounting be notified? How about the DBA who controls SQL accounts? This should be defined in the HR part of the procedure, possibly before you even hear about it.

- hardware: reclaim what has been checked out and assigned to that employee in terms of computer equipment, PDAs, etc. (work with HR to get this procedure for employee hires to sign something). Did they have anything checked out like a laptop or projector?

- accounts and access: revoke network accounts, remote access accounts, VPN access and/or firewall rules; any internal systems that take an account they may have used (intranets, email, wiki, CRM systems, salesforce, web apps...).

- physical access: retrieve keys/key cards they may have; revoke any biometric access and let receptionists know that the employee is no longer employed, so they can be stopped at the door if they attempt to gain access again.

- information: be sure to back up their information and get permission from their manager before wiping their old machine. Keep a copy of this backup for x amount of months in a locked room (either HR or IT) and provide whatever the manager requires. Notify the manager before permanent disposal of the backup. Imaging is nice, but possibly not required.

- desk/workspace: bring their manager or HR along upon the first inspection and clean-up of their workspace, or do not do anything unless they ok it. Reclaim company-owned equipment and identify any personal effects that need to be returned to the employee, and provide those to HR. It is best to have HR do this with your help to avoid possible issues later.

- evaluate the need to change any shared accounts or access. Do you have wireless that now needs the key changed? Did they know the admin/root/enable password for any systems or devices? Was their name on the contact for SSL certs? Was their possibly personal cell phone on the contact list for data center service interruptions? No form will ever catch everything unless you are in a 100% standards-compliant company. Always leave some room to just sit back and evaluate what the person did for their job, and what else may need to be addressed.

You want to do this all in one shot as opposed to remembering 2 weeks later that they had a key to a door because 6 months ago you had a remodeling project that disabled the electronic locks for a week. Definitely work with your HR on this policy, as they are likely to be very involved in it. They may even have their own procedures with Accounting or internal stuff that needs to be done.