Security Basics mailing list archives
Re: Procedure for staff leaving
From: dwidger () houston rr com
Date: Wed, 30 Aug 2006 11:08:29 -0500
I fully endorse that the best method for a departure is to start with the arrival. My approach is to focus on the complete process, for employee accounts, service accounts, and hardware.

For illustration, consider a new hire, who is granted privileges A, B, C (where the privileges may be physical like badges, computers, phones / PDAs, or virtual like network access, VPN, App A, App B, App C, etc.). There needs to be some mechanism (database) that tracks what was given, and when. When the party leaves / terms / quits, there should be a mechanism to check off closure for A, B, & C.

The real challenge is that oftentimes people get A, B, C on the first day, but over the progression of time in a given business, people also get the privileges of D, E, & F ... If the privilege storage mechanism could produce a list of all the accumulated privileges at the termination point, then a check-off list could be produced to methodically deactivate all of the privileges.

Now consider service accounts. How is the tracking managed for this? How about the addition of servers to the data center, or the addition of apps and services to the server? If this is not explicitly designed into the process, then it won't happen by accident. There need to be specific controls that measure effectiveness, and specific people assigned responsibility for the controls.

Dan Widger

----- Original Message -----
From: kevinlh () hotmail com
Date: Wednesday, August 30, 2006 10:48 am
Subject: Re: Procedure for staff leaving
To: security-basics () securityfocus com
I recommend you start the policy with the hiring process, not with the termination process. Primarily of concern are non-disclosure, information ownership (i.e., everything developed, created, or envisioned using the company's resources is property of the company), and privacy agreements. When someone leaves you can make the legal ramifications so stiff they are deterred enough to be on good terms. Of course you should hire good people to begin with, then you don't have such problems.

---------------------------------------------------------------------------
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
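The privilege-tracking mechanism described in Dan Widger's message, sketched as an added example that is not part of the original thread: a ledger records each grant with its date, and at termination produces the check-off list of everything still open. The table layout, the holder `jdoe`, the privilege names and the use of SQLite are all assumptions made for illustration.

```python
import sqlite3

def open_ledger():
    """In-memory ledger: one row per grant, closed by setting revoked_on."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE grants (
        holder TEXT NOT NULL, privilege TEXT NOT NULL,
        kind TEXT NOT NULL,        -- 'physical', 'virtual' or 'service'
        granted_on TEXT NOT NULL,  -- ISO date, so text order is date order
        revoked_on TEXT, revoked_by TEXT)""")
    return db

def grant(db, holder, privilege, kind, day):
    db.execute("INSERT INTO grants VALUES (?, ?, ?, ?, NULL, NULL)",
               (holder, privilege, kind, day))

def revoke(db, holder, privilege, day, by):
    """Check off one open grant. Returns 0 if the ledger never recorded it."""
    cur = db.execute(
        "UPDATE grants SET revoked_on = ?, revoked_by = ? "
        "WHERE holder = ? AND privilege = ? AND revoked_on IS NULL",
        (day, by, holder, privilege))
    return cur.rowcount

def checklist(db, holder):
    """Everything still open for holder, oldest grant first."""
    return db.execute(
        "SELECT privilege, kind, granted_on FROM grants "
        "WHERE holder = ? AND revoked_on IS NULL "
        "ORDER BY granted_on, privilege", (holder,)).fetchall()

def build_sample():
    """Constructed data: first-day grants, later additions, one early removal."""
    db = open_ledger()
    for name, kind in (("badge", "physical"), ("laptop", "physical"),
                       ("VPN", "virtual")):
        grant(db, "jdoe", name, kind, "2005-01-10")
    grant(db, "jdoe", "App D", "virtual", "2005-06-01")
    # Service account that jdoe is the responsible person for.
    grant(db, "jdoe", "svc-backup", "service", "2006-02-15")
    revoke(db, "jdoe", "VPN", "2006-03-01", "helpdesk")  # closed on role change
    return db

if __name__ == "__main__":
    for item in checklist(build_sample(), "jdoe"):
        print("[ ]", *item)
```

A `revoke` that returns 0 is the signal that a privilege was handed out without ever being recorded, which is the gap the message warns will not close by accident.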
Current thread:
- Procedure for staff leaving phion wong (Aug 29)
- <Possible follow-ups>
- Re: Procedure for staff leaving krymson (Aug 30)
- Re: Procedure for staff leaving kevinlh (Aug 30)
- Re: Procedure for staff leaving dwidger (Aug 31)