Security Basics mailing list archives

Re: Procedure for staff leaving


From: dwidger () houston rr com
Date: Wed, 30 Aug 2006 11:08:29 -0500

I fully endorse that the best method for a departure is to start with 
the arrival.  

My approach is to focus on the complete process, for employee 
accounts, service accounts, and hardware.  

For illustration, consider a new hire, who is granted privileges A, B, 
C.  (where the privileges may be physical like badges, computers, 
phones / PDAs, or virtual like network access, VPN, App A, App B, App 
C, etc...)  There needs to be some mechanism (database) that tracks 
what was given, and when.  When the party leaves / terms / quits, 
there should be a mechanism to check off closure for A, B, & C.  The 
real challenge is that often times, people get A, B, C on first day, 
but over the progression of time in a given business, people also get 
the privileges of D, E, & F .....  If the privilege storage mechanism 
could produce a list of all the accumulated privileges at the 
termination point, then a check off list could be produced to 
methodically deactivate all of the privileges.

Now consider service accounts.  How is the tracking managed for this?

How about the addition of servers to the data center, or the addition 
of apps, and services to the server?  

If this is not explicitly designed into the process, then it won't 
happen by accident.  

There need to be specific controls that measure effectiveness, and 
specific people assigned responsibility for the controls.

Dan Widger



----- Original Message -----
From: kevinlh () hotmail com
Date: Wednesday, August 30, 2006 10:48 am
Subject: Re: Procedure for staff leaving
To: security-basics () securityfocus com

I recommend you start the policy with the hiring process, not with 
the termination process. Primarily of concern are non-disclosure, 
information ownership (i.e. everything developed, created, or 
envisioned using the company's resources are property of the 
company), and privacy agreements. When someone leaves you can make 
the legal ramifications so stiff they are deterred enough to be on 
good terms. Of course you should hire good people to begin with, 
then you don't have such problems.

-------------------------------------------------------------------
--------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic 
Excellence 
in Information Security. Our program offers unparalleled Infosec 
management 
education and the case study affords you unmatched consulting 
experience. 
Using interactive e-Learning technology, you can earn this 
esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
-------------------------------------------------------------------
--------
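
The tracking mechanism described in the reply above (record what was given and when, then produce a check-off list at the termination point), sketched as an added example that is not part of either post. The schema, the function names, the sample people and dates, and the "owner" column used to tie service accounts to a responsible person are all assumptions made for illustration.

```python
import sqlite3

SCHEMA = """CREATE TABLE grants (
    holder     TEXT NOT NULL,  -- person or service account holding the privilege
    owner      TEXT NOT NULL,  -- person responsible for the holder (assumed column)
    privilege  TEXT NOT NULL,  -- physical (badge, laptop) or virtual (vpn, app)
    granted_on TEXT NOT NULL,  -- ISO date the privilege was given
    closed_on  TEXT            -- NULL until closure is checked off
)"""

def open_ledger():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db

def grant(db, holder, privilege, granted_on, owner=None):
    """Record a privilege at the moment it is given, on day one or later."""
    db.execute("INSERT INTO grants VALUES (?, ?, ?, ?, NULL)",
               (holder, owner or holder, privilege, granted_on))

def close(db, holder, privilege, closed_on):
    """Check off closure; refuse to close something that was never tracked."""
    cur = db.execute("UPDATE grants SET closed_on = ? WHERE holder = ? "
                     "AND privilege = ? AND closed_on IS NULL",
                     (closed_on, holder, privilege))
    if cur.rowcount == 0:
        raise LookupError(f"no open grant of {privilege!r} for {holder!r}")

def departure_checklist(db, person):
    """Every still-open privilege held by the person or by accounts they own."""
    rows = db.execute("SELECT holder, privilege, granted_on FROM grants "
                      "WHERE closed_on IS NULL AND (holder = ? OR owner = ?) "
                      "ORDER BY granted_on, privilege", (person, person))
    return [(h, p, d, "deactivate" if h == person else "reassign or deactivate")
            for h, p, d in rows]

def build_sample():
    """Constructed sample data: day-one grants plus privileges added over time."""
    db = open_ledger()
    for priv in ("badge", "vpn", "app-a"):
        grant(db, "alice", priv, "2006-01-09")
    grant(db, "svc-backup", "backup-server-login", "2006-02-10", owner="alice")
    grant(db, "alice", "app-d", "2006-03-01")
    close(db, "alice", "app-a", "2006-04-01")   # dropped long before departure
    grant(db, "alice", "app-e", "2006-05-15")
    grant(db, "bob", "vpn", "2006-01-09")
    return db

if __name__ == "__main__":
    for item in departure_checklist(build_sample(), "alice"):
        print(*item, sep="  ")
```
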

