Network Security Security-Basics
Re: Procedure for staff leaving

Subject: Re: Procedure for staff leaving
Date: 29 Aug 2006 19:41:38 -0000
The best thing to do here is write down what you do when someone leaves. This 
will create the framework for a procedure.

This can then also provide guidance on your policy. The policy should be 
general and will likely try to just say, "upon termination of employment (may 
want to define this as being forced termination or mutual or employee leaving, 
any sort of end to employment) all security access for that employee will be 
revoked. Any information or tasks for that employee (file server data, emails, 
files on their computer) should be backed up. Their direct manager should be 
queried as to what to do with this information and who should get it."

You want to also outline the procedure to invoke this policy. You don't want to 
start a termination sequence based on hearsay, even if that is sometimes all 
you get. You want an announcement from HR or from their direct manager or both, 
in a documentable form (request ticket, signed paper hardcopy, email...). You 
can then start the procedure, and then notify when completed and provide the 
deliverables.

Your procedure is going to likely include several general areas:

- who is involved: identify and notify HR or their manager so you can ask 
questions as needed. Get a date of termination, and if this is a firing, while 
it is not necessarily our business to know the details, it may help to know 
whether it is mutual or not, especially if you need to disable their account 
while they are away being informed. HR should not let the employee back to 
their desk or anywhere else in the company unsupervised after termination. They 
must be escorted out and their personal belongings provided to them either at 
that moment or later. This may be a bit beyond IT and more of an HR thing, but 
also identify who needs to be notified of a termination. Should Accounting be 
notified? How about the DBA who controls SQL accounts? This should be defined in 
the HR part of the procedure, possibly before you even hear about it.

- hardware: reclaim what has been checked out and assigned to that employee in 
terms of computer equipment, PDAs, etc (work with HR to get this procedure for 
employee hires to sign something). Did they have anything checked out like a 
laptop or projector?

- accounts and access: revoke network accounts, remote access accounts, VPN 
access and/or firewall rules; any internal systems that take an account they 
may have used (intranets, email, wiki, CRM systems, salesforce, web apps...)

- physical access: retrieve keys/key cards they may have; revoke any biometrics 
access and let receptionists know that the employee is no longer employed, so 
they can be stopped at the door if they attempt to gain access again.

- information: be sure to back up their information and get permission from 
their manager before wiping their old machine. Keep a copy of this backup for 
x months in a locked room (either HR or IT) and provide whatever 
the manager requires. Notify the manager before permanent disposal of the 
backup. Imaging is nice, but possibly not required.

- desk/workspace: bring their manager or HR along upon the first inspection and 
clean-up of their workspace, or do not do anything unless they OK it. Reclaim 
company-owned equipment and identify any personal effects that need to be 
returned to the employee, and provide those to HR. It is best to have HR do 
this with your help to avoid possible issues later.

- evaluate the need to change any shared accounts or access. Do you have 
wireless that now needs its key changed? Did they know the 
admin/root/enable password for any systems or devices? Was their name on the 
contact for SSL certs? Was their (possibly personal) cell phone on the contact 
list for data center service interruptions?

No form will ever catch everything unless you are in a 100% standards-compliant 
company. Always leave some room to just sit back and evaluate what the person 
did for their job, and what else may need to be addressed. You want to do this all in 
one shot as opposed to remembering 2 weeks later that they had a key to a door 
because 6 months ago you had a remodeling project that disabled the electronic 
locks for a week.


Definitely work with your HR on this policy, as they are likely to be very 
involved in it. They may even have their own procedures with Accounting or 
internal stuff that needs to be done.
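The "accounts and access" step above, and the point about acting only on a documentable request, as an added example that is not part of the original post: a PowerShell offboarding script for an Active Directory account. AD and the RSAT ActiveDirectory module are assumptions (the post does not say what directory is in use); the `Disabled Users` OU path, the ticket reference format and the record directory are placeholders. It snapshots group membership to a file before revoking it, so the manager can decide who inherits which access, and it honours `-WhatIf` so the run can be rehearsed first.

```powershell
<#
  Added example (not from the original post): offboard one AD account.
  Assumes the RSAT ActiveDirectory module; the OU path and the shape of the
  authorization reference (ticket id, signed form number) are placeholders.
  Run with -WhatIf to see what would change without changing anything.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)] [string] $SamAccountName,
    # The documentable HR/manager authorization (request ticket, signed form id).
    [Parameter(Mandatory = $true)] [string] $AuthorizationRef,
    [string] $DisabledOu = 'OU=Disabled Users,DC=example,DC=com',   # placeholder
    [string] $RecordPath = "$env:USERPROFILE\offboarding"             # placeholder
)

Import-Module ActiveDirectory -ErrorAction Stop

# Refuse to act on hearsay: no authorization reference, no revocation.
if ([string]::IsNullOrWhiteSpace($AuthorizationRef)) {
    throw 'An HR or manager authorization reference is required before revoking access.'
}

$user  = Get-ADUser -Identity $SamAccountName -Properties MemberOf, Manager, PrimaryGroup -ErrorAction Stop
$stamp = Get-Date -Format 'yyyy-MM-dd'
New-Item -ItemType Directory -Path $RecordPath -Force | Out-Null
$record = Join-Path $RecordPath "$SamAccountName-$stamp.json"

# 1. Snapshot group membership before removing it; this is the deliverable the
#    manager uses to decide who should now get that access.
$groups = Get-ADPrincipalGroupMembership -Identity $user |
    Select-Object -ExpandProperty DistinguishedName
[pscustomobject]@{
    SamAccountName   = $user.SamAccountName
    Manager          = $user.Manager
    Groups           = $groups
    AuthorizationRef = $AuthorizationRef
    DisabledOn       = $stamp
} | ConvertTo-Json | Set-Content -Path $record

# 2. Disable the account and replace the password with random bytes nobody knows,
#    so cached sessions or a re-enable by mistake do not restore the old credential.
if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable account and reset password')) {
    Disable-ADAccount -Identity $user
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword
}

# 3. Remove every group membership except the primary group, which AD will not
#    let you remove; the snapshot above is what preserves the knowledge of it.
foreach ($groupDn in $groups) {
    if ($groupDn -eq $user.PrimaryGroup) { continue }
    if ($PSCmdlet.ShouldProcess($groupDn, "Remove $SamAccountName")) {
        Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
    }
}

# 4. Record why and when on the object itself, then park it in the disabled OU
#    where group policy and periodic clean-up can find it.
if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Annotate and move')) {
    Set-ADUser -Identity $user -Description "Disabled $stamp per $AuthorizationRef"
    Move-ADObject -Identity $user -TargetPath $DisabledOu
}

Write-Output "Offboarding record written to $record"
```

The script deliberately covers only the directory account; VPN, firewall rules, SaaS logins and shared passwords from the later bullets still need their own steps, and the JSON record is what you hand back with the completion notice so the manager can confirm nothing was missed.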
