Re: Procedure for staff leaving

Subject: Re: Procedure for staff leaving
Date: Wed, 30 Aug 2006 11:08:29 -0500
I fully endorse that the best method for a departure is to start with 
the arrival.  

My approach is to focus on the complete process, for employee 
accounts, service accounts, and hardware.  

For illustration, consider a new hire, who is granted privileges A, B, 
C.  (where the privileges may be physical like badges, computers, 
phones / PDAs, or virtual like network access, VPN, App A, App B, App 
C, etc...)  There needs to be some mechanism (database) that tracks 
what was given, and when.  When the party leaves / terms / quits, 
there should be a mechanism to check off closure for A, B, & C.  The 
real challenge is that often times, people get A, B, C on first day, 
but over the progression of time in a given business, people also get 
the privileges of D, E, & F .....  If the privilege storage mechanism 
could produce a list of all the accumulated privileges at the 
termination point, then a check off list could be produced to 
methodically deactivate all of the privileges.

Now consider service accounts.  How is the tracking managed for this?

How about the addition of servers to the data center, or the addition 
of apps, and services to the server?  

If this is not explicitly designed into the process, then it won't 
happen by accident.  

There need to be specific controls that measure effectiveness, and 
specific people assigned responsibility for the controls.

Dan Widger



----- Original Message -----
From: kevinlh@hotmail.com
Date: Wednesday, August 30, 2006 10:48 am
Subject: Re: Procedure for staff leaving
To: security-basics@securityfocus.com

I recommend you start the policy with the hiring process, not with 
the termination process. Primarily of concern are non-disclosure, 
information ownership (i.e., everything developed, created, or 
envisioned using the company's resources is property of the 
company), and privacy agreements. When someone leaves you can make 
the legal ramifications so stiff they are deterred enough to be on 
good terms. Of course you should hire good people to begin with, 
then you don't have such problems.

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


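The tracking mechanism described in the reply above, sketched as an added example that is not part of the original thread: a grant ledger that records what was given and when, and produces the check-off list at termination. The table layout, the function names, the sample rows, and the idea of tying each service account to a responsible person through an owner column are all assumptions made for illustration.

```python
import sqlite3

SCHEMA = """
CREATE TABLE grants (
    id         INTEGER PRIMARY KEY,
    holder     TEXT NOT NULL,  -- person or service account holding the privilege
    owner      TEXT,           -- responsible person for a service account (assumption)
    privilege  TEXT NOT NULL,  -- badge, VPN, App A, ...
    granted_on TEXT NOT NULL,  -- ISO date the privilege was given
    revoked_on TEXT            -- NULL while the privilege is still active
);
"""

# Constructed sample data: first-day grants, later accumulation, one service account.
SAMPLE = [
    ("alice", None, "badge", "2005-01-10", None),
    ("alice", None, "VPN", "2005-01-10", None),
    ("alice", None, "App A", "2005-01-10", "2005-09-01"),
    ("alice", None, "App D", "2005-11-02", None),
    ("svc-backup", "alice", "db-server-3 root", "2006-02-14", None),
    ("bob", None, "VPN", "2005-03-01", None),
]

def open_ledger(rows=SAMPLE):
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO grants (holder, owner, privilege, granted_on, revoked_on) "
        "VALUES (?, ?, ?, ?, ?)", rows)
    return db

def termination_checklist(db, person):
    """All still-active grants the person holds directly or owns via a service account."""
    return db.execute(
        "SELECT id, holder, privilege, granted_on FROM grants "
        "WHERE revoked_on IS NULL AND (holder = ? OR owner = ?) "
        "ORDER BY granted_on, id", (person, person)).fetchall()

def check_off(db, grant_id, when):
    """Record closure of one item; False if it was already closed or does not exist."""
    cur = db.execute(
        "UPDATE grants SET revoked_on = ? WHERE id = ? AND revoked_on IS NULL",
        (when, grant_id))
    return cur.rowcount == 1

def is_closed_out(db, person):
    """True only when nothing remains on the person's checklist."""
    return not termination_checklist(db, person)

if __name__ == "__main__":
    ledger = open_ledger()
    for item in termination_checklist(ledger, "alice"):
        print(item)
```

Because closure is recorded on the same row as the grant, the ledger also serves as the control measurement: any departed person for whom is_closed_out() is false is an open finding with a named item.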