Monday, April 03, 2006

Termination Procedures

It is very important for businesses of any size to have in place specific procedures that must be followed whenever an employee leaves the company, whether of his own volition, or by the action of the company. As I mentioned in my previous post, these procedures must be followed no matter which employee is being terminated.

Some considerations for such a procedure:

1. Document it. It doesn't matter if your company has only 1 server that runs 1 critical application, plus an email server: there should be a written document that explains how to remove access for any user, and how to disable or delete their email address.

2. Be comprehensive. On the flip side of the coin, if you have 30 or 40 servers, 5 applications for each department or business unit, and email, VPN access, intranet applications, etc., you need to have a checklist for each item so that all access to each system can be verified and removed.

3. Know your users. This ties in to #2. If you don't know what accounts are out there, you may not be able to track them all down when you need to. Make sure all user accounts for each system are documented per employee, so that you can easily figure out which systems to go to first when disabling accounts. It's important to check the rest, just in case, but if it's going to take you the better part of an hour to get through everything, it helps to prioritize.

4. Beyond IT. Not unreasonably, we tend to focus on computer systems access, since that is our main responsibility. But it is important to think beyond the PCs and servers during terminations: for instance, access to voicemail boxes, teleconferencing systems, keycard entry systems, combination locks, even old-fashioned key locks. While not all of these may be "owned" by IT, they must be part of the procedure, so the person or department responsible for restricting those means of access can be notified and respond in a timely fashion.

5. Independent verification. Not that I'm suggesting anyone shouldn't be trusted, but it is a good practice to have a second pair of eyes verify that access has been completely removed during the termination procedures. In the case of having 30 servers or so to go through, it can be a tedious process, and anyone can miss an obscure method of access. Human error should be taken into account in any process whenever possible.
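To make items 2, 3 and 5 concrete, here is an added example (my own illustration, not part of the original post or any product) of a small offboarding runbook in Python. It assumes a constructed per-employee account inventory, a constructed list of in-scope systems with a responsible owner and a revocation priority, and a constructed "live" view of which accounts are enabled on each system; all names, usernames and systems are made up. The checklist puts inventoried accounts first by priority, then sweeps every remaining system anyway, and the verification step must be run by a different person than the one who did the revocations.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str
    owner: str      # team that must act; not always IT (voicemail, keycards)
    priority: int   # lower number = revoke first


# Constructed sample data: the systems in scope for a termination.
SYSTEMS = [
    System("vpn", "IT", 1),
    System("email", "IT", 1),
    System("erp", "Finance IT", 2),
    System("intranet-wiki", "IT", 3),
    System("keycard", "Facilities", 1),
    System("voicemail", "Telecom", 3),
]

# Constructed per-employee account inventory: employee -> {system: username}.
# Deliberately incomplete: the wiki account below was never recorded.
INVENTORY = {
    "jdoe": {"vpn": "jdoe", "email": "jdoe", "erp": "JDOE01", "keycard": "0451"},
}

# Constructed live state of each system: system -> set of enabled account names.
LIVE_STATE = {
    "vpn": {"jdoe", "asmith"},
    "email": {"jdoe", "asmith"},
    "erp": {"JDOE01", "ASMITH"},
    "intranet-wiki": {"jdoe", "asmith"},
    "keycard": {"0451", "0452"},
    "voicemail": {"asmith"},
}


def build_checklist(employee, inventory=INVENTORY, systems=SYSTEMS):
    """Ordered steps (system, owner, username or None): inventoried accounts first,
    by priority, then every remaining system flagged for a 'check anyway' sweep."""
    known = inventory.get(employee, {})
    ordered = sorted(systems, key=lambda s: (s.name not in known, s.priority, s.name))
    return [(s.name, s.owner, known.get(s.name)) for s in ordered]


def revoke(checklist, state):
    """Disable each inventoried account in the live state; returns what was revoked."""
    done = []
    for system, _owner, username in checklist:
        if username is not None and username in state[system]:
            state[system].discard(username)
            done.append((system, username))
    return done


def verify(employee, state, inventory=INVENTORY, aliases=()):
    """Second-pair-of-eyes check: any still-enabled account on ANY system whose name
    matches the employee's login, an inventoried username, or a supplied alias."""
    names = set(inventory.get(employee, {}).values()) | {employee} | set(aliases)
    return sorted((sys_name, u) for sys_name, users in state.items()
                  for u in users if u in names)


def offboard(employee, executor, reviewer, state):
    """Run revocation then independent verification; reviewer must differ from executor."""
    if executor == reviewer:
        raise ValueError("verification must be done by a second person")
    revoked = revoke(build_checklist(employee), state)
    leftover = verify(employee, state)
    return {"revoked": revoked, "leftover": leftover, "complete": not leftover}


if __name__ == "__main__":
    state = {k: set(v) for k, v in LIVE_STATE.items()}
    for step in build_checklist("jdoe"):
        print("step:", step)
    print(offboard("jdoe", executor="alice", reviewer="bob", state=state))
```

Running it shows the point of item 3: the four inventoried accounts are revoked in priority order, but the verification sweep still reports `("intranet-wiki", "jdoe")` as leftover access because that account was never inventoried, so the procedure is correctly marked incomplete rather than signed off.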

That's the overview for terminations. These procedures should be part of the security manual of any company, large or small.
