Information security professionals often classify security threats based on whether they are carried out by company insiders or outsiders. There is regular debate about which type of attack is more damaging to the ongoing health of a business, but there is one intriguing point where insider and outsider threats blend together, and that is the employee termination process. How effective is your employee termination process with respect to maintaining the information security health of your company?
What kind of risk does your business face when an employee is terminated?
Your business is in a potentially vulnerable situation when an employee is terminated if you do not have effective procedures in place. The size of that risk is based on a number of factors including:
- How friendly were the terms of departure? Employees that leave on mutually satisfying terms present a much lower risk than employees who feel that they have been mistreated.
- How much inside information does the departing employee have? Trusted insiders with deep knowledge of your business or IT environments expose you to more risk than an average employee with limited knowledge of these sensitive activities.
- What kind of employees did you have working for you? If you hire well and focus on employees with integrity you will be at lower risk than if your hiring standards are not as strict. Treating employees fairly through a difficult, life-changing event also goes a long way toward minimizing your risk.
- What kind of ongoing relationship will the departing employee have with your company? If they are drawing a pension or other benefits from your company there is a lower risk, because some of these benefits could be jeopardized if illegal actions occur after employment.
What kind of process do you need to secure your business from risks when an ex-employee moves on?
Your business should have an employee exit checklist that covers many of the items listed in the draft checklist below. It is important to complete the employee exit procedure promptly to minimize the risk of an ex-employee misusing information assets after their term of employment. Many companies have been victimized by their own sloppy enforcement of policies to remove access to electronic accounts, such as neglecting to turn off VPN or external email services that were provided to the employee.
Sample employee information security termination checklist
1. Disable the employee's ability to physically access the building
- Electronic access badge
- Parking pass
2. Arrange return of all company owned assets
- Laptops/Notebooks/Mobile Phones
- Originals of company owned software
- Calling Cards
- Credit Cards
3. Delete all system accounts of exiting employee
- VPN/Remote Access Accounts
- Email Account
- Network Account
- Voice Mail System
- Web-meeting & Collaboration accounts
- All application accounts
- Access to any company financial accounts
- Access to company information/data backups
- Access to company owned social media accounts or web properties
4. IT Privileged Users Process
For users with system administration privileges the account termination process must be even more extensive. A thorough analysis to determine the extent of the person's access should be conducted to validate that all access is terminated as expected. Special attention should be paid to:
- Database accounts
- Application level service accounts
- Accounts with shared passwords
- Network/Router passwords
- Generic test accounts
- Remote access accounts including VPNs, Jump boxes or even analog modem connections
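One way to audit the checklist above rather than trust that it was followed is to compare an HR termination feed against an inventory of enabled accounts across the systems the checklist names, and flag anything still enabled past the termination date. The script below is an added example, not part of the original article; the HR records, account inventory and system names in it are constructed sample data, and the one-day grace period is an assumed policy value.

```python
"""Offboarding audit: flag accounts still enabled after an employee's termination
date. The HR records and account inventory below are constructed sample data,
not exports from any real system."""
from dataclasses import dataclass
from datetime import date

# Constructed HR feed: employee id -> termination date.
TERMINATIONS = {"e1001": date(2024, 3, 1), "e1002": date(2024, 3, 15)}

# Constructed inventory from the systems the checklist names:
# (system, owning employee id, account name, enabled, shared credential).
ACCOUNTS = [
    ("vpn", "e1001", "e1001", True, False),
    ("email", "e1001", "jdoe@example.test", False, False),
    ("database", "e1001", "app_reports", True, True),
    ("vpn", "e1002", "e1002", False, False),
    ("network", "e1002", "e1002", True, False),
    ("email", "e1003", "asmith@example.test", True, False),  # still employed
]

@dataclass(frozen=True)
class Finding:
    system: str
    account: str
    employee: str
    days_overdue: int
    shared: bool

def audit(accounts, terminations, today, grace_days=1):
    """Return enabled accounts owned by terminated staff, past the grace period.
    Shared credentials sort first: they need rotation, not just a disable."""
    findings = []
    for system, owner, name, enabled, shared in accounts:
        term = terminations.get(owner)
        if term is None or not enabled:
            continue  # current employee, or access already removed
        overdue = (today - term).days - grace_days
        if overdue >= 0:
            findings.append(Finding(system, name, owner, overdue, shared))
    findings.sort(key=lambda f: (not f.shared, -f.days_overdue))
    return findings

def run_audit(today_iso="2024-03-20"):
    # Run the audit against the constructed data as of an ISO date string.
    return audit(ACCOUNTS, TERMINATIONS, date.fromisoformat(today_iso))

if __name__ == "__main__":
    for f in run_audit():
        action = "rotate shared credential" if f.shared else "disable account"
        print(f"{f.system:9}{f.account:22}owner={f.employee} {f.days_overdue:>3}d overdue -> {action}")
```

In a real deployment the two inputs would come from the HR system and from per-system account exports; the point is that the check runs on a schedule and does not depend on anyone remembering the checklist.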
Recent information security incidents illustrate the importance of auditing your employee termination process to validate that it is operating effectively. It is easy to rely on policy, but if you do not check, you can count on compliance gaps that leave your company's information assets exposed.