When an IT staff member told me that he was accepting a new job, I knew that filling his position was only one of my worries. I also had to worry about the security concerns that exist anytime an employee leaves the organization.
Years ago, ensuring security was a simple task. Your boss would retrieve your office keys, and a security guard would go through your box of personal effects, looking for the company’s office supplies. Now, you must also retrieve and secure a more complicated set of “keys” in the form of passwords and access rights. In this article, I’ll discuss the tasks you face to make sure your office and your system is secure when an employee leaves.
A to-do list for exiting employees
The exiting employee was working as a computer specialist in my department for about two and a half years. I hated to see him go, but I understood that his new job would help him meet his career goals.
Even though this employee was leaving on good terms, I made sure that security precautions were in place. I began by making a list of user accounts and passwords on local and remote servers. I was looking for any backdoor type of accounts. This task is tough because you need to be fairly familiar with the user accounts and files on your system to be able to spot anything out of place.
Obviously, the procedure for making a list of user accounts will differ, depending on whether your system involves a UNIX, Linux, or MS Windows NT server. Although tracking user accounts is a tedious task, I definitely became more familiar with the location of the accounts after this exercise. Some examples of servers to consider are Microsoft Exchange servers, FTP servers, Web servers, print servers, data storage servers (data warehousing), data backup servers, and file servers.
I also made a list of user accounts and passwords for any software applications requiring passwords including:
- PC Anywhere
- MS WinNT Admin
- UNIX Root
- UNIX SuperUser (sometimes referred to as Switch User or SU)
- End-user accounts (clients)
- Database accounts
You also need to deal with any biometric devices, such as hand scanners and optical or retina scanners. Your exiting employee’s record should be deleted from these types of databases. Other hardware/software to consider are user or administrator accounts on routers, switches, and CSU/DSU types of hardware.
Security checks before and after the departure
If would be really nice if you had a database or spreadsheet of your inventory. If your employee is not leaving on good terms, you may need to audit your hardware, software, peripherals, and even technical books just before he or she leaves and then again after he or she has gone. For larger shops, this might not be a big deal, but for some smaller shops, budgets are tight, and the loss of a 128-MB RAM module could cause distress to an IT operation.
The exiting employee’s electronic files are also important to check. Consider maintaining files for his or her contacts and information on his or her incomplete projects. Those projects could be doomed if this type of contact and task information disappears when an employee leaves. The ultimate nightmare would be if the exiting employee had access to other department files such as finance, R&D, or accounting. It is important to run backups or if possible archives of all systems that the exiting employee had access or security rights to. Taking a proactive approach is important to ensure that you keep all vital company information intact.
|Read More About Dealing with Employees at TechRepublic|
|Don't miss any of our 20 articles, columns, and downloads about dealing with exiting employees.|
|"Download our Employee Separation Checklist"|
|"Download our Computer Skills Information Form to help you prepare for new employees"|
|"Illegal interview questions"|
Check your list
There are a variety of issues to consider when an IT staff member leaves your organization. Here are a few of the questions you should ask.
Some organizations have a confidentiality agreement in place that is signed by an employee who is leaving. If you don’t have one, ask senior management or your organization’s legal advisor if a document of this type should be used. The agreement would include specific language stating that the exiting employee cannot discuss IP addresses, security holes, or specific hardware/software configurations that could cause a security breach.
Perhaps at your organization, employees signed a confidentiality agreement when they were hired. Should you or the HR representative remind an exiting employee about the terms of such an agreement?
Two-week notice or immediate release?
Do you respect the exiting employees' two-week notice, or do you thank them for their time with the company and let them go that minute? If the employee has been fired, your company policy likely requires the employee to leave immediately.
Other scenarios may be more difficult to judge. What if an employee is leaving voluntarily, but you suspect that the employee may have a negative attitude? In this case, you should consider asking the employee to leave immediately. You don’t need the additional stress of dealing with an unmotivated employee who is affecting the productivity of others in the office. You also don’t want to deal with an employee who cannot be trusted with the company’s sensitive information and inventory.
In a worst-case scenario, a disgruntled employee may purposely corrupt data files or damage hardware/software. Don’t be naive and think this can’t happen to you. I have personally heard employees who were planning on quitting say, “I am going to leave this place in a world of hurt when I leave.” Find out from your human resources department what the company policy is for asking an employee to exit before the two-week notice period ends.
Consider conducting an exit interview to find out why the employee is leaving your organization for a position with another company. This procedure may help you gather valuable retention information for the future.
Timing is everything
What is a reasonable amount of time for executing a plan when an employee is planning to leave? As for backing up or archiving files, I completed this during the final two weeks that he was on the job. In addition, I changed passwords locally and notified our remote sites to do the same.
It’s definitely to your advantage to maintain a good relationship with the employee who is leaving. You never know if you’ll need to call on the exiting employee when you can’t find a piece of software—or even the office three-hole punch.
Mark D. Gonzales is the IT manager for the department of emergency management with the county government in Pueblo, CO. Previously, he was director of technology for a Pueblo school district. He has a B.S. degree in Computer Information Systems (CIS), and he’s currently attending SUN University to obtain a Solaris Systems Administration I Certification. He’s also pursuing the Cisco Networking Academy certification program. His areas of specialty include LAN/WAN management, database management, and Web development.What steps do you take to deal with an exiting employee? Have you ever seen a coworker damage company property when they were leaving? Does Information Technology make this easier to do? Post a comment to this article or send us an e-mail.