
10 important categories of employment transition security

Employment transition is an often overlooked danger to company security. Make sure you pay proper attention to protecting your business from security compromises when someone leaves your company.

As this is being written in early 2009, the United States and much of the rest of the industrialized world is subject to a growing economic disaster. Despite the blandishments of politicians and perpetual Pollyannas, most of us are not persuaded that a couple of pork-laden "stimulus packages" and increased meddling in business markets by legislators who helped create the problem in the first place will result in a swift recovery. As we face an uncertain economic future, many businesses are preemptively cutting back on corporate expenses, while others are responding to very real downturns in profits with attempts to stave off further damage.

Such reorganizations of business structure typically include rounds of employee layoffs to cut costs, sometimes even eliminating whole divisions. As much of a disruption as this is to your business model, it can also have unforeseen consequences for security if you aren't careful about how you handle employee departures.

The day a decision is made to transition employees out of a company is the wrong time to develop and apply security policies related to their departure. Being unprepared could result in security breaches, as well as resentment on the part of both former and current employees. Disgruntled employees create the very internal security problems against which you should protect your organization.

With that in mind, I've listed below 10 categories of security policy related to employment transitions. Some categories may overlap in certain areas, but each has its own, irreplaceable importance to overall policy effectiveness.

1. Access Controls

Biometric enrollments, keycards, keys, parking or gate passes, and other physical access controls should be tracked and managed carefully. Many security precautions, such as firewalls, deactivated remote access accounts, and a strong password policy, can at times be circumvented simply by walking up to a physical computer and doing things the "hard" way. Such items should be managed as carefully as possible, without that management becoming intrusive into employees' work, so that they can be recovered, deactivated, and/or replaced quickly if and when the time comes. In extreme cases, locks may need to be changed and new keys reissued, but in many cases a well-managed system should allow most access control measures for a given employee to be deactivated with a few key presses or mouse clicks.

2. Accounts

Employee accounts must be carefully documented and centrally manageable as much as possible to ensure they can be secured once an employee transitions out of the company. When central management is not easily achieved, documentation becomes even more critical. Accounts that require special care include (but are not limited to) company credit cards, network logons, remote access accounts, server administration accounts, voicemail accounts, and workstation user accounts.

When an employee leaves the company, such accounts for the employee should all be deactivated as quickly as possible.

Don't forget that restoring from backups made before the employee's departure may restore that employee's remote access, user, and administrative accounts. Be sure you have policy in place to re-check restored systems against the current list of authorized accounts, and to re-apply any deactivations, as part of disaster recovery operations.

3. Debriefing

Whenever possible, conduct detailed exit interviews with employees. Among the things you should want to know about are the employee's complaints about the company (so you may improve things in the future), the current status of his or her work, and how to access any files the employee has encrypted. Don't let your ego stand in the way of improving conditions after a disgruntled employee leaves, or of gaining important insights into what kind of mess you may have to deal with when it comes to a departing employee's work in progress. Such information may be quite important to ensuring future security or to recovering important work from secured files.

4. Documentation

Company policy should, ideally and in most cases, require detailed ongoing documentation of employees' work on projects from day one of employment. This not only makes it easier to hand projects over to other (perhaps new) employees and to recover important data, but also provides an audit trail should an employee who becomes dissatisfied with his or her work conditions later decide to maliciously alter that work. Such documentation should be kept in a central, version-controlled, regularly backed-up repository. It may seem unintuitive at first, but Web-based collaboration tools such as MediaWiki can actually serve these needs on some organizations' intranets.

Business documentation should be secured in other ways, as well -- such as by granular, need-dependent access authorization, so that outgoing employees may not easily engage in last-minute corporate espionage. If your documentation contains trade secrets, no employee should have automatic access to all documentation. Access should be limited to the documentation an employee needs, and properly secured against unauthorized access.

5. Inventory

Detailed, regularly (preferably in real-time) updated inventories of office and employee assigned resources should be maintained for many reasons. One of the most important is so that you know what still needs to be recovered from an employee's possession when he or she leaves the company. Maintaining careful inventories up front will help produce clear checklists down the line when they are needed, so start implementing your inventory policy sooner rather than later.

6. Lockdown

Various levels of physical, file, and account access lockdown should be set up so they can be enacted quickly and easily in the event that an employee leaves the company or is under suspicion of malicious activity. In some respects this is just a reiteration of a key point of the other categories of employment transition security policy, but it deserves its own discrete mention: a clear, comprehensive, and well-managed lockdown procedure should be planned and implemented in advance, with the steps written down in order, so that nothing is overlooked when the time comes to act on it.

7. Logging

Good logging procedures are key to tracking security compromise incidents and shaping incident response. This applies to employment transitions as much as it does to protecting your network against less personal threats from the Internet. Good logging procedures implemented today can ensure that, when you have to lay off an employee tomorrow or lose one to a competitor, you will be able to track any suspect activity prior to the employee's departure as well as intrusions by a former employee after the fact.

Passive logging servers -- servers that capture a copy of network traffic (for instance from a mirrored switch port) and record it without ever being the addressed destination of that traffic, so that users of the monitored systems have no obvious sign of, or path to, the log store -- can be key to such precautions. Even in the absence of such resources, however, forwarding logs directly to a system outside a given employee's administrative reach can help ensure a clean, tamper-resistant record of any illicit activity.
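The two checks the logging section argues for, activity by an account whose owner has already left and suspect activity in the days before a departure, are simple to run once authentication logs are collected on a host the employee cannot reach. The following is an added example, not code from the original article: the sshd-style log lines, hostnames, usernames, addresses, business hours and departure records are all constructed for the example, and the lines are assumed to have been shipped to a central collector by syslog.

```python
"""Added example (not from the original article): two detection rules run over
authentication log lines held on a central log host.

Rule 1 flags any logon event, successful or failed, for an account whose owner
has already departed. Rule 2 flags successful off-hours logons by a departing
user during the notice window before departure. All data below is constructed.
"""

import re
from datetime import datetime, timedelta

# Constructed sshd syslog lines (syslog timestamps carry no year, so the year
# is supplied at parse time).
SAMPLE_LOG = """\
Mar  1 02:30:12 fs01 sshd[2088]: Accepted password for asmith from 10.1.2.9 port 50001 ssh2
Mar  1 17:55:09 fs01 sshd[2100]: Accepted password for asmith from 10.1.2.9 port 50002 ssh2
Mar  2 08:15:01 fs01 sshd[1123]: Accepted publickey for jdoe from 10.1.2.3 port 51234 ssh2
Mar  2 12:07:33 fs01 sshd[1150]: Failed password for invalid user admin from 198.51.100.5 port 44010 ssh2
Mar  2 23:41:17 fs01 sshd[1187]: Failed password for asmith from 203.0.113.7 port 40022 ssh2
Mar  3 01:02:44 fs01 sshd[2201]: Accepted password for asmith from 203.0.113.7 port 40088 ssh2
"""

# Constructed departure records: username -> moment at which access should have ended.
DEPARTURES = {"asmith": datetime(2009, 3, 2, 17, 0)}

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+sshd\[\d+\]:\s+(?P<result>Accepted|Failed)\s+\S+\s+for\s+"
    r"(?:invalid user\s+)?(?P<user>\S+)\s+from\s+(?P<ip>\S+)"
)


def parse_line(line, year):
    """Return (timestamp, host, result, user, ip), or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["result"], m["user"], m["ip"]


def detect(log_text, departures, year=2009, notice_window=timedelta(days=14),
           business_hours=(7, 19)):
    """Return a list of (severity, timestamp, host, user, reason) alerts."""
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, host, result, user, ip = parsed
        end = departures.get(user)
        if end is None:
            continue  # not a departing or departed account
        if ts >= end:
            # Rule 1: any authentication event after access should have ended.
            severity = "critical" if result == "Accepted" else "warning"
            alerts.append((severity, ts, host, user,
                           f"post-departure {result.lower()} logon from {ip}"))
        elif ts >= end - notice_window and result == "Accepted":
            # Rule 2: successful logons outside business hours in the notice window.
            if not business_hours[0] <= ts.hour < business_hours[1]:
                alerts.append(("info", ts, host, user,
                               f"off-hours logon from {ip} before departure"))
    return alerts


if __name__ == "__main__":
    for severity, ts, host, user, reason in detect(SAMPLE_LOG, DEPARTURES):
        print(f"{severity:8} {ts:%Y-%m-%d %H:%M} {host} {user}: {reason}")
```

On the constructed sample this yields one informational alert for the 02:30 logon the day before departure, a warning for the failed logon the evening of the departure, and a critical alert for the successful logon the following night. The critical case is exactly the one that account deactivation should have made impossible, so it doubles as a check that the offboarding procedure actually ran.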

8. Passwords

Policy should require that access codes, passwords, and similar measures all be reset to a temporary value that a departing employee has no way of knowing, until the accounts can be deactivated or even deleted entirely. It is for this reason, among others, that measures such as giving each administrator an individual administrative account should be in place long before an employee leaves the company, so that a single departure does not require the entire IT department to learn a new set of admin passwords. Careful records should be kept of what accounts are supposed to exist on all company IT resources, so that unauthorized accounts can be quickly identified and dealt with, and so that previously authorized but newly obsolete accounts can be shut down and passwords changed as needed without fear of overlooking something.

In many cases, it may even be desirable to change passwords on accounts to which the departing employee was not supposed to have access. After all, employees sometimes share account passwords, store them on sticky notes affixed to their monitors, or keep them tucked under keyboards or in desk drawers, despite the best efforts of the IT department to disallow such practices and enforce strong password policies.

Don't make the mistake of resetting passwords to some default or easily guessed value (such as "1234"), either. Changing passwords when an employee departs doesn't help much if the "new" passwords are either widely known defaults or subject to brute-force cracking in a matter of seconds.
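The record-keeping described in the Accounts and Passwords sections only pays off if it is actually compared against what the systems contain, including after a restore from a pre-departure backup. The following added example, which is not code from the original article, reconciles each host's account list against an authorized roster, produces the offboarding checklist for one departing user, and generates a random temporary value for the shared credentials that have to be rotated. The roster format, hostnames, usernames, the shared-credential list and the passwd listings are all hypothetical and constructed inline so the example runs offline.

```python
"""Added example (not from the original article): reconcile accounts present on
each host against an authorized roster, build the offboarding checklist for a
departing user, and generate random temporary passwords for rotation.

Roster, hosts, users, shared credentials and passwd excerpts are constructed.
"""

import secrets
import string

# Constructed roster as HR and IT should maintain it: username -> status.
ROSTER = {"jdoe": "active", "asmith": "departed", "bwong": "active"}

# Non-person accounts expected on every host; never flagged as unauthorized.
SYSTEM_ACCOUNTS = {"root", "daemon", "www-data", "backup"}

# Shared credentials (host, account) the departing user could have known.
SHARED_CREDENTIALS = [("app01", "root"), ("db01", "root"), ("db01", "postgres")]

# Constructed /etc/passwd excerpts. db01 was restored from a backup taken
# before asmith left, so asmith's account has quietly come back.
PASSWD_BY_HOST = {
    "app01": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
        "jdoe:x:1001:1001:Jane Doe:/home/jdoe:/bin/bash\n"
        "bwong:x:1003:1003:Bo Wong:/home/bwong:/bin/bash\n"
        "tmpadmin:x:1099:1099:temp admin:/home/tmpadmin:/bin/bash\n"
    ),
    "db01": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
        "asmith:x:1002:1002:Al Smith:/home/asmith:/bin/bash\n"
        "jdoe:x:1001:1001:Jane Doe:/home/jdoe:/bin/bash\n"
    ),
}

PASSWORD_SYMBOLS = "!@#%^&*-_=+"


def parse_passwd(text):
    """Login names present in a passwd-format listing."""
    return {line.split(":", 1)[0] for line in text.splitlines() if line.strip()}


def reconcile(roster, passwd_by_host, system_accounts=SYSTEM_ACCOUNTS):
    """Compare each host's accounts with the roster.

    Returns {"departed": [(host, user)], "unauthorized": [(host, user)]}:
    accounts of people marked departed (disable them; this is what a restore
    from a pre-departure backup reintroduces) and accounts known to neither
    the roster nor the system list (investigate them).
    """
    found = {"departed": [], "unauthorized": []}
    for host in sorted(passwd_by_host):
        for user in sorted(parse_passwd(passwd_by_host[host]) - system_accounts):
            if user not in roster:
                found["unauthorized"].append((host, user))
            elif roster[user] == "departed":
                found["departed"].append((host, user))
    return found


def offboarding_actions(user, passwd_by_host, shared_credentials):
    """Checklist for one departure: disable the user's own account wherever it
    exists, then rotate every shared credential the user could have known."""
    actions = [("disable", host, user) for host in sorted(passwd_by_host)
               if user in parse_passwd(passwd_by_host[host])]
    actions += [("rotate", host, account) for host, account in shared_credentials]
    return actions


def temporary_password(length=20):
    """Random temporary value from the OS CSPRNG, with every character class
    present so it also satisfies typical complexity rules. Never a fixed
    default such as "1234"."""
    alphabet = string.ascii_letters + string.digits + PASSWORD_SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in PASSWORD_SYMBOLS for c in candidate)):
            return candidate


if __name__ == "__main__":
    print(reconcile(ROSTER, PASSWD_BY_HOST))
    for action in offboarding_actions("asmith", PASSWD_BY_HOST, SHARED_CREDENTIALS):
        print(*action)
    print("example temporary value:", temporary_password())
```

Run against the constructed data, the reconciliation reports asmith's resurrected account on db01 and the unexplained tmpadmin account on app01, and the checklist for asmith is one disable plus three rotations. The same roster comparison, run after every restore, is the policy check the Accounts section asks for.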

9. Personal Electronics

Clear policy with regard to personal electronics is often important to security. If the company deals in trade secrets, such electronic gear as cameras, USB flash media devices, and personal laptops may need to be carefully controlled or even disallowed. Disallowing cameras is becoming increasingly difficult with the ubiquity of cameras integrated into cellphones, and flash storage media may be difficult to regulate with the growing ubiquity of portable MP3 players, but that does not mean you should throw your hands up in frustration and ignore the potential problems. Leaving such matters unaddressed may lead to security compromise in the wake of an employment transition, as in the case of an employee who has taken advantage of lax policies to copy sensitive documents and keep the copies stored off-site.

10. Privacy

Provide employees with clearly marked and limited private resources, such as a private directory each employee may use to store personal notes that are not specific to work project data. Doing so will ensure that personal data does not get mixed with company data, making it easier to clean out unnecessary data after an employee has departed and provide final personal data recovery access to an employee (such as to-do lists that may include personal matters). Whether such data will be backed up is, of course, up to the company, but employees should generally not rely on the company to provide backups of private data that is not directly related to the business.

Make sure that the company has a clearly articulated privacy policy. You will probably want to check data in an employee's private directory when that employee is terminated before providing access so he or she can recover personal notes -- and, to be certain there are no hard feelings, the employee should know that any data on company drives is subject to review in the event of termination as a matter of standard procedure. A lot of hard feelings, and potential for attempts to compromise security because of resentment, can be avoided by making it quite clear that there is "nothing personal" in company privacy policy.

Preparation and Incident Action

Policy for how to handle an employment transition -- whether someone is being fired, leaving in (self-)righteous fury, retiring after forty years, being laid off in tough economic times, moving on to a career development opportunity at another company, freeing up time for school or other projects outside the company, starting his or her own business, or leaving for some other reason entirely -- is important not only for business continuity, but also for security against potential intrusions. Policies that at first glance may not seem directly related to employment transition, and that need to be in effect from day one of employment for maximum positive effect, are important for the same reasons; they may mean the difference between a smooth transition and a bureaucratic, security-ineffective nightmare.

Begin your policy development and implementation now. You'll be grateful for it later.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

25 comments
Playmakebe.com

We are building big database about employment and useful tips www.employment-tips.playmakebe.com Maybe you will find useful information here.

umzain

Unfortunately, not all employers have trained IT personnel. Our "IT" person is a woman who is less than adequate to the task, and while our department manager is at least computer literate, many of our employees were not when we updated from DOS machines three years ago to XP and related software. Not only have I found myself in the position of educating folks because the IT manager is incapable, but I'm unable to do anything about administrative decisions such as using portions of our SSNs for Net login passwords. These are stored on the servers, of course, and I seriously doubt they are ever changed - I know they haven't been in the three years since the 'new' system was installed. What is Tech Republic's, or for that matter, any other company's policy on using portions of SSNs for login passwords? Madelyn

apotheon

Of course, the exact number is context-sensitive, but that strikes me as a good, general-purpose starting point for thinking about how much to gouge them for thinking about cutting costs before thinking about maintaining their systems and treating their employees well. It's not even about revenge: it's about making sure you have enough money to get by while you search for alternative income sources.

reisen55

My daughter worked for a major real estate firm and they terminated 330 people in one day inclusive of the server technician. The server crashed and with it went their inventory data which they were in the process of evaluating for the return of laptops and digital cameras. They then asked the server tech if he could kindly return for a day and fix the server. He thought long and hard. Answer: NOPE, you fired me, live with the results, hasta la vista baby. Que sera sera.

rkuhn040172

We archive everything when letting an employee go. Good or bad, we archive it as you never know when and where the next lawsuit will come from. Examples are: their Windows profile, personal drives, Citrix profiles, email, etc. Everything gets thrown on an external hard drive just in case. And really, with external hard drives as cheap as they are you can store an awful lot on there quickly, easily and cheaply.

tom

In many companies around the country people wait to see if they are next. Products like USB Lock RP provide the employer the ability to lock down the use of memory storage devices. More importantly, because ports in many cases need to remain open for everyday business duties, the added feature available that provides a report of what files have been copied is very important as well. But the question is, do company administrators understand the potential damage and the extent of information, such as e-mail contacts and so on, that are easily and quickly available?

apotheon

What other categories of employment transition security policy come to mind? Do you have any suggestions for how some of these issues should be handled?

apotheon

I don't speak for TR's IT policy (I'm just a contributing writer), but I'm pretty sure whoever is in charge of TR security policy would agree with me on this one: you shouldn't use part of your SSN in your password. There's another problem here that I noticed, though: "What is Tech Republic's, or for that matter, any other company's policy on using portions of SSNs for login passwords?" Am I reading this wrong -- or are you saying that the company assigns your passwords? If the company is assigning passwords, it's doing things wrong. Passwords should be individual, and known only to the individual. Without that kind of individuated password security, you can't effectively track security incidents, and you encourage disgruntled employees to perform malicious acts using others' passwords, and encourage laxity amongst employees with regard to security in general.

Neon Samurai

The SSN being personally identifiable information and meant for specific uses, I'd recommend avoiding it in full or in part at all costs. Such information should be limited to only where it's absolutely required. My ideal is five to eight random characters; numbers/letters all lower case. For the password you then do eight to ten characters; numbers/letters/capitals/symbols. The user email name is then based off their first initial/last name or similar so that it does not match the login name in any way. login: jlkas:K321 email: bspringstien@medicalplace.com Since the login name should only be used over encrypted connections and the login prompt, it shouldn't get leaked on the network or guessed based on the email. If you are going to use a more human readable login name just be sure it does not match the email name and add some sort of extra characters to randomize it some. Being medically related raises the bar for you a little also as you inherently deal with sensitive information be it paper files or computer stored.

Tony Hopkinson

This is just business. Personal business. :D I would have charged a sum commensurate with the value. 20% of the market value of the devices seems more than fair, to me. 30% if they wanted me to curb the name calling and laughter while doing it.

apotheon

I probably would have charged them an exorbitant -- nigh-extortionary -- amount of money to do the work. I certainly would [b]not[/b] have let them rehire me in the same job, though, since there's no guarantee they wouldn't just fire me again once I'd gotten the current problem fixed.

IronCanadian

I don't think I've ever heard of Karma coming back around that quickly. That Tech's far more polite than me if all they said was nope!

apotheon

. . . there's a follow-up article dealing with the other side of the employment equation.

jhogue

Transition to the unemployment line. Sanitized language again to avoid the ugly reality of FIRING people. Being transitioned out of a job is not made any nicer by using another way of saying "you're fired" and escorted off the premises by security. The only proper response to an order for an exit interview is "shove it". Do you really think the "transitionee" hard feelings will be alleviated by a smooth talker who could not care less about the situation?

Tony Hopkinson

Where most of this catches you by surprise and you feel you are going to disgruntle at least some of your employees, try to 'erm sneak this stuff in. Everybody 'knows' layoffs are being considered, everybody knows management are going to give as little notice as possible. Sudden out of the blue implementation of a pile of measures to ameliorate such issues will have every good experienced employee you have out of the door before you make the announcement.... Remember you need your best, most experienced and therefore by definition most expensive people to help you with defining and implementing such a policy; they know where the skeletons are. Generally we are not talking managers here. You need them on board as well.....

Sterling chip Camden

One company I used to work for had the following procedure: when your boss brought you into his office for the news, someone else would be assigned to clean out your desk and put everything into a box. The sysadmins would disable your accounts and change all shared passwords. You'd be asked for your key before you left your boss's office, and you weren't even allowed to go back to your desk -- your box was brought to the door. "Nothing personal," your boss would say.

Sterling chip Camden

"30% if they wanted me to curb the name calling and laughter while doing it." No, that's priceless.

Sterling chip Camden

I always appreciate someone who says what they think, but "shove it" is not very likely to earn a referral letter.

apotheon

"Employment transition" is easier to say than "quitting, fired, laid off, indefinite leave, sabbatical, or other instances of someone ceasing to have active employment".

Neon Samurai

I've known places that when they let someone go they have an exit interview for any paperwork cleanup, mental assessment *and* career development and help finding new employment. Those last three were a surprise to me but I watched a friend go through the process including the self help and job hunting seminars. Not everyone wants that kind of help after being tossed and not every company is going to go through that, or at least not through that for low ranking or short term positions. In my case, I was waiting for HR to schedule my exit interview but it never happened. They didn't ask for my access card even; I turned it in to my boss on my way out because I'm a good little security geek. After hearing some of the exit interview questions from others, I had a good list of issues and recommendations for the position. Sign off closing documents, hand in my ID, give my reasons for leaving, job related issues and recommendations, then close out the retirement investment paperwork. Instead, I left quietly on the appointed Friday, had no place to give recommendations beyond those who already knew them but could not implement them, and now have to chase down the investment firm that our retirement plans were done through. Bit of a pain. Now, if it's a "please train your replacement" kind of exit interview, you may have the right response.

Tony Hopkinson

I've never even considered doing something as counter-productive as using my knowledge to damage an ex, or soon to be ex, employer. If we had an unamicable split though, I would expect to be revoked and chucked out on the spot. Of course in the UK, that would give me my notice period pay as a minimum send off; we call that garden leave by the way. It doesn't matter whether I would do something bad, there's no doubt whatsoever that if I was so inclined I could do something bad. Capability, not intentions.