Video: Protect company assets during employee departures

Whether it's massive layoffs or routine separations, IT should have standard security policies that detail the steps to take when an employee leaves the company. Bill Detwiler goes over four critical areas of employment transition security.

Employment transition is an often overlooked danger to company security. Whether it's massive layoffs or routine separations, IT should have standard security policies in place that detail the steps to take when an employee leaves the company. In this IT Dojo video, I'll go over four critical areas of employment transition security, including:

  • User accounts
  • Documentation
  • Inventory
  • Personal electronics

And because dismissals and departures can be traumatic for everyone involved, I recommend you read William Jones' article "Sensitive tech support during employee departures." Here, Jones outlines several ways that IT departments can humanely serve both the employee and the company during a staff member's exit.

For those of you who prefer text to video, you can click the Transcript link that appears below the video player window or you can also read Chad Perrin's article, "10 important categories of employment transition security," on which this video is based.

About

Bill Detwiler is Managing Editor of TechRepublic and Tech Pro Research and the host of Cracking Open, CNET and TechRepublic's popular online show. Prior to joining TechRepublic in 2000, Bill was an IT manager, database administrator, and desktop supp...

26 comments
gmmoon

While the content is great, it could do without your political opinion about the financial crisis at the opening paragraph. If you want to be a political pundit, apply for a job at Politico.com, ok?

Photogenic Memory

All I do to keep hell on earth from happening is inputting several hot-key strokes that reset the programs from being launched at a specific time interval. If I'm let go unjustly, drives will be wiped, information leaked, backdoors will be installed, and backups tainted. It's a great strategy! I'M JUST KIDDING FOLKS! However, you know there's some people out there that have already done this or have this set up. Kinda scary. I couldn't imagine having to deal with this type of deep sabotage. What a headache!

bstimon

Bill, I'm sorry to say that you've forgotten one last step. 99.9% of the time the departing employee's computer (PC, laptop or any equipment that can store data) gets passed on to either an existing employee or a new/incoming employee. The computer needs to be properly sanitized prior to release. In my work with law enforcement, we've discovered that departing employees make generous use of the various places on a hard disk drive to store information and the company's IT department is not educated enough on how to guarantee that no previous data is left behind for the new employee to either discover or worse be accused of holding. Throughout your presentation, you only touch on the heartfelt topic that the true value is the data itself and not the equipment. You should impress upon your readers that there are simple and fast appliances out there that will allow them to "Purge" data and still allow the equipment to be re-used instead of destroyed. Do some research on the ANSI standard 'Secure Erase' protocol (from ANSI T-13).

Bill Detwiler

Whether it's massive layoffs or routine separations, you should have standard security policies that detail the steps to take when an employee leaves the company. In an IT Dojo video, I discuss four critical areas of employee transition security--user accounts, documentation, inventory, and personal electronics. Original post: http://blogs.techrepublic.com.com/itdojo/?p=619 Because IT must react quickly to employee departures, many organizations involve IT early in the process. On average how quickly is your IT department notified of employee departures? Take the quick poll in the above blog post and let us know.

snewton628

I was recently laid off from a global IT company (yep, that's the one) where the majority of employees did not have office desks, but did have access to websites, files, and buildings all over the world. In this situation, most employees' managers were not local to the employee. The first step, following notification that the "resource action" applied to me, was moving from my current manager to a designated "transition manager". The company also showed some creativity about making sure company IDs, corporate credit cards, and equipment were returned in a timely fashion - the final paycheck was mailed out when the IDs, PCs, and other items were received by the transition manager (the company very kindly paid the UPS Overnight charge). Of course, in some jurisdictions, withholding paychecks to encourage property return is either not legal or heavily restricted, but, in this case, it seems to have worked well. Of course, if the employer does not know what access or equipment is assigned / being used by a specific employee, this would not be effective, and might generate additional feelings of resentment. I have not, of course, checked to see if the VPN and remote access accounts have been disabled, but I assume they have. With a large enough employee count, having "transition managers" handle the exit details, rather than relying on general management, seems to make sense.

gmmoon

This comment above was intended for the article by Chad Perrin that was linked herein. After reading the article, the comments section sent the comment back to the original article! Epic Fail!

KSoniat

My boss thought he was going to be fired, so he set up a program where if he didn't sign on for two weeks various libraries and programs would be deleted, one per day for a week. His wife found out and made him delete, so by the time he bragged to me I could not prove anything. I left the company shortly thereafter and warned the powers that be that he was that type of person and to watch out!

Aaron Mason

... it was an older revision of their current equipment and it was never reimaged. It had personal pictures, documents and iTunes music... of my previous manager! I touched nothing but the music, I swear. For an organisation that maintains its own AD LDAP server and a strict 180-day policy on temp accounts with 60 day password terms, this was quite a screw up.

Bill Detwiler

You're absolutely right about the decommissioning and recommissioning of equipment. I've written about degaussing, destruction, and wiping utilities in the past. Perhaps we'll cover it in an upcoming IT Dojo video. Thanks for the suggestion!

cjshelby

Here's something I witnessed in the early 90s. I was working maintenance at a large CA hospital. I had to do some work in a wing that had been closed some months earlier to get it ready to be re-opened. In an open walk-in closet in one of the rooms, there were several cardboard file boxes. They were tossed on the floor, not sitting neatly on the shelves, and were full of file folders with papers. I removed a couple of folders and examined the contents to see why they had been left there. They were labeled with patient names (last.first) and contained counseling records of the teenage kids who were admitted in the substance abuse program that formerly occupied the wing! I called my department director up, and he and I secured the files and delivered them to the medical records director. This incident proves that, no matter how hard some of us try, a lot of information security problems boil down to people who just don't give a damn.

brian

Re: Notification - I got "notified" about my only "Direct Report" about 4 hours before the exit, and my boss was in the room with me, and was just as surprised. It was a layoff, and I had to contend with 6 concurrent exits, now by myself. To add to the headache, when I changed the Administrator password (obvious reasons), my entire backup solution stopped functioning, as the Admin password was used to configure backups. (Need admin rights to back up all data....)

My favorite exit was when the user implemented his own userID to "run as a service" to support an internal application on a production server. The moment his account was disabled, so was the service! An added bonus was that the files were "in his name." I kick myself every time I have to hand off Admin passwords to non-Admins, because I don't have proper security implemented to control/delegate privileges. Oh, for some training dollars....

Everyone in IT, do yourselves a favor:

  1) Write out an IT Exit checklist - Include *every* task which is done to ensure a person is no longer able to get access to the environment. Identify who will need to perform each task (IT) (Eng) (HR) (other). If nothing else, it will keep track of the progress, so you can get back to the task after someone interrupts you to work on something else.
  2) SHARE this Exit Checklist with HR. It's a great way for them to know your expectations, and for them to see just what you are really doing for the company, behind the scenes.
  3) Death to the "shared" accounts! These are major security holes, as *anyone* with the password can cause disasters, and you have no tracking evidence.
  4) Build "base images" for systems. It sucks to constantly reimage, and it is irksome to have to reimage a box for a temp, who lasts all of 3 days. If you are lucky enough to have volume licenses for software (I am not - the cost savings is apparently worth my time installing...? Yeah, sad.) use it to the hilt.
  5) Get a policy with HR about "personal data" and IT. I am NOT going to send a tech to your desk to recover iTunes data off of a corporate laptop. Make it known that you're here to chew bubble gum and purge non-business data, and you're all out of bubble gum. (Thank you to the writers of "They Live")
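
The failure described in the comment above, where a production service and its files were tied to a departing user's own account, can be checked for before the account is disabled. The script below is an added example and not part of the original comment thread; the account name `CORP\jdoe` and the `-DataPath` parameter are placeholders, and it inspects only the machine it runs on.

```powershell
# Added example, not from the original thread. Run elevated on the server being checked.
param(
    [Parameter(Mandatory)]
    [string]$Account,     # departing user's logon name, e.g. 'CORP\jdoe' (placeholder)
    [string]$DataPath     # optional folder to scan for files owned by the account
)

# Match on the bare user name so 'CORP\jdoe', '.\jdoe' and 'jdoe@corp.example' all hit.
$name    = (($Account -split '\\')[-1] -split '@')[0]
$pattern = '(^|\\)' + [regex]::Escape($name) + '(@|$)'

$findings = @(
    # Services that log on as the departing user: these stop when the account is disabled.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{ Type = 'Service'; Name = $_.Name; Detail = $_.StartName }
        }

    # Scheduled tasks (backup jobs are often configured here) that run as the user.
    Get-ScheduledTask |
        Where-Object { $_.Principal.UserId -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Type   = 'ScheduledTask'
                Name   = $_.TaskPath + $_.TaskName
                Detail = $_.Principal.UserId
            }
        }

    # Files "in his name": anything under $DataPath whose owner is the account.
    if ($DataPath) {
        Get-ChildItem -LiteralPath $DataPath -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { (Get-Acl -LiteralPath $_.FullName).Owner -match $pattern } |
            ForEach-Object {
                [pscustomobject]@{ Type = 'OwnedFile'; Name = $_.FullName; Detail = 'owner' }
            }
    }
)

if ($findings.Count -eq 0) {
    "Nothing on $env:COMPUTERNAME runs as or is owned by $Account."
} else {
    $findings | Sort-Object Type, Name | Format-Table -AutoSize
}
```

Anything it lists should be moved to a dedicated service account before the user's account is disabled, and the run recorded on the exit checklist.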

davidt

This is the only company I have worked at that the LAST person to be notified is me...everywhere else, we knew ahead of time when to lock the account and do a full backup. We've even lost company information (it was deleted, not stolen), and it still happens. Go figure.

cjshelby

IMHO, security and privacy go hand-in-hand. Individuals in all walks of life either understand and respect this concept or don't give a damn. My supervisor once requested a replacement PC for one that died. The new one had all of the old files from the previous user (a manager of another department, still employed there, female). There were all of her old e-mails, meeting minutes, documents, etc. Even stuff of a personal nature concerning her recent divorce. The reason I know this is that my boss (whom I affectionately referred to as the "Anti-Christ"), immediately started blabbing about it to anyone and everyone without regard to the privacy of this woman. Everyone in this story "dropped the ball". My supervisor, IT, and the former user of the PC. When I work on systems I make it a point to NEVER open files. The only thing I can't prevent is thumbnails of images popping up. It seems that respect for privacy, even one's own, is a dying concept.

Craig_B

At my previous job they did a decent job of notification of employees however we rarely received notification about contractors.

merakli

Bill, either you forgot the option NEVER in the poll or somehow you didn't think it's possible. But from my experience I know, these instances are not rare.

fjdumagat

Ex-Employee credentials should be disallowed after a minimum of 1 day after leaving. Oftentimes large corporations use one user account that will allow access to different sites and portals, as well as confidential company assets and even remote logins to computers, which might be taken advantage of.

cfc2000

I used to work for a particular organisation. I left in 2003. Recently I went back to do some short term contract work in the same department. They said they would set me up with the usual temporary account, but there was no need. My old account was still active. When I opened it I had over 5000 emails about fire drills, sponsored charity walks and so on. My remote server account was still active also. So much for security.

Bill Detwiler

Were you on the article page for Chad Perrin's article when you added the comment? If you clicked the Submit Post button from that page, your comment should have been applied to the article's discussion thread. Have you seen this behavior before?

BHunsinger

If it is company property, there is no privacy. That is like talking on your cell phone in public and glaring at eavesdroppers. That being said, the former user had every right to believe that once her data was transferred, her account would be removed. In this case IT dropped the ball - didn't look at the files to see that there was a problem. Your boss: insensitive jerk.

Bill Detwiler

Many organizations give temporary or contract employees accounts that automatically expire after a certain period of time--3 months for example. At which point, the employee's supervisor must request that the account be extended. This policy can be a pain, I've had direct reports who have come in one day only to find they have no access. But, it's a good security policy.

Bill Detwiler

I assumed never would fall into the last category, but I see your point. It's definitely a sad state of affairs when IT isn't told about employee departures, and a serious security threat.

Deadly Ernest

In 2000 and 2001 I worked for a major US multinational IT company, in the Australian main office, on some short term contracts. I worked in the very high security gateway, mostly doing troubleshooting and server building / testing. I was the level 3 help desk contact for the gateway and also on the out of hours emergency call in list for the gateway. The company sold itself as being a high security mob in IT - most customers at the time being government agencies. Out of hours emergency calls for the gateway were very rare as it had a high redundancy built in - it could still operate with two major failures. I left in mid 2001 - between then and late 2005 when I changed my mobile phone number, I would receive about one call in the deepest hours of the night every six to seven months about needing to come in and urgently fix something wrong with the gateway. Seems I was still on the recently renewed emergency call out list. When the last contract I had with them in 2001 expired, I even had to close out my own administrator account and walk myself around the building to sign out as the boss was too busy having a long lunch. I heard later he got into trouble over that.

timsalabim

The new president hired 2 consultants to come in and downsize. They interviewed department heads and employees for about 2 weeks. Then for the next 3 months people were being let go randomly (some were even VPs!). The only way IT was notified was if we bumped into someone in the hallway and they said, "Did you see who got walked to the door?!?" Never felt more helpless with trying to play catchup...

WiseITOne

I manage three offices and when they let go of 6 employees three months ago the only notification I got was the President of the company asking if I knew how to change the door code. He didn't even tell me until I had the employees coming in to give me their equipment! LOL. I then emailed him and said, hey who is being let go I need to disable their accounts. He let them stay logged into our network for an hour to transfer "personal" information. Never in my 10 years have I seen such poor exit procedures. Sometimes I get to the point where I don't even care...especially after the crappy raise. : ) Contractors should be 90 days with manager approval for renewal. The CORRECT policy for exit/departure should be IT/HR notified 2 days prior. IT disable accounts BEFORE employees enter the building on the last day. IT collect equipment (which should be inventoried, lol.) HR exit interview, employee escorted out of the building. Sadly, it doesn't happen that way in some places.