This article provides simple, real-world tips for tracking user demotions, promotions, and lateral moves, and for keeping user and group account assignments and permissions accurate as those changes occur.
Office parties often accompany a promotion or lateral job transfer. Celebrations may even be held in the case of a demotion as a group bids farewell to a co-worker. Demotions aside, most people are quite happy when employees move within the organization.
One thing that is often overlooked in the frenzy of an internal job change, however, is network security. Frequently the rights and permissions required for the previous job are left assigned after the employee starts their new job. A lax security practice such as this can lead to troublesome issues, policy breaches, or violations of state or federal laws.
For example, if an employee in a healthcare facility moves from a clinical role to a non-clinical role, they should no longer be permitted to view patient-related information. If the employee does access patient-related information that is not required as part of their new job, they are in violation of the Health Insurance Portability and Accountability Act (HIPAA), which can lead to stiff penalties and fines for the employee and the organization.
To ensure that all employees who work for the organization have the requisite permissions assigned to their user accounts, the organization should keep a documented list of the permissions required for each job title. Although such documentation may take time to develop, it will prove to be a worthwhile investment for the organization. Using these lists will allow the network security staff to quickly determine and assign the appropriate group memberships and permissions for each employee. When employees change jobs within the organization, the security staff will be able to easily and accurately change the employee's permissions.
One way to ensure that the network security staff is aware of an employee job change is to require Human Resources to notify the IT department when an employee's job status changes. When the network security staff receives a job change notification, they can send the appropriate forms to the employee's new manager to ensure that the employee will have the appropriate rights and permissions on their start date.
In addition to the previous suggestions, the following tips provide a guide for keeping rights and permissions up to date and increasing network security. While these simple steps may not eliminate all of the potential issues, they will help ensure that all employees have the appropriate rights and permissions to perform their jobs.
- Remove network access for employees who no longer work for the organization.
- Remove login accounts to systems that the employee should no longer access.
- Change passwords on systems that have generic or group login accounts.
- Remove outdated group assignments, permissions, and rights when employees change jobs within the organization.
- Uninstall all applications that are no longer needed by the employee to save licensing costs.
- Limit the rights to change user permissions to prevent others from modifying permission assignments.
- Perform periodic security reviews in small and medium-sized organizations.
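
The documented per-title permission list and the HR job-change notification described above can drive the cleanup directly. The following is an added example, not part of the original article: it assumes permissions are granted through group membership, and the job titles, group names, and shared login are constructed for illustration.

```python
# Constructed sample data: job titles, group names and the shared login are
# hypothetical and stand in for the organization's documented per-title list.
ROLE_BASELINE = {
    "Staff Nurse": {"all-staff", "ehr-clinical-read", "ehr-clinical-write", "ward-printers"},
    "Billing Analyst": {"all-staff", "billing-app", "finance-share-read"},
}
# Generic (shared) logins known to members of a group; the password must be
# changed when someone who knew it loses that group.
SHARED_LOGINS = {"ehr-clinical-write": "ward3-kiosk"}


def reconcile(current_groups, old_title, new_title, baseline=ROLE_BASELINE):
    """Plan the group changes for one HR job-change notice."""
    for title in (old_title, new_title):
        if title not in baseline:
            # Fail closed: an undocumented title must not be handled by guesswork.
            raise KeyError(f"no documented permission list for job title: {title}")
    current = set(current_groups)
    old, new = baseline[old_title], baseline[new_title]
    remove = (current & old) - new   # granted by the old job, not needed by the new one
    add = new - current              # needed by the new job, not yet held
    review = current - old - new     # explained by neither title: manager must confirm
    rotate = {SHARED_LOGINS[g] for g in remove if g in SHARED_LOGINS}
    return {
        "remove": sorted(remove),
        "add": sorted(add),
        "review": sorted(review),
        "rotate_shared_passwords": sorted(rotate),
    }


if __name__ == "__main__":
    # Constructed notice: a nurse moves to billing (clinical to non-clinical).
    held = ["all-staff", "ehr-clinical-read", "ehr-clinical-write",
            "ward-printers", "vpn-oncall"]
    plan = reconcile(held, "Staff Nurse", "Billing Analyst")
    for action, items in plan.items():
        print(f"{action}: {', '.join(items) or '-'}")
```

Groups in the `review` bucket are the ones a periodic security review would otherwise have to find later: access the employee holds that no documented job title accounts for.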
This article is from TechProGuild, TechRepublic's premium online brand for network administrators and support professionals.