Don't let employee separations jeopardize network security. Follow the steps outline in this article and keep your organization secure.
This download is also available as a TechRepublic download, "Take security precautions when an employee leaves the organization".
Employee separations create critical situations for IT departments. IT professionals often concentrate on external threats, but insiders always pose the most serious threat to computer security. Getting fired can sour even a model employee's opinion about the company.
An employee's separation period is more critical than his or her initial hiring. New employees require time to gain a thorough knowledge of your business: what information is valuable; what isn't; and what could cause the most harm. When employees leave, they know your competitors, your phone directory (useful for social engineering), your client list (useful for poaching), how often you perform backups, how seriously you take physical security, how often passwords are changed, and the like.
Although the immediacy of your actions will depend somewhat on whether the separation is friendly or hostile, your separation process should be largely the same. After all, you never really know how an employee feels about the departure or if he or she will change their mind later. A friendly separation may become hostile. A cunning employee may be hiding how hostile they feel at the time of separation. A departing/previous employee may inadvertently discard sensitive company documents.
Keep your organization safe during employee separations with the following IT security precautions.
General separation procedures
- Change all network and workstation passwords which the individual could possibly have access to - then change all the rest too.
- Deactivate all company e-mail accounts.
- Deactivate any remote access accounts and collect any remote access security devices.
- Retrieve company laptops or PDAs (Never permit employees to use a personal PDA or laptop for work purposes - they WILL store passwords and other information on it and later you won't have any control over it.)
- Retrieve all backup disks, USB keys, and CD-ROMs.
- Conduct a detailed debriefing session with special emphasis on any encrypted files or work in progress in electronic form which other individuals may not know about. It's easy to look through file cabinets but electronic work product can be highly elusive.
- Take whatever action is appropriate for digital cameras. This may include inspecting cameras brought onto company property or simply not permitting cameras. You can store a lot of data in a camera's storage media.
- Reprogram voicemail and change passwords.
- Obtain all company-related keys, pass cards, and ID cards but remember that keys can be duplicated and many employees will honestly (or dishonestly) say that they have lost some items.
- Inform security and change any biometric or physical badge access codes to exclude the individual.
- Secure all work products, both hard copy and electronic.
- Make certain you have retrieved all documentation or other printed material, especially including company phone books.
- Retrieve any gate pass or parking tags.
- Change PINs to any gas or other credit cards.
Hostile or potentially hostile terminations
When an employee is fired for cause, such as stealing, or when a terminated employee possesses critical corporate information, the IT department should act more swiftly than during normal separations. If at all possible, ask management to warn you in advance of hostile terminations so you can be ready when the time comes.