At my former company, we tried to enforce what I thought was a simple security standard: disabling computer access on or before the final day of employment for employees who leave the company. As in the majority of organizations, our HR people conducted exit interviews, collected keys, and notified payroll about final check payments.
There was one problem with our simple employee separation approach: Not all departments notified the IT unit that an employee was leaving. It’s not because HR didn’t want to or dismissed the need; it was just that it was not stipulated as an item to check off on the employee termination checklist.
Our company had over 50 divisions, 400 plants, and around 120,000 employees. Putting a security approach in place to avert potential issues with ex-employees' access wasn’t easy and it wasn’t quick.
The first step was to implement audit procedures to check for active accounts assigned to employees no longer with the company. It was shocking how many locations had active accounts for people who didn’t work for the company anymore.
Why it’s necessary
Leaving active accounts is a huge security risk. Intrusion detection won't alarm because there's no intrusion: the access comes through a valid, authorized account with a correct password, so there are no failed logon attempts, no exploit signatures, and nothing for a signature-based intrusion-detection system to match on. The only way to notice a former employee logging in is to know that the person has left and that the account should already be disabled.
While many companies are careful to turn off accounts when employees with high-level system privileges leave, they sometimes forget about employees with high-level application access. The fact is, you just don’t want former employees having access to any company information.
A possible scenario
Let’s say one company's computer processing is performed in Indianapolis, and there are plants in Dallas and Juarez, Mexico. People in the plants have accounts on the primary computer in Indianapolis so they can enter information into the manufacturing and shipping systems. Some local HR personnel also have computer accounts so they can perform benefits and payroll administration.
Here's what could happen: Fred, an assistant manager, resigns. He gives his two weeks' notice and spends a good portion of the lame-duck period saying goodbye and filling in his superior and subordinates on where he stands on various projects. Everyone is surprised by Fred's announcement, so a replacement is nowhere near being hired. The boss asks IT to keep Fred's directories in case he needs any of the files. IT says, "No problem."
The final Friday arrives. Late in the day, Fred stops by the personnel office and turns in his door key and credit card. The HR manager says thanks and good luck, and then returns to his business.
Since Fred still needs a paycheck for this last week, his payroll record doesn’t need to be updated until the next Wednesday. Fred is gone, but no one in Indianapolis has any idea that someone with access to the manufacturing schedule, purchasing, and general ledger has just left the company.
If Fred is not quite the swell guy that everyone thought, he can go home, access the company’s information via dial-up, and wreak havoc. He could mess up the schedule, delete critical information, or maybe send his brother-in-law an accounts payable check.
Usually, Fred turns out to be a decent fellow, but why take the chance? It takes only one dishonest or disgruntled employee to exploit computer access.
The need for specific policies
The only answer to this is to develop procedures. If separation procedures are lacking, a lot of other things are probably falling through the cracks in addition to computer access. Tasks like collecting keys, company credit cards, and other company property may be haphazard.
TechRepublic provides a solid employee termination checklist that you can download and customize to make sure that all IT issues—access to the network, e-mail, BlackBerrys, and cell phones—are accounted for.
Keep in mind that a formal resignation or layoff isn’t the only situation to keep track of. What about the employee who suddenly stops showing up for work? This actually happened to our organization. An employee called in sick and never showed up at the office again.
You need a set procedure for handling this occurrence. Many organizations have a stipulation in their employment policies stating that if an employee fails to notify a superior within 24 hours that he or she won't be reporting to work, it means immediate dismissal. The next step should be the requirement that the manager or supervisor notify IT about cutting off network and e-mail access.
Even when an employee calls in sick, if there's some suspicion about the situation, I recommend disabling the account. If the employee comes back, you can reinstate the access.
Take these approaches
Addressing the potential security issues is not very difficult, but it does take time and effort to build procedures and discipline.
In the case of remote locations, one of the divisions I worked with set up a special e-mail account just for remote locations to send separation information to the IT security administrators. They monitored the account daily and took necessary actions to disable accounts. The exit checklists at the remote locations included sending the e-mail. This made it easy and timely for everyone.
In summary, here is what you need to put in place so that separated employees are removed from computer systems on a timely basis:
- Ensure the exit checklist includes same-day notification to IT about the departure.
- Ensure that IT has the personnel to act on the notification.
- Disable accounts immediately; disabling (rather than deleting) preserves the files and mailbox. If files need to be checked or moved to other employees, get it done from the disabled account within two to three weeks of the departure.
- Periodically (monthly) use system tools to check for any computer accounts that have not been used for 60 to 90 days. This is often a clue that someone has slipped through the cracks and accounts need to be disabled.
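The two audits above (the first-step reconciliation of active accounts against the HR roster, and the monthly check for accounts idle for 60 to 90 days) can be scripted against exports from the account system and from HR. The following is an added example, not from the original article or from any tool it mentions; the CSV layouts, the sample rows, and the status values are constructed assumptions, and you would substitute your own exports (an LDAP or mainframe account listing and an HR roster).

```python
"""Reconcile an account export against the HR roster and flag stale accounts.

Added example, not from the original article. It assumes two hypothetical CSV
exports: the account listing (username, owning employee ID, enabled flag, last
logon date) and the HR roster (employee ID, status, separation date).
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample data for illustration only.
ACCOUNTS_CSV = """username,employee_id,enabled,last_logon
fred.k,E1001,true,2005-06-10
maria.p,E1002,true,2005-06-13
juan.r,E1003,true,2005-02-01
svc_print,,true,
ann.l,E1004,false,2004-12-20
bob.t,E1005,true,2005-06-12
"""

ROSTER_CSV = """employee_id,status,separation_date
E1001,terminated,2005-06-10
E1002,active,
E1003,active,
E1004,terminated,2004-12-31
"""


def parse_date(text):
    """Return a date for 'YYYY-MM-DD', or None for an empty field (never logged on)."""
    return datetime.strptime(text, "%Y-%m-%d").date() if text else None


def load_accounts(csv_text):
    """Parse the (assumed) account export into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "username": row["username"],
            "employee_id": row["employee_id"] or None,
            "enabled": row["enabled"].strip().lower() == "true",
            "last_logon": parse_date(row["last_logon"].strip()),
        })
    return rows


def load_roster(csv_text):
    """Index the (assumed) HR roster by employee ID."""
    return {row["employee_id"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def find_separated_with_access(accounts, roster):
    """Enabled accounts whose owner has left or is unknown to HR.

    Accounts with no owning employee (service accounts, or records that were
    never linked) are flagged too: an account nobody owns is an account nobody
    will think to disable.
    """
    flagged = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; nothing to do
        owner = roster.get(acct["employee_id"]) if acct["employee_id"] else None
        if owner is None:
            flagged.append((acct["username"], "no matching HR record"))
        elif owner["status"] != "active":
            reason = f"owner {owner['status']} on {owner['separation_date']}"
            flagged.append((acct["username"], reason))
    return flagged


def find_stale_accounts(accounts, as_of, max_idle_days=90):
    """Enabled accounts with no logon in max_idle_days, or none ever (the monthly check)."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(
        a["username"] for a in accounts
        if a["enabled"] and (a["last_logon"] is None or a["last_logon"] < cutoff)
    )


def audit(accounts_csv, roster_csv, as_of_text, max_idle_days=90):
    """Run both checks and return the findings as one report dict."""
    accounts = load_accounts(accounts_csv)
    roster = load_roster(roster_csv)
    as_of = parse_date(as_of_text)
    return {
        "separated": find_separated_with_access(accounts, roster),
        "stale": find_stale_accounts(accounts, as_of, max_idle_days),
    }


if __name__ == "__main__":
    report = audit(ACCOUNTS_CSV, ROSTER_CSV, "2005-06-15")
    for username, reason in report["separated"]:
        print(f"DISABLE {username}: {reason}")
    for username in report["stale"]:
        print(f"REVIEW  {username}: no logon in 90 days")
```

The separated-owner check is the one to run first and then on every HR notification; the idle-account check is the monthly safety net that catches departures nobody reported. Anything flagged by either check should be disabled, not deleted, so that a false positive (a long sick leave, a seasonal worker) can be reinstated.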