Employment transition is an often overlooked danger to company security. Make sure you pay proper attention to protecting your business from security compromises when someone leaves your company.
As this is being written in early 2009, the United States and much of the rest of the industrialized world is subject to a growing economic disaster. Despite the blandishments of politicians and perpetual Pollyannas, most of us are not persuaded that a couple of pork-laden "stimulus packages" and increased meddling in business markets by legislators who helped create the problem in the first place will result in a swift recovery. As we face an uncertain economic future, many businesses are preemptively cutting back on corporate expenses, while others are responding to very real downturns in profits with attempts to stave off further damage.
Such reorganizations of business structure typically include rounds of employee layoffs to cut costs, sometimes even eliminating whole divisions. As much of a disruption as this is to your business model, it can also have unforeseen consequences for security if you aren't careful about how you handle employee departures.
The day a decision is made to transition employees out of a company is the wrong time to develop and apply security policies related to their departure. Being unprepared could result in security breaches, as well as resentment on the part of both former and current employees. Disgruntled employees create the very internal security problems against which you should protect your organization.
With that in mind, I've listed below 10 categories of security policy related to employment transitions. Some categories may overlap in certain areas, but each has its own, irreplaceable importance to overall policy effectiveness.
1. Access Controls
Biometric data, keycards, keys, parking or gate passes, and other physical access controls should be tracked and managed carefully. Many security precautions such as firewalls, deactivated remote access accounts, and strong password policy can be circumvented at times simply by walking up to a physical computer and doing things the "hard" way. Such items should be managed as carefully as possible without such management becoming intrusive into the work of employees, so that they are more easily recovered, deactivated, and/or replaced if and when the time comes. In extreme cases, locks may need to be changed and new keys reissued, but in many cases a well-managed system should allow most access control measures for a given employee to be simply deactivated with a few key presses or mouse clicks.
Employee accounts must be carefully documented and centrally manageable as much as possible to ensure they can be secured once an employee transitions out of the company. When central management is not easily achieved, documentation becomes even more critical. Accounts that require special care include (but are not limited to) company credit cards, network logons, remote access accounts, server administration accounts, voicemail accounts, and workstation user accounts.
When an employee leaves the company, such accounts for the employee should all be deactivated as quickly as possible.
Don't forget that restoring from backups made before the employee's departure may restore that employee's remote access, user, and administrative accounts. Be sure you have policy in place to resolve such potential security issues in the event of disaster recovery operations.
Whenever possible, conduct detailed exit interviews with employees. Among the things you should want to know about are the employee's complaints about the company so you may improve things in the future, current work status, and encrypted file access. Don't let your ego stand in the way of improving conditions after a disgruntled employee leaves, or of gaining important insights into what kind of mess you may have to deal with when it comes to a departing employee's current work in progress. Such information may be quite important to ensuring future security or recovering important work from secured files.
Company policy should, ideally and in most cases, require detailed ongoing documentation of employees' work on projects from day one of employment. This not only ensures easier transition of projects to other (perhaps new) employees and recovery of important data, but also provides something of an automatic audit trail for something the employee may later decide to maliciously alter if he or she becomes dissatisfied with his or her work conditions. Such documentation should be logged to a central, version control tracked, regularly backed up resource. It may seem unintuitive at first, but Web-based collaboration tools such as MediaWiki can actually serve these needs on some organizations' intranets.
Business documentation should be secured in other ways, as well — such as by granular, need-dependent access authorization, so that outgoing employees may not easily engage in last-minute corporate espionage. If your documentation contains trade secrets, no employee should have automatic access to all documentation. Access should be limited to the documentation an employee needs, and properly secured against unauthorized access.
Detailed, regularly (preferably in real-time) updated inventories of office and employee assigned resources should be maintained for many reasons. One of the most important is so that you know what still needs to be recovered from an employee's possession when he or she leaves the company. Maintaining careful inventories up front will help produce clear checklists down the line when they are needed, so start implementing your inventory policy sooner rather than later.
Various levels of physical, file, and account access lockdown should be set up to be quickly and easily enacted in the event that an employee leaves the company or is under suspicion of malicious activity. While this is in some respects just a reiteration of a key point of other categories of employment transition security policy, it deserves its own discrete mention because a clear, comprehensive, and well-managed policy for lockdown procedures should always be carefully planned and implemented to ensure there are no oversights when the time comes to act on that policy.
Good logging procedures are key to tracking security compromise incidents and shaping incident response. This applies to employment transitions as much as it does to protecting your network against less personal threats from the Internet. Good logging procedures implemented today can ensure that, when you have to lay off an employee tomorrow or lose one to a competitor, you will be able to track any suspect activity prior to the employee's departure as well as intrusions by a former employee after the fact.
Passive logging servers — servers that "listen in" on network traffic and log data intended for the server without specifically identifying that particular server as the logged data's destination — can be key to such precautions. Even in the absence of such resources, however, active and direct logging to systems outside the authorized access responsibilities of a given employee can help ensure a clean, secure record of any illicit activity.
Policy should require that access codes, passwords, and similar measures will all be reset to a temporary value that a departing employee would have no way of knowing until the accounts can be deactivated or even deleted entirely. It is for this reason, among others, that such measures should be taken long before an employee leaves the company as using personalized administrative accounts — so that a single employee leaving will not require that the entire IT department has to learn a new set of admin passwords. Careful records should be kept of what accounts are supposed to exist on all company IT resources so that unauthorized accounts can be quickly identified and dealt with, and so that previously authorized but newly obsolete accounts can be shut down and passwords changed as needed without fear of overlooking something.
In many cases, it may even be desirable to change passwords on accounts to which the departing employee was not supposed to have access. After all, employees sometimes share account passwords, store them on sticky notes affixed to their monitors, or keep them tucked under keyboards or in desk drawers, despite the best efforts of the IT department to disallow such practices and enforce strong password policies.
Don't make the mistake of resetting passwords to some default or easily-guess value (such as "1234"), either. Changing passwords when an employee departs doesn't help much if the "new" passwords are either widely-known defaults or subject to brute-force cracking in a matter of seconds.
9. Personal Electronics
Clear security policy with regard to personal electronics is often important to security. If the company deals in trade secrets, such electronic gear as cameras, USB flash media devices, and personal laptops may need to be carefully controlled or even disallowed. Disallowing cameras is becoming increasingly difficult with the ubiquity of cameras integrated into cellphones, and flash storage media may be difficult to regulate with the growing ubiquity of portable MP3 players, but that does not necessarily mean you should throw your hands up in frustration and ignore the potential problems. Leaving such matters unaddressed may lead to security compromise in the wake of an employment transition, such as in the case of an employee that has taken advantage of lax policies to copy sensitive documents and keep the copies stored off-site.
Provide employees with clearly marked and limited private resources, such as a private directory each employee may use to store personal notes that are not specific to work project data. Doing so will ensure that personal data does not get mixed with company data, making it easier to clean out unnecessary data after an employee has departed and provide final personal data recovery access to an employee (such as to-do lists that may include personal matters). Whether such data will be backed up is, of course, up to the company, but employees should generally not rely on the company to provide backups of private data that is not directly related to the business.
Preparation and Incident Action
Policy for how to handle an incidence of employment transition — whether someone is being fired, leaving in (self-)righteous fury, retiring after forty years, being laid off in tough economic times, moving on to a career development opportunity at another company, freeing up time for school or other projects outside the company, starting his or her own business, or leaving for some other reason entirely — is important not only for business continuity, but also security against potential intrusions. Policies that at first glance may not be directly related to employment transition, that need to be enacted from day one of employment for maximum positive effect, are also important for the same reasons, however; they may mean the difference between smooth transition and a bureaucratic, security-ineffective nightmare.
Begin your policy development and implementation now. You'll be grateful for it later.