Appendix I
Employee Termination
The process of employee termination presents a significant risk to companies, primarily because of the damage that a disgruntled employee can potentially do. Stories regularly appear in the media of former employees wreaking havoc on a company by gaining access to the company’s network or facilities after they have been terminated. Termination is really part of overall user ID administration, but it has been addressed separately because of the risks associated with not handling termination properly. Some of the main risks associated with weak termination practices include:
• Unauthorized individuals gaining access to the company facilities and information technology (IT) resources
• Existing employees using access that has not been terminated to perform malicious activity
• Disgruntled IT employees gaining access to the company network and causing some type of network outage
The main reason why terminated employees pose such a risk is that many companies do not have a sound process for ensuring that terminated employees’ access to systems and physical facilities is removed and all of their outstanding assets are returned. There is often a lack of communication between key departments such as IT, human resources (HR), and business unit personnel when it comes to terminations, and as a result they are not performed properly. In addition, many companies do not have a person or department that “owns” the termination process — i.e., someone who is responsible for ensuring that terminations are handled properly. A strong termination method requires a structured process that is clear and easy to follow, together with good communication between the various departments. The key groups that must be involved and their high-level responsibilities include:
• Department management — first ones to know about the termination
• Human resources — in charge of terminating benefits and fulfilling other employment-related requirements
• Payroll — in charge of making the final payment settlement and taking the terminated employee off the payroll
• Facilities — in charge of ensuring that physical access is revoked
• Information technology — in charge of revoking all access to company systems
AU1706_book.fm Page 343 Wednesday, July 28, 2004 11:06 AM
A Practical Guide to Security Assessments
QUESTIONS
1. Do a formal policy and procedure for employee termination exist? Are the policy and procedure communicated and readily accessible?
Guidance: A formal policy is critical because it sets the high-level requirements for terminations by which procedures can then be developed. A formal policy also allows enforcement of good termination practices. Some key elements that should be contained in the termination policy include:
• Roles and responsibilities
• Involvement of key departments — HR, IT, etc.
• Compliance and audit requirements
The policy should be communicated to certain employees, including department managers, IT, HR, and others as appropriate. The policy should be easily accessible so employees can refer to it as needed. One way to accomplish this is to post it on the employee intranet if one is available.
Risk: Without a formal policy for terminations, the risks include:
• Difficulty in enforcing good termination processes
• Terminations not being done properly
• Lack of ownership of the termination process
Client Response:
2. Is there a documented procedure for terminations with clearly defined roles and responsibilities? Is there a form or checklist that is used to help facilitate the termination process?
Guidance: There should be a documented procedure for terminations, with clear roles and responsibilities, and a step-by-step process explaining what to do in the event of a termination. Everyone involved, including managers, human resources, and IT, should know exactly what they are responsible for in the termination process. In addition, someone should own the responsibility of ensuring that the entire process has been completed. Without this overall ownership, there is a chance that the process will not be completed. One of the reasons why terminations are not always handled properly is that everyone thinks someone else is responsible. Some key responsibilities that should be addressed in the process and have clearly defined owners include:
• Collecting any assets that the employee has — e.g., laptop computer, personal digital assistant (PDA)
• Collecting any identifications — e.g., badges to gain access
• Revoking all access — e.g., network, application, and remote access as well as physical access
• Collecting any company credit cards
• Terminating payroll
Having this process documented will help ensure that personnel perform the process consistently and will provide a means to hold them accountable. To help facilitate the termination process, a checklist that contains the specific tasks that should be performed when a termination occurs is helpful. The checklist also provides an audit trail of the termination process.
Risk: If there is no documented process, there is a risk that the termination process will not be performed consistently or properly. In addition, without clearly defined roles and responsibilities, it is difficult to hold individuals accountable.
Client Response:
3. How much turnover does the company experience? What is the turnover rate relative to the total employee population?
Guidance: This is an open-ended question to gain an understanding of how critical the termination process is. A documented and enforced termination process is very important in larger environments where there is potential for significant turnover. In such environments, where many people do not know most of the people working for the company, a formal policy and procedure are critical in ensuring that terminations are processed consistently. The policy and procedure, along with enforcement, help ensure that terminations do not fall below the “radar screen.” In smaller environments, the termination process is more manageable because everyone knows everyone and the turnover in many cases is lower than in larger environments. Although it might not be critical to have a formal policy and procedure in smaller environments, it is still a good idea considering the potential risks associated with terminations. Also, once a small environment becomes a large environment, it is more difficult to implement a new policy or procedure. Therefore, it is easier to ingrain processes such as termination handling while the company is still small.
Risk: Not applicable. The purpose of this question is to understand the significance of the termination process within the company.
Client Response:
4. Has there ever been a security incident resulting from a terminated employee who was somehow able to gain physical or system access to the company after being terminated? How was it handled?
Guidance: Past security incidents related to terminations are a good indication of how good the current process is. If a security incident occurred, you should review how the termination process was performed (or not performed), what actions were taken in reacting to the incident, and what the resulting damage was. In addition, you should also discuss what changes were made to prevent that type of security incident from happening again.
Risk: Not applicable. The purpose of this question is to determine whether any security incidents related to terminations have occurred. Some findings may result from this discussion if no steps have been taken to prevent this type of incident from happening again.
Client Response:
5. To facilitate the return of any outstanding company assets possessed by employees when they are terminated, is there an inventory of what company assets the employee has?
Guidance: Employees, particularly people who are on the road, will normally have various pieces of company-owned equipment such as laptop computers or PDAs, as well as company credit cards. To ensure that everything is returned, there should be a centralized repository (which a limited number of people have access to) where assets given to employees are inventoried. This inventory can be used in the termination process to help ensure that everything that was given to the employee has been returned. In the event that this documented inventory does not exist, there is a heavy reliance on the employee’s manager to know what assets an employee has.
Risk: If company assets given to employees are not properly recorded, a risk exists that not all assets will be returned when an employee is terminated.
Client Response:
6. If a terminated employee had a job function involving administrator access to critical components of the IT infrastructure or critical applications (assuming that a single account was shared by multiple individuals), would the password be promptly changed after termination?
Guidance: If the terminated employee had administrator-level access to key components of the IT infrastructure, such as routers, firewalls, or key servers, where a single account was used by all administrators, the termination process should address the changing of these passwords on every device or system where the shared account exists. If the individual had his or her own access, this access should be revoked. If the passwords are not changed, the terminated employee can potentially use that account to do significant damage because of the access that an administrator has and his or her knowledge of the systems. As a best practice, every administrator should have his or her own account for accountability purposes, and when an employee leaves, that account should be either terminated or disabled.
Risk: If shared administrator account passwords are not promptly changed when an employee is terminated, a risk exists that the terminated employee can gain unauthorized access and do damage to the company’s IT systems.
Client Response:
7. If a terminated employee dealt with third-party business partners — i.e., business-to-business partners, is there a process to ensure that the business partner is informed? If the terminated employee had access to any business-to-business applications, is that access promptly revoked?
Guidance: This question is very relevant for companies that are engaged in business-to-business relationships where companies have a view into a business partner’s systems for certain functions. A perfect example is where businesses have certain parts of their inventory automatically replenished by vendors who have the ability to go into the business partner’s systems via the Web and manage certain portions of their inventory. The problem scenario is if the terminated employee goes to work for a competitor. If the access is not removed, the terminated employee can still potentially access the same information while with a competitor, including information of a sensitive nature (e.g., pricing). Because the account lives in the partner’s systems rather than the company’s own directory, revoking it requires notifying the partner; the company cannot disable it itself. For companies engaging in business-to-business activities, this is a major issue as they try to ensure that access is given only to employees that require it.
Risk: If a terminated employee’s access to business-to-business applications is not immediately revoked, a risk exists of exposure of confidential data and damage to the relationship between business partners.
Client Response:
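The checks behind Questions 6 and 7 (personal accounts disabled, shared administrator passwords rotated, business-partner logins revoked) can be verified after the fact by reconciling the HR termination list against account exports from each system. The script below is an added example and is not part of the book; the systems, user names, dates and the export format are constructed for illustration, and in practice each account list would be pulled from the directory, VPN concentrator, network devices and partner portal.

```python
"""Post-termination access reconciliation.

Added example (not from the book): joins an HR termination list against
per-system account exports and reports what the termination checklist
missed. All systems, user names and dates below are constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Termination:
    user: str
    terminated_on: date


@dataclass(frozen=True)
class Account:
    system: str
    name: str
    enabled: bool
    owners: tuple            # one holder for a personal account, several for a shared one
    password_changed: date   # last password change recorded by the system
    shared: bool = False


# Constructed HR feed: who left and when.
TERMINATIONS = [
    Termination("jdoe", date(2004, 7, 1)),
    Termination("asmith", date(2004, 7, 12)),
]

# Constructed account exports from the directory, VPN, network devices and a
# business-partner (B2B) portal. "admin" on the router and firewall is a
# shared account held by several administrators.
ACCOUNTS = [
    Account("directory", "jdoe", False, ("jdoe",), date(2004, 6, 1)),
    Account("vpn", "jdoe", True, ("jdoe",), date(2004, 5, 10)),
    Account("core-router", "admin", True, ("jdoe", "bwong"), date(2004, 3, 3), shared=True),
    Account("directory", "asmith", False, ("asmith",), date(2004, 2, 2)),
    Account("partner-portal", "asmith@example.com", True, ("asmith",), date(2004, 1, 15)),
    Account("firewall", "admin", True, ("asmith", "bwong"), date(2004, 7, 13), shared=True),
    Account("directory", "bwong", True, ("bwong",), date(2004, 6, 30)),
]


def reconcile(terminations, accounts):
    """Return sorted (finding, system, account, former_holders) tuples.

    A personal account held by a terminated employee is a finding if it is
    still enabled. A shared account is a finding if its password was not
    changed on or after the most recent termination of one of its holders;
    disabling it is not an option because the remaining administrators
    still need it, so rotation is the control that is checked.
    """
    term_dates = {t.user: t.terminated_on for t in terminations}
    findings = []
    for acct in accounts:
        former = sorted(u for u in acct.owners if u in term_dates)
        if not former:
            continue                      # no terminated holder, nothing to check
        if acct.shared:
            latest = max(term_dates[u] for u in former)
            if acct.password_changed < latest:
                findings.append(("shared_password_not_rotated",
                                 acct.system, acct.name, ",".join(former)))
        elif acct.enabled:
            findings.append(("account_still_enabled",
                             acct.system, acct.name, ",".join(former)))
    return sorted(findings)


if __name__ == "__main__":
    for finding, system, name, who in reconcile(TERMINATIONS, ACCOUNTS):
        print(f"{finding:28} {system:16} {name:22} former holder(s): {who}")
```

Run against the constructed data, the report flags the VPN login that was never disabled, the partner-portal login that only the partner can remove, and the router's shared admin password that was last changed months before the holder left; the firewall password, rotated the day after the termination, passes. The date comparison treats a rotation on the termination date itself as acceptable, which matches a same-day checklist.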