344
A Practical Guide to Security Assessments
QUESTIONS
1. Do a formal policy and procedure for employee termination exist? Are the policy and procedure communicated and readily accessible?
Guidance:
A formal policy is critical because it sets the high-level requirements for terminations, from which detailed procedures can then be developed. A formal policy also gives management a basis for enforcing good termination practices. Some key elements that should be contained in the termination policy include:
• Roles and responsibilities
• Involvement of key departments — HR, IT, etc.
• Compliance and audit requirements
The policy should be communicated to the employees who have a role in terminations, including department managers, IT, HR, and others as appropriate. The policy should be easily accessible so employees can refer to it as needed. One way to accomplish this is to post it on the employee intranet if one is available.
Risk:
Without a formal policy for terminations, the risks include:
• Difficulty in enforcing good termination processes
• Terminations not being done properly or consistently, for example, a departed employee retaining network or physical access
• Lack of ownership of the termination process
Client Response:
2. Is there a documented procedure for terminations with clearly defined roles and responsibilities? Is there a form or checklist that is used to help facilitate the termination process?
Guidance:
There should be a documented procedure for terminations, with clear roles and responsibilities and a step-by-step process explaining what to do in the event of a termination. Everyone involved, including managers, human resources, and IT, should know exactly what they are responsible for in the termination process. In addition, one person or role should own the responsibility of ensuring that the entire process has been completed. Without this overall ownership, there is a chance that some steps will never be done: one of the reasons terminations are not always handled properly is that everyone assumes someone else is responsible.
Some key responsibilities that should be addressed in the process and have clearly defined owners include:
• Collecting any assets that the employee has — e.g., laptop computer, personal digital assistant (PDA)
• Collecting any identification — e.g., badges used to gain physical access
• Revoking all access — e.g., network, application, and remote access as well as physical access, and changing any shared or group passwords the employee knew
AU1706_book.fm Page 344 Wednesday, July 28, 2004 11:06 AM