A Practical Guide to Security Assessments
8. If the terminated employee had access to specific applications aside from
the standard business applications (e.g., word processing, spreadsheet),
are those application owners informed on a timely basis so that the
application access can be removed?
Guidance:
Some clients will say that not revoking application-level access is not a major risk as long as network access has been revoked, because network access is needed to reach the application. Although this argument has some merit, it holds only for as long as the application is reachable from inside the network alone, and there are ways to gain unauthorized access to the network. In the case of terminated employees who are technically savvy, we are dealing with insiders who know the network and can potentially gain access because of that knowledge. If they gain access to the network, they can reach the applications and cause damage, and depending on which application they reach, the damage can be enormous. For example, someone who can access an order entry system can place fictitious orders or, worse yet, delete orders. A terminated employee from HR could potentially gain access to sensitive personnel information. In either case the damage to the company can be significant. Revoking application access might appear unnecessary, but it is another layer of security that is valuable, and it also removes the possibility of a current employee using the former employee's still-valid application account. Ideally, application access should be specifically addressed in the termination process.
Risk:
If a terminated employee's application access is not revoked, a risk exists that the former employee may gain unauthorized access to the application, or that another employee might use the terminated employee's account to reach the application and potentially cause damage.
Client Response:
9. Are network access, application access, and facility access lists periodically reviewed and purged to help ensure that terminated users' access has been removed at both the network and application levels?
Guidance:
Periodic review of access lists for the network and key applications is another layer of security that helps ensure that terminated personnel's access has been removed. If an oversight occurred and a terminated employee's access was not revoked, this process should catch it. Department heads or application owners should review these access lists to determine whether any access should be removed and to ensure that only those who require access have it. The review should cover each level named in the question (network, application, and facility), because the termination process can miss any one of them independently of the others. The frequency of the process depends on the level of risk associated with the terminations.
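One way to automate the comparison this question asks for, as an added example that is not from the book: the script below reconciles exported network, application, and facility access lists against the HR roster and reports every account that belongs to an already-terminated employee, together with accounts that have no HR record at all. The roster, the access lists, the review date, and every user id in it are constructed for illustration; in practice they would be exports from HR and from each system's administrator.

```python
"""Access-list reconciliation against the HR termination roster.

Added example, not from the book. Every name and record below is
constructed for illustration; in practice the roster and the access
lists would be exports from HR and from each system's administrators.
"""
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: user id -> termination date (None = still employed).
HR_ROSTER = {
    "jsmith": None,
    "mjones": date(2004, 6, 30),
    "rlee": date(2004, 7, 15),
    "akhan": date(2004, 8, 10),  # termination scheduled, not yet effective
}

# Constructed access lists, one per layer the question names. Each
# administrator exports ids in their own style, hence the mixed case.
ACCESS_LISTS = {
    "network": ["jsmith", "MJONES", "rlee", "akhan", "svc_backup"],
    "order_entry": ["jsmith", "rlee"],
    "hr_system": ["mjones", "jsmith"],
    "badge_system": ["JSMITH", "RLEE", "akhan"],
}

# Date the review is run (constructed).
AS_OF = date(2004, 7, 28)


@dataclass
class Finding:
    layer: str      # which access list the account came from
    account: str    # the id exactly as it appears in that list
    reason: str


def normalise(account: str) -> str:
    """Canonical form for comparing ids across systems."""
    return account.strip().lower()


def reconcile(roster, access_lists, as_of):
    """Return one Finding per account that should not be on a list.

    Two conditions are flagged: the user was terminated on or before
    as_of but still has an account, or the account has no HR record at
    all (an orphan, shared, or service account that needs an owner).
    Employees with a future termination date are left alone.
    """
    findings = []
    for layer, accounts in access_lists.items():
        for raw in accounts:
            user = normalise(raw)
            if user not in roster:
                findings.append(Finding(layer, raw, "no HR record"))
                continue
            terminated = roster[user]
            if terminated is not None and terminated <= as_of:
                days = (as_of - terminated).days
                findings.append(Finding(
                    layer, raw,
                    f"terminated {terminated.isoformat()}, "
                    f"still active {days} days later"))
    return findings


def stale_layers(findings):
    """Map each terminated user to the sorted layers still granting access."""
    by_user = {}
    for f in findings:
        if f.reason.startswith("terminated"):
            by_user.setdefault(normalise(f.account), []).append(f.layer)
    return {user: sorted(layers) for user, layers in by_user.items()}


if __name__ == "__main__":
    results = reconcile(HR_ROSTER, ACCESS_LISTS, AS_OF)
    for f in results:
        print(f"{f.layer:13} {f.account:12} {f.reason}")
    for user, layers in stale_layers(results).items():
        print(f"{user}: remove from {', '.join(layers)}")
```

The output is a worklist, not a verdict: the department head or application owner still decides whether each remaining account is needed. The script only surfaces the accounts the termination process should already have removed and the accounts nobody in HR can vouch for, which is exactly the oversight the periodic review exists to catch.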
AU1706_book.fm Page 348 Wednesday, July 28, 2004 11:06 AM
Appendix I
Risk:
If access lists are not periodically reviewed and purged, a terminated employee whose access was missed during the termination process retains access to the company network, applications, or facilities until the oversight is discovered by some other means.
Client Response:
10. Are there any special procedures for terminating disgruntled employees
(particularly IT employees) who might pose a threat once terminated —
e.g., expediting the communication process of informing the different
departments involved?
Guidance:
Disgruntled employees pose a significant threat because they have knowledge of the company and its systems and processes, as well as the motivation to cause damage. Unlike hackers, who probably know very little about a company (from an internal perspective) when they attack it, a disgruntled employee has intimate knowledge of the company and how things work, which can be used to cause significant damage. IT employees in particular can sabotage systems or leave back doors that can be used later to access the systems. Other disgruntled employees can potentially destroy information or steal proprietary information. At the discretion of the appropriate manager, disgruntled employees should be handled carefully, and the IT department should be involved early in the process. Ideally, system access should be removed before employees even know that they are terminated. Extra care should be given to ensure that all access the terminated employee had is revoked (both system access and physical access). Because an IT employee may have left back doors, revocation of the employee's own accounts is not enough on its own: shared and administrative passwords the employee knew should be changed, and the systems the employee administered should be reviewed for accounts or remote access paths that do not belong. These special procedures require close cooperation between the different departments.
Risk:
If a disgruntled employee still has system or physical access to the
company after termination, the former employee can use that access to
cause significant damage to the company.
Client Response:
11. Are all physical access codes to buildings previously known to the
employee changed when an employee is terminated?
Guidance:
Some companies have facilities where physical access is gained by entering a code on a keypad, and the same keypads may also control access to sensitive areas such as the data center. Because everyone uses the same code on these devices, the code cannot be revoked for one person; it must be changed when an employee is terminated to prevent the former employee from using the known code to enter the facilities. A mitigating control and best practice is to change access codes periodically regardless of whether terminations have occurred.
Risk:
If access codes of facilities are not changed after an employee is terminated, a risk exists that the former employee will gain unauthorized physical access to the facilities.
Client Response:
NOTE
1. For this questionnaire, the term “employees” refers to both employees and contractors.