Defining an Employee Termination Policy
Does your company have a well-defined set of procedures that are followed for all employees who resign or who have been terminated?
If not, I highly recommend that you write a standard employee termination policy and make sure that your human resources and information technology groups implement it whenever an employee is terminated or leaves your company. This is particularly important if the employee has access to sensitive financial information, customer information, confidential intellectual property or information technology systems, but should be uniformly implemented regardless of the employee’s role.
During the termination process, IT’s focus should be on protecting the data assets of your company from disclosure or inappropriate use and on making sure that the departing employee does not destroy any information required for business continuity including sales leads, customer information and trade secrets.
When you create your employee termination policy, it should include a checklist of all the physical, network, computer, and data access privileges that an employee could possibly have. That can be quite a long list, but it’s essential that you document as much of it as possible because it is unlikely that your IT group will have this information centralized and up to date. A certain amount of discovery will be required before or during the termination process and a checklist will ensure that you’ve examined and revoked the employee’s access to all major systems of concern.
In the case of a terminated employee, IT should immediately revoke all computer, network, application and data access the former employee has. Remote access should also be disabled and the former employee should return all company-owned property, including notebook computers and intellectual property like corporate files containing customer, sales, financial or operational information. A careful log should be kept of each of these actions for legal or forensic purposes, including the time/date that they occurred and the name of the IT or HR staff member who performed the action.
To get you started, I’ve provided a checklist of the systems and privileges that your IT and HR group should review and revoke upon employee termination.
- Access to company computers including desktops, laptops and servers.
- Access to the company’s physical and wireless networks.
- Access to the VPN gateway.
- Access to all company email accounts. This may include a personal account as well as one or more group accounts that the individual has access to. If the employee has access to email accounts with shared passwords, the shared password should be changed.
- Terminate all email or message forwarding to personal devices such as mobile phones.
- Access to all internal server-based systems. If these are accessed by multiple people using a shared password, the shared password should be changed.
- Access to all externally hosted applications used by the company including online sales force management, CRM, billing, financial, email marketing, team collaboration and web hosting systems. If these are accessed by multiple people using a shared password, the shared password should be changed.
- All remote servers that can be accessed outside of the company network, say over the internet. If these are accessed by multiple people using a shared password, the shared password should be changed.
- Access to voicemail.
- Access to all company conferencing services.
- Access to the company credit card. If there is only one company credit card and it’s widely known, you may be SOL. I’d recommend you change the card number and centralize all purchasing to keep this information more secure.
- Remove the employee’s name from the list of approved contacts maintained by all of your external service or software providers.
- Access to physical premises, either using a key or remote access card. This may include access to multiple sites.
- Access to any 3rd party locations where the company has equipment, including remote data centers.
- Access to remote backups hosted by 3rd party services. This may require some forensic work in old expense reports to determine if the employee was backing up their desktop or laptop using an off-site service.
Once access to the information has been revoked, your IT and HR groups should work with the employee’s manager and other departments to determine who will take over the terminated employee’s responsibilities and what information they should have access to. For example, if a sales rep is let go, a sales manager should review the rep’s pipeline and reassign leads or in-progress deals to another employee. IT may need to be involved in this process if it requires moving data from one account to another or destroying electronic information if it is deemed worthless and should be disposed of.

December 12th, 2008 at 9:14 pm
Hey!, thanks for the good “g an Employee Termination Policy | Steal This Data” post. My wife works at a local newspaper production in Germany and she asks me: Would it be possible that I can write a story about this post? She would be really happy if she can do this and she will give you a link from a German blog too. Please post me the answer. Greetings Heimarbeit