Security implications need to be considered and addressed to ensure the organization remains protected and safe from threats.
When an individual leaves an organization for whatever reason or if someone changes position within an organization, there are several security implications that need to be considered and addressed to ensure the organization remains protected and safe from threats. These implications are the focus of pitfall #20 in my eBook, Security Program Pitfalls and Prescription to Avoid Them.
A process needs to be defined to address the security control requirements associated with the termination of personnel or changes in position of personnel from one role to another. This is required to, among other things, ensure access is terminated in a timely fashion; or appropriately adjusted when personnel transfer from one role to another. Organizations put the confidentiality of information at risk if appropriate access revocation or modification is not completed in a timely manner.
The access rights of all personnel to information and information systems must be removed immediately upon termination of employment or adjusted upon moving from one position or role to another within the organization. When personnel move to a new position, access administrators should be notified, prompting access to be re-evaluated with appropriate adjustments being made as soon as possible – not to exceed a maximum of thirty days. One month may seem excessive, but there may be a need for the current access level to continue on a temporary basis to support knowledge transfer or cross-training activities.
Personnel that are being terminated should be made aware of their obligations to ensure any protected or sensitive information to which they had prior access remains confidential. Generally, this should be addressed during the exit interview process. The exit interview process should also address defined security and confidentiality topics, property owned by the organization that is to be returned, as well as access revocation. Your organization should maintain a documented termination checklist to help ensure all planned steps to be taken upon termination of personnel are completed. Property belonging to your organization should be returned on, or before, the final day of employment.
To learn more about this pitfall, and 99 more, get my book: 100 Security Program Pitfalls and Prescriptions to Avoid Them (available on Amazon here). Or register for a demo of the ASECENT Security and Compliance Portal and get a free synopsis of the 100 Security Program Pitfalls eBook today.