Security Basics mailing list archives

Re: Procedure for staff leaving


From: krymson () gmail com
Date: 29 Aug 2006 19:41:38 -0000

The best thing to do here is write down what you do when someone leaves. This will create the framework for a procedure.

This can then also provide guidance on your policy. The policy should be general and will likely try to just say, "upon 
termination of employment (may want to define this as being forced termination or mutual or employee leaving, any sort 
of end to employment) all security access for that employee will be revoked. Any information or tasks for that employee 
(file server data, emails, files on their computer) should be backed up. Their direct manager should be queried as to 
what to do with this information and who should get it."

You also want to outline the procedure to invoke this policy. You don't want to start a termination sequence based on 
hearsay, even if that is sometimes all you get. You want an announcement from HR or from their direct manager or both, 
in a documentable form (request ticket, signed paper hardcopy, email...). You can then start the procedure, and then 
notify when completed and provide the deliverables.

Your procedure is going to likely include several general areas:

- who is involved: identify and notify HR or their manager so you can ask questions as needed. Get a date of 
termination, and if this is a firing, while it is not necessarily our business to know the details, it may help to know 
whether it is mutual or not, especially if you need to disable their account while they are away being informed. HR 
should not let the employee back to their desk or anywhere else in the company unsupervised after termination. They 
must be escorted out and their personal belongings provided to them either at that moment or later. This may be a bit 
beyond IT and more of an HR thing, but also identify who needs to be notified of a termination. Should Accounting be 
notified? How about the DBA who controls SQL accounts? This should be defined in the HR part of the procedure, possibly 
before you even hear about it.

- hardware: reclaim what has been checked out and assigned to that employee in terms of computer equipment, PDAs, etc. 
(work with HR to get a procedure for employee hires to sign something). Did they have anything checked out like a 
laptop or projector?

- accounts and access: revoke network accounts, remote access accounts, VPN access and/or firewall rules; any internal 
systems that take an account they may have used (intranets, email, wiki, CRM systems, salesforce, web apps...)

- physical access: retrieve keys/key cards they may have; revoke any biometrics access and let receptionists know that 
the employee is no longer employed, so they can be stopped at the door if they attempt to gain access again.

- information: be sure to back up their information and get permission from their manager before wiping their old 
machine. Keep a copy of this backup for x months in a locked room (either HR or IT) and provide whatever the manager 
requires. Notify the manager before permanent disposal of the backup. Imaging is nice, but possibly not required.

- desk/workspace: bring their manager or HR along upon the first inspection and clean-up of their workspace, or do not 
do anything unless they OK it. Reclaim company-owned equipment and identify any personal effects that need to be 
returned to the employee, and provide those to HR. It is best to have HR do this with your help to avoid possible 
issues later.

- evaluate the need to change any shared accounts or access. Do you have wireless whose key now needs changing? Did 
they know the admin/root/enable password for any systems or devices? Was their name on the contact for SSL certs? Was 
their (possibly personal) cell phone on the contact list for data center service interruptions?

No form will ever catch everything unless you are in a 100% standards-compliant company. Always leave some room to just 
sit back and evaluate what the person did for their job, and what else may need to be addressed. You want to do this 
all in one shot as opposed to remembering 2 weeks later that they had a key to a door because 6 months ago you had a 
remodeling project that disabled the electronic locks for a week.


Definitely work with your HR on this policy, as they are likely to be very involved in it. They may even have their own 
procedures with Accounting or internal stuff that needs to be done.
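The "accounts and access" and "shared accounts" items above are where the one-shot approach usually breaks down on 
Unix hosts: locking the password is done, but group memberships, sudo rules, cron jobs and SSH keys planted in other 
accounts survive. The script below is an added example written for this archive page, not code from the original post 
or its author. It audits a host (or a copied tree under a prefix) for access a departed user still holds, using only 
standard /etc/passwd, /etc/shadow, /etc/group, sudoers and cron spool layouts; the fixture tree it builds for user 
"alice" is constructed here for illustration, and the assumption that SSH key comments carry `user@host` is a 
heuristic, not a guarantee.

```shell
#!/bin/sh
# offboard_audit.sh (added example; not from the mailing list post)
# Report residual access for a departed user. Pass a root prefix as the
# second argument to scan a copied or constructed tree instead of "/".

offboard_audit() {
    user="$1"; root="${2:-}"; n=0

    # 1. Password still usable? usermod -L prefixes the hash with '!'.
    hash=$(awk -F: -v u="$user" '$1==u {print $2}' "$root/etc/shadow" 2>/dev/null)
    case "$hash" in
        ""|'!'*|'*'*) ;;
        *) echo "PASSWORD: $user hash is not locked"; n=$((n+1)) ;;
    esac

    # 2. Account expiry (shadow field 8, days since epoch). A locked password
    #    does not stop key-based SSH logins; an expired account (chage -E0) does.
    expire=$(awk -F: -v u="$user" '$1==u {print $8}' "$root/etc/shadow" 2>/dev/null)
    today=$(( $(date +%s) / 86400 ))
    if grep -q "^$user:" "$root/etc/passwd" 2>/dev/null; then
        if [ -z "$expire" ] || [ "$expire" -gt "$today" ]; then
            echo "EXPIRY: $user not expired (key logins still possible)"; n=$((n+1))
        fi
    fi

    # 3. Secondary group memberships (wheel, docker, ...) survive a lock.
    for g in $(awk -F: -v u="$user" '{ c=split($4,m,","); for(i=1;i<=c;i++) if(m[i]==u) print $1 }' \
                   "$root/etc/group" 2>/dev/null); do
        echo "GROUP: $user still in $g"; n=$((n+1))
    done

    # 4. sudoers and drop-ins.
    if cat "$root/etc/sudoers" "$root"/etc/sudoers.d/* 2>/dev/null |
       grep -qE "^[[:space:]]*$user[[:space:]]"; then
        echo "SUDO: $user referenced in sudoers"; n=$((n+1))
    fi

    # 5. Per-user crontab (Debian and RHEL spool locations).
    for f in "$root/var/spool/cron/crontabs/$user" "$root/var/spool/cron/$user"; do
        if [ -f "$f" ]; then echo "CRON: $f"; n=$((n+1)); fi
    done

    # 6. The user's key planted in other accounts' authorized_keys
    #    (heuristic: OpenSSH key comments are usually user@host).
    for f in "$root"/home/*/.ssh/authorized_keys "$root"/root/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        if grep -q "[[:space:]]$user@" "$f"; then
            echo "SSHKEY: $f carries a key tagged $user@..."; n=$((n+1))
        fi
    done

    echo "TOTAL: $n"
}

# Constructed fixture (not real data): alice was locked with usermod -L and
# nothing else was done. Prints the temp root so callers can pass it in.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/etc/sudoers.d" "$fx/var/spool/cron/crontabs" "$fx/home/bob/.ssh" "$fx/root/.ssh"
    printf 'root:x:0:0::/root:/bin/sh\nalice:x:1001:1001::/home/alice:/bin/sh\nbob:x:1002:1002::/home/bob:/bin/sh\n' \
        > "$fx/etc/passwd"
    printf 'root:*:19000:0:99999:7:::\nalice:!$6$locked:19000:0:99999:7:::\nbob:$6$abc:19000:0:99999:7:::\n' \
        > "$fx/etc/shadow"
    printf 'wheel:x:10:alice\ndocker:x:999:bob,alice\nusers:x:100:bob\n' > "$fx/etc/group"
    printf 'alice ALL=(ALL) NOPASSWD: ALL\n' > "$fx/etc/sudoers.d/alice"
    printf '0 2 * * * /usr/local/bin/backup.sh\n' > "$fx/var/spool/cron/crontabs/alice"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterial000000000000000 alice@laptop\n' \
        > "$fx/home/bob/.ssh/authorized_keys"
    echo "$fx"
}

# Demo run against the constructed tree; on a live host: offboard_audit alice /
demo_root=$(make_fixture)
offboard_audit alice "$demo_root"
rm -rf "$demo_root"
```

The EXPIRY finding is the one most often missed: `usermod -L` alone leaves any SSH key the person held working, so 
the procedure should expire the account (or remove it) and then re-run a check like this against every host the 
person had a login on, plus the shared accounts listed under the last bullet.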
