
SANS ISC InfoSec Handlers Diary Blog



Exit process?

Published: 2008-07-18
Last Updated: 2008-07-19 14:53:21 UTC
by Adrien de Beaupre (Version: 2)
2 comment(s)

A recent experience with the exit process used by a company spurred me to write about the process by which an organization terminates employees or contractors. 

The very first question is, does your organization have both policy and procedures to deal with:
a) employees leaving voluntarily
b) employees being terminated
c) contractors coming and going
d) special cases

The next question is, do your employees actually follow the policies and procedures, or is there a fair amount of ad-libbing? Discretion in the hands of line management can be a good thing, or a recipe for disaster. I have always found checklists to be a good thing.

At one employer I left, I walked my replacement through the checklist, in case I had forgotten to put anything on it before I left. It was a good trial run for a new procedure. A friend of mine described a special case where a company founder left, but none of his access was changed. Another special case can be letting systems administrators or people like penetration testers go.

So, some of the things to address are:
- Physical access
- Logical access
- Anything only that person has access to, and any special privileges they hold
- All property
- Non-disclosure agreement reminder
- Intellectual property issues

Update:

Chris wrote in with the following:

I've worked for several employers that didn't have a proper "exit" process... So I've had to write one up as one of my "final acts". They've tended to be employer-specific as I've worked in various sectors, so I can't share them easily :-(

One area where checklists are almost essential is when an employee dies in service. People don't think straight in that situation, they make mistakes, they accidentally do things that others might think insensitive in the situation, and so on. Having checklists drawn up before such an event can save a whole lot of hassle and grief.

Also, someone needs to make sure that critical systems don't rely on a leaver's account being present to function properly. I've encountered several systems over the years that were built around a specific person, which would then die horribly when that person's account was later removed.

When I design or build a system, I make absolutely sure that it's designed to what I call the "V'Ger Rule". If you've seen "Star Trek: The Motion Picture", you'll understand.

Put simply, the "V'Ger Rule" states:
"A System must continue to operate in a correct and safe manner in the absence of its Creator".

Or, put another way:

1. No blowing up any spaceships;
2. No joyriding in Carbon Units;
3. Fat, balding starship captains are to be shot on sight, especially ones that follow the "If you can't eat it, drink it, steal it, spend it or have sex with it, blow it up" mantra.

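As an added illustration of Chris's point about systems that quietly depend on a leaver's account (and of the "logical access" item in the checklist above), here is a small audit routine that looks for such dependencies before the account is disabled. It is not code from this diary or from Chris; the crontab, systemd unit, sudoers and authorized_keys content is constructed sample input, and the departing user name jsmith is assumed.

```python
"""Find things on a host that will break, or keep granting access, once a
departing user's account is removed. Added example, not from the diary.
All configuration text below is constructed sample input."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (where it was found, why it matters)

# Constructed sample: system crontab with the run-as user in field six.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
0 2 * * * jsmith /opt/backup/run-nightly.sh
*/5 * * * * root /usr/local/bin/healthcheck
30 6 * * 1 jsmith /home/jsmith/reports/weekly.py
15 3 * * * root /home/jsmith/tools/rotate-logs.sh
"""

# Constructed sample: systemd unit bodies keyed by unit file name.
SAMPLE_UNITS = {
    "etl-loader.service": "[Service]\nUser=jsmith\nExecStart=/opt/etl/load\n",
    "nginx.service": "[Service]\nUser=www-data\nExecStart=/usr/sbin/nginx\n",
}

# Constructed sample: sudoers rules.
SAMPLE_SUDOERS = """\
root ALL=(ALL:ALL) ALL
jsmith ALL=(root) NOPASSWD: /usr/bin/systemctl restart etl-loader
%wheel ALL=(ALL) ALL
"""

# Constructed sample: authorized_keys files of *other* accounts, keyed by path.
SAMPLE_AUTHORIZED_KEYS = {
    "/root/.ssh/authorized_keys":
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5EXAMPLE1 jsmith@laptop\n"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5EXAMPLE2 deploy@ci\n",
    "/home/svc-etl/.ssh/authorized_keys":
        "ssh-rsa AAAAB3NzaC1yc2EEXAMPLE3 jsmith@laptop\n",
}


def find_account_dependencies(user: str, crontab: str, units: Dict[str, str],
                              sudoers: str,
                              authorized_keys: Dict[str, str]) -> List[Finding]:
    """Return every place the leaver's account is relied upon or still trusted."""
    home = f"/home/{user}/"
    findings: List[Finding] = []

    # Cron jobs that run as the user, or that live in the user's home directory
    # (those will vanish when the home directory is archived and removed).
    for raw in crontab.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)  # m h dom mon dow user command
        if len(fields) < 7:
            continue
        run_as, command = fields[5], fields[6]
        if run_as == user:
            findings.append(("crontab", f"job runs as {user}: {command}"))
        elif home in command:
            findings.append(("crontab", f"job references {home}: {command}"))

    # Services whose User= directive names the leaver: the V'Ger Rule failure.
    for name, body in units.items():
        match = re.search(r"^\s*User\s*=\s*(\S+)", body, re.MULTILINE)
        if match and match.group(1) == user:
            findings.append((name, f"service runs as {user}"))

    # sudoers rules granted to the leaver; stale rules are a clean-up item.
    for raw in sudoers.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and line.split()[0] == user:
            findings.append(("sudoers", f"rule for {user}: {line}"))

    # Keys in other accounts whose comment field names the leaver: disabling the
    # login account alone does not revoke these.
    for path, body in authorized_keys.items():
        for raw in body.splitlines():
            parts = raw.split()
            if len(parts) >= 3 and (parts[2] == user
                                    or parts[2].startswith(user + "@")):
                findings.append((path, f"key tagged {parts[2]} still lets {user} in"))
    return findings


if __name__ == "__main__":
    for where, why in find_account_dependencies("jsmith", SAMPLE_CRONTAB,
                                                SAMPLE_UNITS, SAMPLE_SUDOERS,
                                                SAMPLE_AUTHORIZED_KEYS):
        print(f"{where}: {why}")
```

On a real host the inputs would be read from /etc/crontab and /etc/cron.d, the unit files under /etc/systemd/system, /etc/sudoers and its includes, and every authorized_keys file; the matching logic stays the same. The key-comment check is only a heuristic, since comments are optional and easily edited, so a fingerprint inventory of the leaver's known keys is the stronger control.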

----------
Cheers,
Adrien de Beaupré

