How Good is your Employee Termination Policy?

Published: 2011-06-22
Last Updated: 2011-06-22 22:22:27 UTC
by Guy Bruneau (Version: 1)
21 comment(s)

A former employee of Baltimore Substance Abuse Systems Inc. compromised his boss’ computer during a presentation and replaced some of the content with pornographic material. It is customary to have policies in place that require terminated employees to be escorted out of the building by either a security officer or member of upper level administration.

However, when it comes to terminating employees, this case highlights the importance of having a solid corporate termination policy. The actions of this former employee embarrassed the company during a presentation, but what if he had deleted business-critical data and trashed the backups? Or copied the business-critical data (e.g. financial data, client credit card data or employees’ information) and sold it to the highest bidder?

It is important to have a policy for limiting access to corporate technical resources after an employee has been terminated. Some basic steps include: disabling user account(s), changing or locking all the passwords the former employee had access to, disabling corporate e-mail access and locking down access to their personal workstation.

An email from HR to all key stakeholders, using a pre-configured template and providing a means of reporting back to HR to confirm that the work has been completed, would help prevent this kind of malicious activity. Of course, the account(s) should be monitored to detect potential unauthorized access. Do you have a similar horror story to share?
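As an added example (not part of the original diary), the sketch below checks the steps above after the fact: it flags any authentication attempt by a terminated account and any shared credential the former employee knew that was not rotated after the termination. The HR roster structure, the account names and the five-field log format are constructed assumptions.

```python
from datetime import datetime

FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed HR roster: terminated account -> termination time (UTC) and the
# shared accounts whose passwords that person knew.
TERMINATIONS = {
    "jdoe": {"terminated": "2011-06-20T16:00:00Z",
             "shared": ["svc-backup", "wifi-admin"]},
}
# Constructed credential inventory: shared account -> last password rotation.
ROTATIONS = {"svc-backup": "2011-05-01T09:00:00Z",
             "wifi-admin": "2011-06-20T16:30:00Z"}
# Constructed auth events: "<time> <account> <source> <service> <result>".
EVENTS = [
    "2011-06-20T15:10:02Z jdoe 10.0.0.15 vpn success",
    "2011-06-20T18:42:11Z jdoe 203.0.113.7 vpn failure",
    "2011-06-21T02:13:45Z svc-backup 203.0.113.7 ssh success",
    "2011-06-21T08:00:00Z asmith 10.0.0.22 mail success",
    "2011-06-21T09:00:00Z wifi-admin 10.0.0.30 web success",
]

def ts(value):
    return datetime.strptime(value, FMT)

def audit(terminations, rotations, events):
    """Return sorted (kind, account, detail) findings for HR/security follow-up."""
    findings = set()
    watched = {}  # unrotated shared account -> earliest relevant termination
    for user, rec in terminations.items():
        left = ts(rec["terminated"])
        for acct in rec["shared"]:
            rotated = rotations.get(acct)
            if rotated is None or ts(rotated) < left:
                findings.add(("unrotated-shared-credential", acct, user))
                watched[acct] = min(left, watched.get(acct, left))
    for line in events:
        when, acct, src, service, result = line.split()
        detail = f"{when} {service} from {src}"
        if acct in terminations and ts(when) > ts(terminations[acct]["terminated"]):
            # A success means the account was never disabled; a failure
            # still shows the former employee (or someone else) trying it.
            findings.add((f"post-termination-{result}", acct, detail))
        elif acct in watched and ts(when) > watched[acct]:
            findings.add(("shared-account-use-to-review", acct, detail))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(TERMINATIONS, ROTATIONS, EVENTS):
        print(*finding, sep=" | ")
```

A finding on a shared account cannot be attributed to one person from the log alone, which is why it is reported for review rather than as a confirmed intrusion.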

[1] http://www.dailymail.co.uk/news/article-2006962/Fired-IT-manager-hacked-companys-swapped-boss-digital-presentation-porn.html?ito=feeds-newsxml
[2] http://www.baltimoresun.com/news/maryland/baltimore-city/bs-md-ci-computer-hacking-sentence-20110621,0,857376.story
[3] http://nakedsecurity.sophos.com/2011/06/22/hacker-ceo-presentation-porn/
 

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu


Comments

How good is my current employer's termination policy...well, I'll have to get back to you on that.
"Termination policies" should be fairly well figured out by now, since they've had so much practice at it.
Last time I checked, a tech's average stay anywhere is about 18 months. That's why most of us are "Consultants" now.
.
Since I AM the employer, anytime one of my people is terminated we have two police officers come by, stop by my office first to get the termination notice and a cardboard box and where the employee's desk/cubicle is located. They walk up to the employee, hand him the termination slip and the box is for the purpose of the employee's personal belongings. The employee is then escorted out of the building. If the employee is part of the IT team, any remote access userID's and passwords are changed. This is quite unusual I admit but the nature of the business requires it, all employees are required to "card in" and out.
It doesn't just affect terminated employees, a close eye also needs to be kept on current employees too, especially those under secondment.
Once a person's role within the organisation changes, so should their access levels.
Far too often I've seen people being allowed access to systems that are far out of their current scope after doing a particular job to cover mat(pat)ernal leavers.
In what country can you ask two cops to come in when there has been no crime committed nor even suspicion of a crime?

I'm calling b.s. on that one.
Old Dad,
I hope you at least look the person in the eyes when you do that. You wouldn't happen to be Mr. Burns, would you?
While you seem to take a HUGE amount of physical security in your termination procedures, you let slip that you actually have very poor internal security on the technical side.
If you have to change remote access IDs and passwords, that means you're using some form of shared authentication creds (username & password that more than 1 person has access to). Sure, you might take the required precautions when someone is terminated, but what about when you have a bad actor that is currently employed? They can use the shared authentication to get in & you would have no idea who the bad one is.
Shared authentication should never be used. If there are cases where you need to have a special account as a backup, you have two people form the password in turn, then put the two halves in a sealed envelope that is in secure storage.
JasonTracy: Been in business since 1972 and never had a problem. That speaks for itself, the system works.

Pevensey: No b.s. here whatsoever. Where there is an inventory of 10+million USD of technical parts, you take preventative action to protect that inventory as well as protection of the internal network and other employees. We have never had a problem to date. Would you rather have us terminate the employee and then give them a few hours to get their "things" together? I think not.
Pevensey:

The cops will do pretty much anything for anyone that pays them and has some level of standing within a community (small business owner is good enough). The U.S. is quickly gaining 3rd world banana republic status, in case you haven't noticed. Complete with an East German style police state - 50% of the population employed in one way or another (police, medical responders, firemen, postal workers, meter readers, teachers, social workers, children, etc.) to spy on the other 50%, most of whom are unemployed.
Sorry Old Dad, I personally find that absolutely ridiculous. Not only is 10Million USD in inventory a drop in the monetary bucket, you are absolutely wasting local law enforcement's time by having them assist in your terminations. I'm not sure if your comment was meant to sound hard core, but it sounds knee jerk to any security professional. No one said to give them a few hours to gather their things, just get yourself an employee you trust to escort them out. Using law enforcement for that task is a waste of their time and takes them away from their civil duty. I do hope you will consider my comment as a counter point to your current way of thinking and not a judgement on you as a professional. I mean no disrespect.
Our policy is awesome and is working well.

I have full "keys" to the city and I was told this past Monday that I am no longer needed after next Friday. Because of my hours I was told prior to any other sysadmins being on site, I was permitted to leave the GM's office and return to work. I would have expected my accounts to have been locked, and to be escorted out.

Obviously I must have high moral values.

Also, there was another sysadmin told the same thing on Tuesday, he still sits beside me.

Oh, I almost forgot to mention the accounting staff were gassed too. They too are still sitting at their desks with their usual level of access.

Do you think our employer dropped their pants?

Maybe they don't care as our employer was bought by a larger player.

k.o.
