Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: How Good is your Employee Termination Policy? - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
How Good is your Employee Termination Policy?

A former employee of Baltimore Substance Abuse Systems Inc. compromised his boss’ computer during a presentation and replaced some of the content with pornographic material. It is customary to have policies in place that require terminated employees to be escorted out of the building by either a security officer or member of upper level administration.

However, when it comes of terminating employees, this case highlights the importance of having a solid corporate termination policy. The actions of this former employee embarrass the company during a presentation but what if he would have deleted business critical data and trashed the backups? Or copied the business critical data (i.e. financial data, client credit card data or employees’ information) and sold it to the highest bidder?

It is important to have a policy for limiting access to corporate technical resources after an employee has been terminated. Some basic step include: disabling user account(s), changing or locking all the passwords the former employee had access to, disabling corporate e-mail access and locking down access to their personal workstation.

An email from HR using a pre-configured template to all key stakeholders with a mean of reporting back to HR, confirming the work has been completed, would help prevent this kind of malicious activity. Of course, the account(s) should be monitored to detect potential unauthorized access. Do you have similar horror story to share?



Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu


523 Posts
ISC Handler
Jun 22nd 2011
How good is my current employers termination policy...well, I'll have to get back to you on that.

65 Posts
"Termination policies" should be fairly well figured out by now, since they've had so much practice at it.
Last time I checked, a tech's average stay anywhere is about 18 months. That's why most of us are "Consultants" now.

160 Posts
Since I AM the employer, anytime one of my people is terminated we have two police officers come by, stop by my office first to get the termination notice and a cardboard box and where the employee's desk/cubicle is located. They walk up to the employee, hand him the termination slip and the box is for the purpose of the employee's personal belongings. The employee is then escorted out of the building. If the employee is part of the IT team, any remote access userID's and passwords are changed. This is quite unusual I admit but the nature of the business requires it, all employees are required to "card in" and out.
20 Posts
It doesn't just affect terminated employees, a close eye also needs to be kept on current employees too, especially those under secondment.
One a persons role within the organisation changes, so should their access levels.
Far too often I've seen people being allowed access to systems that are far out of their current scope after doing a particular job to cover mat(pat)ernal leavers.
6 Posts
In what country can you ask two cops to come in when there has been no crime committed nor even suspicion of a crime?

I'm calling b.s. on that one.
7 Posts
Old Dad,
I hope you at least look the person in the eyes when you do that. You wouldn't happen to be Mr. Burns, would you?
While you seem to take a HUGE amount of physical security in your termination procedures, you let slip that you actually have very poor internal security on the technical side.
If you have to change remote access IDs and passwords, that means you're using some form of shared authentication creds (username & password that more than 1 person has access to). Sure, you might take the required precautions when someone is terminated, but what about when you have a bad actor that is currently employed? They can use the shared authentication to get in & you would have no idea who the bad one is.
Shared authentication should never be used. If there are cases where you need to have a special account as a backup, you have two people form the password in turn, then put the two halves in a sealed envelope that is in secure storage.

4 Posts
JasonTracy:Been in business since 1972 and never had a problem. That speaks for itself, the system works.

Pevensey:No b.s. here whatsoever. Where there is an inventory of 10+million USD of technical parts, you take preventative action to protect that inventory as well as protection of the internal network and other employees. We have never had a problem to date. Would you rather have us terminate the employee and then give them a few hours to get their "things" together? I think not.
20 Posts

The cops will do pretty much anything for anyone that pays them and has some level of standing within a community (small business owner is good enough). The U.S. is quickly gaining 3rd world banana republic status, in case you haven't noticed. Complete with an East German style police state - 50% of the population employed in one way or another (police, medical responders, firemen, postal workers, meter readers, teachers, social workers, children, etc.) to spy on the other 50%, most of whom are unemployed.
22 Posts
Sorry Old Dad, I personally find that absolutely ridiculous. Not only is 10Million USD in inventory a drop in the monetary bucket, you are absolutely wasting local law enforcements time by having them assist in your terminations. I'm not sure if your comment was meant to sound hard core, but it sounds knee jerk to any security professional. No one said to give them a few hours to gather their things, just get yourself an employee you trust to escort them out. Using law enforcement for that task is a waste of their time and takes them away from their civil duty. I do hope you will consider my comment as a counter point to your current way of thinking and not a judement on you as a professional. I mean no disrespect.
9 Posts
Our policy is awesome and is working well.

I have full "keys" to the city and I was told this past Monday that I am no longer needed after next Friday. Because of my hours I was told prior to any other sysadmins being on site, I was permitted to leave the GMs office and return to work. I would have expeated my accounts to have been locked, and to be escorted out.

Obviously I must have high moral values.

Also, there was another sysadmin told the same thing on Tuesday, he still sits beside me.

Oh I almost forgot to meationed the accounting staff were gased too. They're too still siting at their desk with their usual level of access.

Do you think our employer dropped their pants?

Maybe they don't care as our employer was bought by a larger player.

1 Posts
maintaining the chain of custody is critical, however not all employees are released on bad terms especially in our recent recession.

we may want some of these employees back in the future. having too stark a policy can be tough on morale not only for a loyal spontaneously-former employee but for remaining employees.

this needs to be considered all the while making sure transitional security is maintained.

the account lockout process might better be mediated by adding a transitional phase that included a sandbox feature to be accessible until they are 'out the door'. where the exiting employee is allowed to write file final reports, emails and suggestions to an embargoed sandboxed area before they are turned away. the final reports after being vetted can save the remaining employees time and trouble trying to figure out where the former-employee was on various projects as the workload is shifted. the sandbox feature could provide limited access that keeps company systems/data disconnected and safe but lets the employee do some housecleaning tasks they had been working on that they dont just want to dump without pomp. this is not only less traumatic to an employee that was loyal but can also bear on safey and security if for example they had noticed but not yet got to filing reports on a recent packet analysis or failing mixing valve or pressure sensor.

8 Posts
People might be mis-interpreting the "cops" statement - those thinking that Old Dad claims to call 9-1-1 and gets a pair of officers... are correct, that'll never happen.

However, you can rent-a-cop for however long you wish, provided it's scheduled. Big events do so all the time - for traffic flow, security, whatever - the event is paying for that detail. Large shopping malls rent cops all the time. Likewise, we rented a sheriff to stake-out our parking lot for a few weeks during overnights... as a cop, to catch somebody.

So, if he's got the budget for it, nothing stops Old Dad from actually having two officers on-site 24/7... but it's not an ad-hoc thing, as some were expecting.

42 Posts
For everyone that thinks having two "cops" escort someone out, have you ever worked in a secured government facility? All terminations are handled this way. Of course the "cops" are facilities security people. But they may be armed guards. They will be brought up to escort the person out immediately upon their termination. This is NOT an uncommon practice.
7 Posts
Phil: No disrespect taken of course. 10M USD is a substantial inventory for a small military contractor such as us. And have you heard the expression "going postal" - applies in our situation, that's the reason the police are involved in terminations. Our methodology has worked for almost 40 yrs now - no point in continuing this.
20 Posts
Physical destruction through shredding, dissolving in acid, or incineration will ensure the employee has been fully terminated. "You have been erased."
Steven C.

171 Posts
Old Dad, ultimately I think these guys are getting to the human part of the equation. Your description seems like the typical horror story about uncaring employers.

135 Posts
Old Dad: If you use the same method of termination for every single employee, I see no problem with it. It isn't particularly "shameful" if it happens no matter who you are.

In other news, the most important thing is having a way to quickly disable all access. If everything is tied to Active Directory or a single sign-on solution, that means you disable one account and everything stops.

Most normal terminations where I work rely on a status change being filed in HR and the nightly IAM batch disabling the account.

Emergency status changes for folks to are leaving on bad terms or who have deep admin rights result in emails being sent to the managers of the appropriate groups from Corporate Security and accounts being manually disabled as close to immediately as possible.

There was the time that an employee went to lunch and when she got back her badge didn't work and her boss was waiting in the lobby with a box of her stuff, but that guy was an ass.

93 Posts
Treat your employees right and maybe you won't have to deal with an angry born-again hacker.

NOTHING pisses a worker off more than a sudden, suprise firing.

Your HR might actually like doing it this way. From their point of view and maybe the manager's POV too, it beats a long, drawn-out struggle. But from the worker's perspective, your company just made a new enemy.
3 Posts
Here in the UK it is more difficult to just fire someone. Unless they are guilty of gross misconduct, you have to give them a verbal warning then a written warning before you can fire them. In the case of redundancy, these days it is usual to have a "consultancy" period (2-3 weeks) where discussions go on between the employer (usually HR) and the employee to see if there is another role that they can fulfil within the company. Often this doesn't change anything but I have seen at least one case where a sysadmin was kept on in an IT support role. So it is rare that people have their employment terminated without at least some warning.

Having said that, I did hear of a major bank that wanted to make several employess redundant so they had a fire drill and then only let certain people back in the building. Harsh!

35 Posts
Whatever happening to finding out you'd lost your job by being locked out of the network when you arrive at the office?
No Love.

37 Posts

Sign Up for Free or Log In to start participating in the conversation!