Departing Personnel: Discussion Framework

Presented at RSA Conference USA 2016

The RSA USA Conference for 2016, set in San Francisco, started today. At the conference I will be facilitating a Peer-to-Peer session, scheduled for Thursday, March 3, 2016, starting at 2:10 pm, in Moscone West Room 2021, and titled:

Saying Goodbye: Managing Security for Departing Personnel  (Session ID P2P3-R08)

My last blog post discussed a set of risks to consider when managing security for departed personnel, considering departure of people in special roles, shared accounts, reluctant departures, contacts back to the business, special relationship with vendors and customers, social media monitoring, more detail on personally-owned assets, and departure transition periods.

This, my last blog post on the topic of my Peer-to-Peer session, presents the discussion framework I will use in the session, and includes some open questions on risk and mitigation that I hope the group will consider. Check back as I may add content to this discussion framework during the week.

Context

  • Types of people
  • Types of people departures
  • Types of group departures
  • Departure timing

Threat model

  • Systems and application access we don’t know about
  • Shared accounts we don’t know about
  • Departures of personnel with privileged access (SA, DBA, NA)
  • Reluctant departures
  • Cultural differences
  • Inappropriate contacts back to the organization
  • Social media disclosures, intentional and inadvertent
  • Partner and customer disclosures
  • Information assets they have and where they’ve stored it
  • Storage on personally-owned devices
  • Legal or privacy violation from intrusive survey
  • Leakage during transition periods
  • Unclear responsibility for information assets reclaimed
  • Reclaimed assets destroyed too soon, or kept too long (legal risk)

Controls

  • Appropriate design decision team, linking HR, IT, ITSec, Risk Mgmt, Payroll, Facilities, PhysicalSec
  • Foundational policy, communicated and tested
  • Set the stage for departure with good processes and controls during employment
  • Defined process threads tailored to the departure context, with tested control points
  • Appropriate operations team
  • Risk avoidance, transference, acceptance
  • Checklist(s)
  • Evergreen: regular process renewal, regular training
  • Internal and external audits, with accountability and deadlined remediation
  • Management of personally-owned devices??
  • Remanent steward (manager?) controls inactive reclaimed assets

Questions

  • Monitoring after departure; risk, resources, harassment?
  • Inspection of personally-owned devices and personally-owned external accounts?
  • Timing of the end of access?
  • Conflicts between the design and operations teams?
  • Who should own the information left behind?

These Peer-to-Peer sessions provide the opportunity for an open, intimate discussion owned by the participants where the details of the discussion stay in the room. I hope this framework, and the questions I pose, spark insights and actionable ideas that can be implemented upon return.

Departing Personnel: Security Risks

Presented at RSA Conference USA 2016

The RSA USA Conference for 2016, set in San Francisco, starts in just a few days. At the conference I will be facilitating a Peer-to-Peer session, scheduled for Thursday, March 3, 2016, starting at 2:10 pm, in Moscone West Room 2021, and titled:

Saying Goodbye: Managing Security for Departing Personnel  (Session ID P2P3-R08)

My last blog post explored in depth specific issues to consider when managing security for departing personnel, including transition vs. “event” departures; reviewing specifics of the organization within which the personnel worked; the importance of inventorying impacted information assets; specific issues from the use of social media; exit interviews; information archiving and stewardship; and legal considerations. Today’s post turns to exploring risks around managing security for departing personnel, considering departure of people in special roles, shared accounts, reluctant departures, contacts back to the business, special relationship with vendors and customers, social media monitoring, more detail on personally-owned assets, and departure transition periods.

Managing company information on personally-owned computing devices, laptops, smart phones, and computing services is a challenge even for those not departing the organization, but an even greater challenge for departing personnel. The foundation for managing this risk is set by policy. Each organization should decide how much control to exert. Most organizations restrict the use of company information on personally-owned devices and services, while others require the use of company-owned and provisioned devices and software, including company management, through software, of devices. Compliance with regulatory requirements influences this decision. Once determined, the organization sets down their requirements in a clear statement of policy, ensures all personnel covered by the policy understand it, and monitors for compliance. For the policy to be respected there need to be enforcement actions for violations.

Open question: is there any good way to monitor for company information on personally-owned computing devices and computing services after departure?

People in customer contact roles, such as sales, sales-support, marketing, and service, are successful because they build relationships with customers. People in purchasing and supply roles also often work to build relationships with suppliers, to secure better terms and to build trust and reliability. A similar risk arises from those individuals with significant contact back to the organization following departure. These relationships can present a risk after departure if they are abused against the organization’s interest. This is true generally, but also can involve inappropriate disclosure of company information. The foundation for managing this risk is set by policy, with controls placed through hiring and confidentiality agreements.

People in roles with special privileges in the use of information assets, such as system administrators, database administrators, network engineers, IT security, audit, and managers in special roles, also can present risks leading up to and after departure. But these roles present risk at work, before departure, so it is essential that controls already exist, anchored by policy, to minimize risk of abuse of these special privileges. These controls typically include use of authentication tokens for access, logging of all access and activities, manager confirmation for special actions, and immediate suspension of privileges upon notice of departure.

Shared accounts are always a risk, as they provide no attribution of activity to one individual. They shouldn’t exist, but often they do, ironically often as system accounts used by systems and database administrators and network engineers, accounts with special, powerful privileges. These accounts can be particularly risky after departure, providing privileged access to systems even after the normal accounts of a departing person are locked or terminated. Shared accounts must be prohibited by policy, configurations must be designed and implemented so that direct use of system accounts is unnecessary, and direct use of system accounts must be monitored and audited on an ongoing basis.

Reluctant departures can involve significant risk. These are individuals who are not departing voluntarily, who may be angry, hostile, aggressive, and looking for retribution or revenge. One outlet for their retribution is inflicting damage on information assets. Here there is a challenging balance between watchful awareness and professional respect. The accounts of individuals departing involuntarily should be immediately locked or terminated upon notice of termination.

Another challenging situation is those departures that move through a transition period before leaving. The period can be as short as the end of the business day of notice, or the wrap-up of a contract, or, in the case of senior management, may be as long as a few months. Immediate but phased restriction of privileges, rather than immediate account locking, is one strategy for enabling a productive, respectful termination period while minimizing risk. But special privilege account access should be terminated immediately upon notice.
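As an added illustration (not part of the original post) of the monitoring the two preceding paragraphs call for, the script below audits constructed sshd auth log lines against a constructed departure roster: it flags logins to privileged hosts after notice while ordinary access continues through the transition period, any activity after the last day, and direct use of shared system accounts. Host names, user names, timestamps and addresses are all assumed sample values.

```python
"""Post-departure access audit over sshd auth log lines (added example).

Flags privileged-host logins after notice, any activity after the last day,
and direct use of shared system accounts, noting when a shared account is
used from a source address already seen for a departing person.
"""
import re
from datetime import datetime

# Constructed syslog-style sshd lines for illustration, not real log data.
AUTH_LOG = """\
2016-03-01T09:02:11 srv1 sshd[2101]: Accepted publickey for jdoe from 10.0.0.5 port 51022
2016-03-01T17:40:03 srv1 sshd[2233]: Accepted password for oracle from 10.0.0.11 port 51140
2016-03-02T08:15:42 srv1 sshd[2310]: Accepted publickey for jdoe from 10.0.0.5 port 51211
2016-03-02T08:20:00 srv2 sshd[4412]: Accepted publickey for jdoe from 10.0.0.5 port 51212
2016-03-02T08:21:00 srv2 sshd[4413]: Accepted password for root from 10.0.0.5 port 51213
2016-03-02T09:00:00 srv1 sshd[2350]: Failed password for msmith from 10.0.0.9 port 51300
2016-03-03T10:30:00 srv1 sshd[2400]: Accepted publickey for asmith from 10.0.0.7 port 51400
"""

# Constructed departure roster. Privileged access on the listed hosts ends at
# notice; ordinary access continues through the transition until last_day.
ROSTER = {
    "jdoe": {"notice": "2016-03-01T12:00:00", "last_day": "2016-03-04T17:00:00",
             "privileged_hosts": {"srv2"}},
    "msmith": {"notice": "2016-02-28T09:00:00", "last_day": "2016-02-28T09:00:00",
               "privileged_hosts": set()},
}
SHARED_ACCOUNTS = {"root", "oracle"}  # should never be used interactively

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")

def parse(line):
    """Return a dict for one sshd auth line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def audit(log_text, roster, shared):
    """Return (finding, user, host, src) tuples, in log order."""
    findings, sources = [], {}  # sources: roster user -> source addresses seen
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        user, host, src, ts = ev["user"], ev["host"], ev["src"], ev["ts"]
        ok = ev["result"] == "Accepted"
        if user in roster:
            r = roster[user]
            sources.setdefault(user, set()).add(src)
            if ts >= datetime.fromisoformat(r["last_day"]):
                findings.append(("after-last-day" if ok else "after-last-day-attempt", user, host, src))
            elif ok and host in r["privileged_hosts"] and ts >= datetime.fromisoformat(r["notice"]):
                findings.append(("privileged-after-notice", user, host, src))
        elif ok and user in shared:
            # Direct shared-account use; worse when it comes from a departing person's source.
            from_departing = any(src in s for s in sources.values())
            kind = "shared-account-from-departing-source" if from_departing else "shared-account-login"
            findings.append((kind, user, host, src))
    return findings

if __name__ == "__main__":
    for finding in audit(AUTH_LOG, ROSTER, SHARED_ACCOUNTS):
        print(*finding)
```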

As noted in a previous blog post, accounts on social media are a particular challenge. The foundation for managing this risk is set by policy, with controls placed through hiring and confidentiality agreements. Yet monitoring can be really difficult, time-consuming, and at risk of raising issues of privacy.

Open question: Is there any good way to monitor for company information on personally-owned social media accounts?

My last blog post on the topic of my Peer-to-Peer session will outline the discussion framework I will use in the session, and include some open questions on risk and mitigation that I hope the group will consider. But the wonderful nature of these Peer-to-Peer sessions is that the discussion is owned by the participants, not by me in the role of facilitator. I expect a lively conversation!

Departing Personnel: Security Issues Part 2

Presented at RSA Conference USA 2016

The RSA USA Conference for 2016, set in San Francisco, starts next week. At the conference I will be facilitating a Peer-to-Peer session, scheduled for Thursday, March 3, 2016, starting at 2:10 pm, in Moscone West Room 2021, and titled:

Saying Goodbye: Managing Security for Departing Personnel  (Session ID P2P3-R08)

My last blog post explored in more depth specific issues to consider when managing security for departing personnel, including transition vs. “event” departures, reviewing specifics of the organization within which the personnel worked, the importance of inventorying impacted information assets, and specific issues from the use of social media. Today’s post continues this theme of exploring issues.

Almost all departures involve an exit interview, usually with a member of the Human Resources (HR) team. While it is rare that IT or IT Security are present at the interview, it is essential that we contribute to the content of the interview. IT-specific content would include a review and confirmation of the information assets, including accounts, internal and external, and recovery of equipment. It would also include mention of specific policy points where legal responsibility extends beyond the date of departure.

Almost all departures involve a “residue” of information, created by or used by the departed person. This information is retained in the internal and external accounts, both application and system accounts, and on the equipment. Good security practice requires an identifiable owner for all information. Following the departure, ownership of this information must be transferred to a “custodian”, perhaps the direct manager but perhaps someone in a custodian role. By policy it is clearly understood and communicated that the custodian is not liable or responsible for the created information itself (attribution remains with its creator), but only for safeguarding and managing it.

Next is to address the question: what to do with the information left behind?

Depending upon the role of the departed person, there might be some process for review of the created information, before transfer to a replacement person, or archiving, or deletion. Off-boarding process design should account for this review, for critical roles.

In the case of transfer to a replacement person, that new individual likely will be integrating the acquired information with their own, making attribution challenging. The best and easiest solution for this is to retain an intact, digitally signed copy that would be used if any question later arises.

Most organizations have a policy for information retention and destruction, balancing the concerns for storage burden, possible future use, and legal risk of unnecessary retention. Archived information from departed personnel should follow this process. Perhaps review this retention and destruction process to be sure it accommodates this category of archive.

There are legal issues involving IT and IT Security for departed personnel. Already mentioned is the requirement to reduce the legal risk of unnecessary retention. The counterpoint to this is policy and process in place to safeguard information that falls under the category of required e-discovery, and this information may be from departed personnel. There is also the need for policy and process to set the boundaries and clear demarcation between organization-owned and personally-owned assets, including computing equipment and intellectual property, and how these assets are to be used in conducting the business of the organization.

My next blog will turn to a set of risks to consider when managing security for departed personnel, considering departure of people in special roles, shared accounts, reluctant departures, contacts back to the business, special relationship with vendors and customers, social media monitoring, more detail on personally-owned assets, and departure transition periods.

Departing Personnel: Security Issues Part 1

Presented at RSA Conference USA 2016

The RSA USA Conference for 2016, set in San Francisco, is less than a week away. At the conference I will be facilitating a Peer-to-Peer session, scheduled for Thursday, March 3, 2016, starting at 2:10 pm, in Moscone West Room 2021, and titled:

Saying Goodbye: Managing Security for Departing Personnel  (Session ID P2P3-R08)

My last blog post outlined a framework for understanding, planning and managing various types of personnel departures. Today’s post, and the next, explore in more depth specific issues to consider when managing security for departing personnel.

Many personnel departures come about after advance notice, providing the benefit of time to plan for these transitions and manage through them. Referring to the framework outlined in the last post, almost all organizational transitions that impact groups of people occur with advance notice. Most individual departures also occur with some amount of advance notice. But some departures are immediate, “events” rather than “transitions”. Event departures still require the “off-boarding” team to follow defined processes, but at speed, with the risk of missing an important task. This makes use of a checklist even more important. And unique to event departures, the first task often is to negotiate for more transition time.

The framework for managing security for departing personnel includes establishing a sound process. This process must include steps to develop a full knowledge of the organizational structure and the information resources used that are impacted by the departure. In practice developing this understanding is unique to each organization, division, or department. There are likely to be reporting and teaming relationships, information assets, and system privileges unique to the role of the departing person. To successfully manage security and decrease risk you have to ask good questions, probe and document, then implement your process to control and transition access.

You have to answer the question: what has the departing person got? Answering this leads to the identification of an inventory of information assets and privileges that need to be secured. Among these:

  • Internal network access
  • Remote access to internal networks
  • Access to specific systems
  • Access to internally hosted applications
  • Access to externally hosted applications
  • Accounts on social media on behalf of the organization
  • Computing assets
    • laptops
    • smart phones
    • portable disks (data and backup)
    • memory sticks, and other storage devices
  • ID badges
  • Credit cards
  • Authentication token devices
  • Company applications and data on personally-owned devices
  • Software license recovery
  • Any and all other property owned by the organization

I stress again that a good checklist is essential to manage a good departure.

Accounts on social media are a particular challenge. People often have personal accounts, where exposure of organization information can really only be addressed by policy and monitoring, and monitoring is really difficult, time-consuming, and at risk of raising issues of privacy. For accounts on social media on behalf of the organization, it should be clearly agreed by established policy that upon creation these accounts are owned by and managed on behalf of the organization. If possible there should be an opportunity for the organization to control the account without the aid of the departed person.

My next blog post will continue walking through the various issues faced with managing security for departed personnel, including exit interviews, archiving and information stewardship, and legal requirements.

Departing Personnel: Discussion Framework

Presented at RSA Conference USA 2016

The RSA USA Conference for 2016, set in San Francisco, is only a week away. At the conference I will be facilitating a Peer-to-Peer session, scheduled for Thursday, March 3, 2016, starting at 2:10 pm, in Moscone West Room 2021, and titled:

Saying Goodbye: Managing Security for Departing Personnel  (Session ID P2P3-R08)

This blog post, and others this week, will address this topic in more detail, to provide a preview of some of those issues I hope the group will consider and discuss.

Personnel departures are a daily occurrence for large organizations, and are also a regular occurrence for small and medium-sized organizations. I use the term “organization” to mean both companies and other types of organizations, such as government and NGOs (Non-Governmental Organizations). These NGOs can be both for-profit and non-profit. In short, all organizations face personnel departures.

Most often we think of those leaving as former employees, but departures of other categories of people can be even more common: contractors hired by the business; interns gaining experience; guest workers who arrived from another company or division; and even visitors who come for a day or a week or longer, who are meeting, inspecting or just visiting.

There are two distinct types of departures: individuals who leave and groups who leave.

Individuals can depart under various circumstances: voluntary resignations; terminations (often involuntary); contractors leaving at the end of their contract; interns leaving at the end of their internships; visitors leaving at the end of their visits.

Group departures include organizational re-organizations; spin-offs of portions of the organization to other organizations; outsourcing of organizational functions; group contractors; and outright sales of the organization or portions of it. Group departures often involve many of the types of individual departures.

Constructing a framework for understanding, planning and management for these various types of personnel departures requires first the gathering of a team of stakeholders all consistently involved with departures. Typical members on this team include representatives from Human Resources, Legal, IT (and IT Security), Payroll, Facilities, and Physical Security.

Next, representatives of this group complete a detailed review of existing policies and processes, sometimes called “off-boarding”, used to conduct these departures. The framework must accommodate differences for the different types of individual and group departures. Policy and process re-design or re-engineering follows. Most organizations use some existing policy and process design methodologies. Supported by policy, a good set of processes links HR, IT and the other stakeholders to ensure personnel access to information systems, networks, applications and physical locations is disabled.

Like other organizational processes, departure processes, anchored by policies, require orientation, training, exercise, controls, controls monitoring, good communications, and incident response. They also require regular, scheduled review and update.

In my next blog post I will discuss specific issues to consider for personnel departures.