You Can’t Take It With You: Discussion Notes

Presented at RSA Conference USA 2017

During the RSA USA Conference 2017, in San Francisco, I facilitated a Peer-to-Peer session, held on Thursday, February 16, at 4 pm. The session title is:
You Can’t Take It With You! How to Manage Security When Personnel Depart (Session P2P2-R11)

The session description is:
How can you manage information security when people leave your organization? Expanding on the popular 2016 P2P session, let’s talk best practices for managing IT security for the off-boarding process.

The session was almost completely full, and almost everyone contributed to the conversation. A variety of points were raised, from different backgrounds and concerns, with the talk flowing around the room. This direct connection is what Peer-to-Peer sessions offer within the larger conference, which is attended by more than 40,000 people.

Shortly after the session concluded I wrote out notes capturing what I remembered of the conversation, which I share here.

  • A defense contractor needs to track activity much more closely during employment, and before and after termination; they are looking to fold in social media activity
  • Onyx software to track activity
  • DLP is used to track activity, but the package used was biased toward Windows, which was a problem in a mixed platform environment
  • Network segmentation for departures
  • Most concerning activity happens just before, and within 30 days after termination
  • HR is often involved, but not prepared for IT-oriented issues
  • Large group changes, in the specific case a merger, overwhelmed HR and IT processes
  • Particular roles cause concern; specific case cited was sales people leaving with customer lists
  • People issues and technology issues
  • Identifying residual data can be particularly difficult for people who have had different roles through the years; existing processes focus on cleanup of the current (last) job, but have difficulty moving back through the previous roles
  • Risk incurred by transition periods, where some access is provided after termination or departure announcement
  • Concern about resignations, where the organization has no control or visibility until the departure is announced by the person
  • Contractors are not trained to the level of employees, leading to risk
  • Issues with company data on personal devices: what access to allow, whether to impose agent control, and how to reclaim or remove data upon departure
  • Issues balancing privacy with monitoring, particularly in countries with differing privacy requirements
  • Who drives departure processes? It varies: sometimes HR, sometimes Legal, never IT Security. The driver provides momentum, which supports funding and teaming
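Several of the points above (activity concentrated just before and within 30 days after termination, residual access left over from earlier roles, and access that lingers through a transition period) lend themselves to a simple, repeatable check a security team can run against its own HR feed and access logs. The following is an added example written for these notes, not something presented in the session or used by any of the participants. All data in it is constructed: the departure records, the role-to-entitlement mapping, the entitlement snapshot and the log lines are placeholders, and the 30-day window is taken directly from the discussion.

```python
from datetime import date, timedelta

# Constructed departure records (hypothetical users and dates).
# Roles are listed oldest to newest; the last entry is the job held at departure.
DEPARTURES = {
    "alice": {"terminated": date(2017, 1, 31), "roles": ["finance-analyst", "sales-rep"]},
    "bob":   {"terminated": date(2017, 2, 10), "roles": ["sysadmin"]},
}

# Constructed mapping of the entitlements each role should carry.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp-read"},
    "sales-rep":       {"crm-read", "crm-export"},
    "sysadmin":        {"vpn", "prod-ssh"},
}

# Constructed snapshot of what each departing account still holds in the
# identity system. alice's "erp-read" is left over from her earlier role, which
# a cleanup focused only on the final job would miss.
CURRENT_ENTITLEMENTS = {
    "alice": {"crm-read", "crm-export", "erp-read"},
    "bob":   {"vpn", "prod-ssh"},
}

# Constructed access-log lines in the form "YYYY-MM-DD user resource action".
LOG_LINES = """\
2017-01-15 alice crm export-customer-list
2017-01-29 alice crm export-customer-list
2017-02-05 alice vpn login
2017-02-20 bob prod-ssh login
2017-02-02 carol crm view
"""

# Window of concern on either side of the termination date, per the discussion.
WINDOW = timedelta(days=30)


def parse_log(text):
    """Parse the constructed log format into (date, user, resource, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, resource, action = line.split()
        y, m, d = (int(part) for part in day.split("-"))
        events.append((date(y, m, d), user, resource, action))
    return events


def residual_entitlements(departures, role_entitlements, current):
    """Entitlements a departing account still holds that its final role does not justify.

    Comparing against the final role only is the weakness the notes describe; the
    surplus this returns is exactly the access inherited from previous roles.
    """
    findings = {}
    for user, rec in departures.items():
        final_role = rec["roles"][-1]
        expected = role_entitlements.get(final_role, set())
        extra = current.get(user, set()) - expected
        if extra:
            findings[user] = sorted(extra)
    return findings


def activity_in_window(events, departures, window=WINDOW):
    """Events by departing users within `window` before or after termination.

    Post-termination events are marked separately: an account that is still
    authenticating after its termination date is an off-boarding failure in
    itself, regardless of what it touched.
    """
    flagged = []
    for when, user, resource, action in events:
        rec = departures.get(user)
        if rec is None:
            continue  # not a departing user; outside the scope of this check
        t = rec["terminated"]
        if t - window <= when <= t + window:
            flagged.append({
                "user": user,
                "date": when.isoformat(),
                "resource": resource,
                "action": action,
                "after_termination": when > t,
            })
    return flagged


if __name__ == "__main__":
    for user, extra in residual_entitlements(DEPARTURES, ROLE_ENTITLEMENTS, CURRENT_ENTITLEMENTS).items():
        print(f"residual access for {user}: {', '.join(extra)}")
    for hit in activity_in_window(parse_log(LOG_LINES), DEPARTURES):
        tag = "AFTER TERMINATION" if hit["after_termination"] else "pre-departure window"
        print(f"{hit['date']} {hit['user']} {hit['resource']} {hit['action']} [{tag}]")
```

In practice the departure records would come from the HR system (the session noted HR usually owns the trigger even when it is not prepared for the IT side), the entitlement snapshot from the identity provider, and the events from whatever central log store the DLP or SIEM already feeds; the point of the example is that both checks need the full role history, not just the last job, and that the window must extend past the termination date rather than stopping at it.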

Please contact me with any additions, clarifications or questions. I will update the notes with the feedback I receive.