Departing Personnel: Discussion Framework

Presented at RSA Conference USA 2016

The RSA USA Conference for 2016, set in San Francisco, started today in just a few days. At the conference I will be facilitating a Peer-to-Peer session, scheduled for Thursday, March 3, 2016, starting at 2:10 pm, in Moscone West Room 2021, and titled:

Saying Goodbye: Managing Security for Departing Personnel  (Session ID P2P3-R08)

My last blog post discussed a set of risks to consider when managing security for departed personnel, considering departure of people in special roles, shared accounts, reluctant departures, contacts back to the business, special relationships with vendors and customers, social media monitoring, more detail on personally-owned assets, and departure transition periods.

This last blog post on the topic of my Peer-to-Peer session presents the discussion framework I will use in the session, and includes some open questions on risk and mitigation that I hope the group will consider. Check back as I may add content to this discussion framework during the week.


  • Types of people
  • Types of people departures
  • Types of group departures
  • Departure timing

Threat model

  • Systems and application access we don’t know about
  • Shared accounts we don’t know about
  • Departures of personnel with privileged access (SA, DBA, NA)
  • Reluctant departures
  • Cultural differences
  • Inappropriate contacts back to the organization
  • Social media disclosures, intentional and inadvertent
  • Partner and customer disclosures
  • Information assets they have and where they’ve stored it
  • Storage on personally-owned devices
  • Legal or privacy violation from intrusive survey
  • Leakage during transition periods
  • Unclear responsibility for information assets reclaimed
  • Reclaimed assets destroyed too soon, or kept too long (legal risk)


  • Appropriate design decision team, linking HR, IT, ITSec, Risk Mgmt, Payroll, Facilities, PhysicalSec
  • Foundational policy, communicated and tested
  • Set the stage for departure with good processes and controls during employment
  • Defined process threads tailored to the departure context, with tested control points
  • Appropriate operations team
  • Risk avoidance, transference, acceptance
  • Checklist(s)
  • Evergreen: regular process renewal, regular training
  • Internal and external audits, with accountability and deadlined remediation
  • Management of personally-owned devices??
  • Remanent steward (manager?) controls inactive reclaimed assets


  • Monitoring after departure; risk, resources, harassment?
  • Inspection of personally-owned devices and personally-owned external accounts?
  • Timing of the end of access?
  • Conflicts between the design and operations teams?
  • Who should own the information left behind?

These Peer-to-Peer sessions provide the opportunity for an open, intimate discussion owned by the participants where the details of the discussion stay in the room. I hope this framework, and the questions I pose, spark insights and actionable ideas that can be implemented upon return.