Departing Personnel: Security Issues Part 1

Presented at RSA Conference USA 2016

The RSA USA Conference for 2016, set in San Francisco, is less than a week away. At the conference I will be facilitating a Peer-to-Peer session, scheduled for Thursday, March 3, 2016, start at 2:10 pm, in Moscone West Room 2021, and titled:

Saying Goodbye: Managing Security for Departing Personnel  (Session ID P2P3-R08)

My last blog post outlined a framework for understanding, planning and managing various types of personnel departures. Today’s post, and the next, explore in more depth specific issues to consider when managing security for departing personnel.

Many personnel departures come about after advance notice, providing the benefit of time to plan for these transitions and manage through them. Referring to the framework outlined in the last post, almost all organizational transitions, that impact groups of people, occur with advance notice. Most individual departures also occur with some amount of advance notice. But some departures are immediate, “events” rather than “transitions”. Event departures still require the “off-boarding” team to follow defined processes, but at speed, with the risk of missing an important task. This makes use of a checklist even more important. And unique to event departures, the first task often is to negotiate for more transition time.

The framework for managing security for departing personnel includes establishing a sound process. This process must include steps to develop a full knowledge of the organizational structure and the information resources used that are impacted by the departure. In practice developing this understanding is unique to each organization, division, or department. There are likely to be reporting and teaming relationships, information assets, and system privileges unique to the role of the departing person. To successfully manage security and decrease risk you have to ask good questions, probe and document, then implement your process to control and transition access.

You have to answer the question: what has the departing person got? Answering this leads to the identification of an inventory of information assets and privileges that need to be secured. Among these:

  • Internal network access
  • Remote access to internal networks
  • Access to specific systems
  • Access to internally hosted applications
  • Access to externally hosted applications
  • Accounts on social media on behalf of the organization
  • Computing assets
    • laptops
    • smart phones
    • portable disks (data and backup)
    • memory sticks, and other storage devices
  • ID badges
  • Credit cards
  • Authentication token devices
  • Company applications and data on personally-owned devices
  • Software license recovery
  • Any and all other property owned by the organization

I stress again that a good checklist is essential to manage a good departure.

Accounts on social media are a particular challenge. People often have personal accounts, where exposure of organization information can really only be addressed by policy and monitoring, and monitoring is really difficult, time-consuming, and at risk of raising issues of privacy. For accounts on

social media on behalf of the organization, it should be clearly agreed by established policy that upon creation these accounts are owned by and managed on behalf of the organization. If possible there should be an opportunity for the organization to control the account without the aid of the departed person.

My next blog post will continue walking through the various issues faced with managing security for departed personnel, including exit interviews, archiving and information stewardship, and legal requirements.