Departing Personnel: Security Issues Part 2

Presented at RSA Conference USA 2016

The RSA USA Conference for 2016, set in San Francisco, starts next week. At the conference I will be facilitating a Peer-to-Peer session, scheduled for Thursday, March 3, 2016, starting at 2:10 pm, in Moscone West Room 2021, and titled:

Saying Goodbye: Managing Security for Departing Personnel (Session ID P2P3-R08)

My last blog post explored in more depth specific issues to consider when managing security for departing personnel, including transition vs. “event” departures, reviewing specifics of the organization within which the personnel worked, the importance of inventorying impacted information assets, and specific issues from the use of social media. Today’s post continues this theme of exploring issues.

Almost all departures involve an exit interview, usually with a member of the Human Resources (HR) team. While it is rare that IT or IT Security are present at the interview, it is essential that we contribute to the content of the interview. IT-specific content would include a review and confirmation of the information assets, including accounts, internal and external, and recovery of equipment. It would also include mention of specific policy points where legal responsibility extends beyond the date of departure.

Almost all departures leave behind a “residue” of information, created by or used by the departed person. This information is retained in the internal and external accounts, both application and system accounts, and on the equipment. Good security practice requires an identifiable owner for all information. Following the departure, ownership of this information must be transferred to a “custodian”, perhaps the direct manager but perhaps someone in a dedicated custodian role. Policy should clearly state and communicate that the custodian is not liable or responsible for the content or attribution of the created information itself, but only for safeguarding and managing it.

Next is to address the question: what to do with the information left behind?

Depending upon the role of the departed person, there might be some process for review of the created information before it is transferred to a replacement person, archived, or deleted. Out-boarding process design should account for this review for critical roles.

In the case of transfer to a replacement person, that new individual will likely integrate the acquired information with their own, making attribution challenging. The best and easiest solution for this is to retain an intact, digitally signed copy that can be consulted if any question arises later.
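One way to produce that intact, signed copy, as an added example rather than anything from the original post: take a snapshot of the departed person's files at hand-over, render it as a deterministic manifest naming the creator and the custodian, and sign the manifest with the organization's archive key. Later, when the successor's merged copy raises an attribution question, the retained files are re-hashed and checked against the signature. The record type, field names and sample file contents are assumptions made up for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"sort"
)

// ArchiveRecord is the snapshot taken at departure (fields and sample data are assumptions).
type ArchiveRecord struct {
	Creator, Custodian string
	Files              map[string][]byte // path -> content
}

// Manifest renders the record as deterministic text (sorted paths, SHA-256
// digests) so the same snapshot always yields the same bytes to sign.
func Manifest(r ArchiveRecord) string {
	paths := make([]string, 0, len(r.Files))
	for p := range r.Files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	m := fmt.Sprintf("creator=%s\ncustodian=%s\n", r.Creator, r.Custodian)
	for _, p := range paths {
		m += fmt.Sprintf("%x %s\n", sha256.Sum256(r.Files[p]), p)
	}
	return m
}

// Sign covers the manifest with an Ed25519 signature from the organization's
// archive key, so later edits by a successor or custodian cannot pass unnoticed.
func Sign(priv ed25519.PrivateKey, r ArchiveRecord) []byte {
	return ed25519.Sign(priv, []byte(Manifest(r)))
}

// Verify recomputes the manifest from the retained copy and checks it against
// the signature captured at departure; any edited or missing file fails.
func Verify(pub ed25519.PublicKey, r ArchiveRecord, sig []byte) bool {
	return ed25519.Verify(pub, []byte(Manifest(r)), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader -> crypto/rand
	rec := ArchiveRecord{Creator: "j.doe", Custodian: "custodian.role",
		Files: map[string][]byte{"reports/q4.txt": []byte("draft v3")}}
	sig := Sign(priv, rec)
	fmt.Println("intact:", Verify(pub, rec, sig)) // true
	rec.Files["reports/q4.txt"] = []byte("edited after departure")
	fmt.Println("after edit:", Verify(pub, rec, sig)) // false
}
```

The signature and manifest should be stored with the archive but separately from the working copy handed to the successor, and the archive key kept by the out-boarding process rather than by either party to the hand-over.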

Most organizations have a policy for information retention and destruction, balancing the concerns of storage burden, possible future use, and the legal risk of unnecessary retention. Archived information from departed personnel should follow this process. It is worth reviewing the retention and destruction process to be sure it accommodates this category of archive.

There are legal issues involving IT and IT Security for departed personnel. Already mentioned is the requirement to reduce the legal risk of unnecessary retention. The counterpoint to this is having policy and process in place to safeguard information that falls under the category of required e-discovery, and this information may be from departed personnel. There is also the need for policy and process to set the boundaries and clear demarcation between organization-owned and personally-owned assets, including computing equipment and intellectual property, and how these assets are to be used in conducting the business of the organization.

My next blog will turn to a set of risks to consider when managing security for departed personnel, considering the departure of people in special roles, shared accounts, reluctant departures, contacts back to the business, special relationships with vendors and customers, social media monitoring, more detail on personally-owned assets, and departure transition periods.