Departing Personnel: Security Risks

Presented at RSA Conference USA 2016

The RSA USA Conference for 2016, set in San Francisco, starts in just a few days. At the conference I will be facilitating a Peer-to-Peer session, scheduled for Thursday, March 3, 2016, start at 2:10 pm, in Moscone West Room 2021, and titled:

Saying Goodbye: Managing Security for Departing Personnel  (Session ID P2P3-R08)

My last blog post explored in depth specific issues to consider when managing security for departing personnel, including transition vs. “event” departures; reviewing specifics of the organization within which the personnel worked; the importance of inventorying impacted information assets; specific issues from the use of social media; exit interviews; information archiving and stewardship; and legal considerations. Today’s post turns to exploring risks around managing security for departing personnel, considering departure of people in special roles, shared accounts, reluctant departures, contacts back to the business, special relationship with vendors and customers, social media monitoring, more detail on personally-owned assets, and departure transition periods.

Managing company information on personally-owned computing devices, laptops, smart phones, and computing services is a challenge even for those not departing the organization, but an even greater challenge for departing personnel. The foundation for managing this risk is set by policy. Each organization should decide how much control to exert. Most organizations restrict the use of company information on personally-owned devices and services, while others require the use of company-owned and provisioned devices and software, including company management, through software, of devices. Compliance with regulatory requirements influences this decision. Once determined, the organization sets down their requirements in a clear statement of policy, ensures all personnel covered by the policy understand it, and monitors for compliance. For the policy to be respected there need to be enforcement actions for violations.

Open question: is there any good way to monitor for company information on personally-owned computing devices and computing services after departure?

People in customer contact roles, such as sales, sales-support, marketing, and service are successful because they build relationships with customers. People in purchasing and supply roles also often work to build relationships with suppliers, to secure better terms, to build trust and reliability. A similar risk are those individuals with significant contact back to the organization following departure. These relationships can present a risk after departure if they are abused against the organization’s interest. This is true generally, but also can involve inappropriate disclosure of company information. The foundation for managing this risk is set by policy, with controls placed through hiring and confidentiality agreements.

People in roles with special privileges in the use of information assets, such as system administrators, database administrators, network engineers, IT security, audit, and managers in special roles, also can present risks leading up to and after departure. But these roles present risk at work, before departure, so it is essential that controls already exist, anchored by policy, to minimize risk of abuse of these special privileges. These controls typically include use of authentication tokens for access, logging of all access and activities, manager confirmation for special actions, and immediate suspension of privileges upon notice of departure.

Shared accounts are always a risk, as they provide no attestation directly to one individual. They shouldn’t exist, but often they do, ironically often system accounts used by systems and database administrators and network engineers, accounts with special, powerful privileges. These accounts can be particularly risky after departure, providing privileged access to systems even after the normal accounts of a departing person are locked or terminated. Shared accounts must be prohibited by policy, configurations designed and implemented so direct use of system accounts is unnecessary, and ongoing monitoring and audits of the direct use of system accounts.

Reluctant departures can involve significant risk. These are individuals who are not departing voluntarily, who may be angry, hostile, aggressive, and looking for retribution or revenge. One outlet for their retribution is inflicting damage on information assets. Here is a challenging balance between watchful awareness and professional respect. The accounts of individuals departing involuntarily should be immediately locked or terminated upon notice of termination.

Another challenging situation are those departures that move through a transition period before leaving. The period can be as short as the end of the business day of notice, or the wrap-up of a contract, or, in the case of senior management, may be as long as a few months. Immediate yet phased restricting of privileges rather than immediate account locking, is one strategy for enabling a productive, respectful termination period while minimizing risk. But special privilege account access should be terminated immediately upon notice.

As noted in a previous blog post, accounts on social media are a particular challenge. The foundation for managing this risk is set by policy, with controls placed through hiring and confidentiality agreements, Yet monitoring can be really difficult, time-consuming, and at risk of raising issues of privacy.

Open question: Is there any good way to monitor for company information on personally-owned social media accounts?

My last blog post on the topic of my Peer-to-Peer session will outline the discussion framework I will use in session, and include some open questions on risk and mitigation that I hope the group will consider. But the wonderful nature of these Peer-to-Peer sessions are that the discussion is owned by the participants, not by me in the role of facilitator. I expect a lively conversation!