Presented at RSA Conference USA 2017
During the RSA USA Conference 2017, in San Francisco, I facilitated a Peer-to-Peer session, held on Thursday, February 16, at 4 pm. The session title is:
You Can’t Take It With You! How to Manage Security When Personnel Depart (Session P2P2-R11)
The session description is:
How can you manage information security when people leave your organization? Expanding on the popular 2016 P2P session, let’s talk best practices for managing IT security for the off-boarding process.
This blog post covers the topic of my Peer-to-Peer session and presents the discussion framework I used in the session. It includes topics for consideration, including some that we did not have the opportunity to talk about in the session.
- “Off-boarding” processes involve both People and Technology
- Departure types – People
  - Human, emotional, belonging/identity aspects
  - Employees
  - Contractors
  - Interns
  - Guest workers
  - Visitors
- Departure types – Process
  - Individual
    - Resignations (voluntary)
    - Terminations
    - Contractual
    - Internship
    - Visits
  - Group
    - Reorganizations
    - Spin-offs
    - Outsourcing
    - Organizational sales
    - Contractual
- Individual
- Team – cross-functional
  - Planning
    - HR, Legal, Risk Management, IT, Payroll, Facilities, Physical Security
  - Process execution
    - HR, Legal, IT, Payroll, Facilities, Physical Security
- Planning
  - Policy & Process design
    - Some call this “off-boarding”
    - Processes differ for different departure types
    - Policy framework, authoring, update
    - Process definition: a process that links HR, IT and other groups to ensure that personnel access to information systems, networks, applications and physical locations is disabled
    - “Checklist” approach for consistency and completeness
  - Training, Operations & Audit
    - Tabletop exercises
    - Controls monitoring
    - “Residual” access
    - Incident response
  - Company information on personally owned computing devices and computing services
    - Forcing use of company-owned devices
    - Forcing management of personally owned computing devices
    - Restricting, through policy, company information uploaded to computing services
  - Departure of people in special roles, such as sys admin, manager, security, audit
    - Shared accounts (yes, they shouldn’t exist, but maybe do)
  - Reluctant departures
    - Contacts back to the business
    - Special relationships with vendors and/or customers
    - Social media monitoring
  - Transition periods
    - End-of-day, end-of-contract, wind-down, guesting
    - Controversial: moral and psychological balancing
- Model for addressing risk and mitigation
  - Events vs. transitions
    - Immediate departure events with no access
    - Transition phases with access limitations
  - Complete knowledge of every department impacted by the departure
    - Different for different companies, divisions and job descriptions
    - Address really custom items, such as special privileges, access and assets
- What has the departing person got? (asset inventory & retention)
  - Internal network access
  - Remote access
  - Systems access
  - Internal application access
  - External application access
  - Social media access
    - Intentional upload
    - Unintentional upload
  - Computing assets
    - Laptops
    - Smart phones
    - Portable disks (data and backup)
    - Memory sticks
    - Other storage devices
  - ID badges
  - Credit cards
  - Authentication token devices
  - Company applications and data on personal devices
  - License recovery
  - Any and all other company-owned property
- Exit interview
- Archiving & information stewardship
  - Assignment & responsibilities of new ownership
    - Do not delete accounts, but make them inactive, with new ownership
    - Attribution risk?
  - Records review and assimilation
  - Scheduled destruction
  - Legal requirements
    - Intellectual property ownership and monitoring
    - Personal property ownership
    - e-discovery mitigations and restrictions
- Other
  - Impulse to take
    - Prediction: HR -> Legal -> IT (behavioral analytics)
    - Most property is taken within 90 days of departure
    - 50% admitted to taking property after departure
    - Most digital assets are taken via email, cloud, memory stick
  - Target critical roles for monitoring
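As an added example (not part of the session material or this post), here is a small "residual access" control check of the kind the Controls monitoring, "Residual" access and "make accounts inactive, with new ownership" items above call for: it joins a constructed HR departure feed with a constructed account export and flags accounts that are still enabled, were used after the departure date, were disabled but never handed to a current owner, or are shared. The field names and sample identifiers are assumptions; the 90-day monitoring window is taken from the outline.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Account:
    account_id: str
    owner_id: str              # person_id of the owner of record
    enabled: bool
    last_login: "date | None"
    shared: bool = False       # the "shouldn't exist, but maybe does" case

WATCH_DAYS = 90                # post-departure window the outline cites
AS_OF = date(2017, 2, 16)      # constructed "today" for the sample run

# Constructed stand-in for an HR departure feed: person_id -> departure date.
DEPARTURES = {
    "u1001": date(2017, 2, 1),     # resignation
    "u1002": date(2017, 2, 10),    # termination
    "u1003": date(2017, 1, 15),    # contract end
}
# Constructed stand-in for a directory/application account export.
ACCOUNTS = [
    Account("vpn-u1001", "u1001", True, date(2017, 2, 5)),       # still on, used after leaving
    Account("mail-u1001", "u1001", False, date(2017, 1, 31)),    # inactive, owner not reassigned
    Account("mail-u1002", "mgr-0042", False, date(2017, 2, 9)),  # inactive and reassigned: clean
    Account("svc-backup", "u1003", True, None, shared=True),     # shared account left enabled
    Account("mail-u1999", "u1999", True, date(2017, 2, 14)),     # current staff: not in scope
]

def residual_access(departures, accounts, as_of):
    """Return (account_id, issue) pairs for accounts still tied to departed people."""
    departed = {p: d for p, d in departures.items() if d <= as_of}
    findings = []
    for acct in accounts:
        left_on = departed.get(acct.owner_id)
        if left_on is None:
            continue                                   # owner is current staff
        if acct.enabled:
            findings.append((acct.account_id, "still enabled after departure"))
            if acct.last_login and acct.last_login > left_on:
                findings.append((acct.account_id, "used after departure: hand to incident response"))
        else:   # disabled as required, but never handed to a current owner
            findings.append((acct.account_id, "inactive but ownership not reassigned"))
        if acct.shared:
            findings.append((acct.account_id, "shared account: rotate credential and reassign"))
    return findings

def in_watch_window(departure_date, as_of, days=WATCH_DAYS):
    """True while a departure sits inside the heightened-monitoring window."""
    return departure_date <= as_of <= departure_date + timedelta(days=days)
```

Run against a real HR feed and account export, the same join also gives the "events vs. transitions" view: anything flagged for a person with a transition period needs the agreed access limitations checked rather than a straight disable.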
Please contact me with any additions, ideas or questions on this material. I will update these framework notes with the feedback I receive.