You Can’t Take It With You: Discussion Framework

Presented at RSA Conference USA 2017

During the RSA USA Conference 2017, in San Francisco, I facilitated a Peer-to-Peer session, held on Thursday, February 16, at 4 pm. The session title is:
You Can’t Take It With You! How to Manage Security When Personnel Depart (Session P2P2-R11)

The session description is:
How can you manage information security when people leave your organization? Expanding on the popular 2016 P2P session, let’s talk best practices for managing IT security for the off-boarding process.

This blog post covers the topic of my Peer-to-Peer session and presents the discussion framework I used in the session. It includes topics for consideration, including some that we did not have the opportunity to talk about in the session.

Context for discussion
  • “Off-Boarding” processes involve both People and Technology
  • Departure types – People
    • Human, emotional, belonging/identity aspects
    • Employees
    • Contractors
    • Interns
    • Guest workers
    • Visitors
  • Departure types – Process
    • Individual
      • Resignations (voluntary)
      • Terminations
      • Contractual
      • Internship
      • Visits
    • Group
      • Reorganizations
      • Spin-offs
      • Outsourcing
      • Organizational sales
      • Contractual
  • Team – cross-functional
    • Planning
      • HR, Legal, Risk Management, IT, Payroll, Facilities, Physical Security
    • Process execution
      • HR, Legal, IT, Payroll, Facilities, Physical Security
  • Policy & Process design
    • Some call this “Off-boarding”
    • Processes different for different departure types
    • Policy framework, authoring, update
    • Process definition: A process that links HR, IT and other groups to ensure that a departing person's access to information systems, networks, applications and physical locations is disabled.
    • “Checklist” approach for consistency and completeness
  • Training, Operations & Audit
    • Tabletop exercises
    • Controls monitoring
    • “Residual” access
    • Incident response
Risks for consideration (particular to this issue)
  • Company information on personally owned computing devices and computing services
    • Forcing use of company-owned devices
    • Forcing management of personally owned computing devices
    • Restricting through policy company information uploaded to computing services
  • Departure of people in special roles, such as sys admin, manager, security, audit
  • Shared accounts (yes, they shouldn’t exist, but they may)
  • Reluctant departures
  • Contacts back to the business
  • Special relationships with vendors and / or customers
  • Social media monitoring
  • Transition periods
    • End-of-day, end-of-contract, wind-down, guesting
  • Controversial: Moral and psychological balancing
  • Model for addressing risk and mitigation
Issues for consideration
  • Events vs. transitions
    • Immediate departure events with no access
    • Transition phases with access limitations
  • Complete knowledge of every department impacted by departure
    • Different for different companies, divisions and job descriptions
    • Address the genuinely custom items, such as special privileges, access and assets
  • What has the departing person got? (asset inventory & retention)
    • Internal network access
    • Remote access
    • Systems access
    • Internal application access
    • External application access
    • Social media access
      • Intentional upload
      • Unintentional upload
    • Computing assets
      • Laptops
      • Smart phones
      • Portable disks (data and backup)
      • Memory sticks
      • Other storage devices
    • ID badges
    • Credit cards
    • Authentication token devices
    • Company applications and data on personal devices
    • License recovery
    • Any and all other company-owned property
  • Exit interview
  • Archiving & information stewardship
    • Assignment & responsibilities of new ownership
    • Do not delete accounts, but make them inactive, with new ownership
    • Attribution risk?
    • Records review and assimilation
    • Scheduled destruction
  • Legal requirements
    • Intellectual property ownership and monitoring
    • Personal property ownership
    • e-discovery mitigations and restrictions
  • Other
    • Impulse to take
    • Prediction: HR -> legal -> IT (behavioral analytics)
    • Most property is taken within 90 days of departure
    • 50% admitted to taking property after departure
    • Most digital assets are taken via email, cloud, memory stick
    • Target critical roles for monitoring
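As an added illustration (not part of the session material above), the “checklist” approach, the “residual access” controls monitoring and the events-vs-transitions distinction can be combined into one reconciliation job: join the HR departure roster against the identity/access inventory and the asset register, and emit the items still open for each departed person. An immediate departure has every enabled grant flagged the day after the departure date; a transition phase keeps only an explicitly allowed set of systems enabled until the transition end date, after which everything is flagged. The roster entries, grant and asset records, field names and the “allowed during transition” set are constructed sample data and assumptions, not any product’s schema.

```python
"""Residual-access reconciliation for off-boarding (added example).

Joins an HR departure roster against an access inventory and an asset
register and returns the still-open checklist per departed person.
All datasets and field names below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Departure:
    person: str
    kind: str                       # "immediate" (event) or "transition" (phase)
    departs: date                   # last day of unrestricted access
    transition_ends: Optional[date] = None   # only meaningful for "transition"
    # Systems that may stay enabled during the wind-down (assumed policy field)
    allowed_during_transition: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Grant:
    person: str
    system: str
    enabled: bool


@dataclass(frozen=True)
class Asset:
    person: str
    item: str
    returned: bool


def open_items(dep, grants, assets, as_of):
    """Still-open checklist items for one departed person as of `as_of`."""
    items = []
    if as_of <= dep.departs:
        return items            # still employed: nothing to disable or recover yet
    in_transition = (dep.kind == "transition"
                     and dep.transition_ends is not None
                     and as_of <= dep.transition_ends)
    for g in grants:
        if g.person != dep.person or not g.enabled:
            continue
        if in_transition and g.system in dep.allowed_during_transition:
            continue            # explicitly permitted during the transition phase
        items.append(("disable-access", g.system))   # residual access
    for a in assets:
        if a.person == dep.person and not a.returned:
            items.append(("recover-asset", a.item))
    return items


def residual_access_report(departures, grants, assets, as_of):
    """Map each person who still has open items to their sorted checklist."""
    report = {}
    for dep in departures:
        items = open_items(dep, grants, assets, as_of)
        if items:
            report[dep.person] = sorted(items)
    return report


# Constructed sample data: one immediate departure, one active transition,
# one transition that has already ended, and one current employee (dave).
DEPARTURES = [
    Departure("alice", "immediate", date(2017, 2, 10)),
    Departure("bob", "transition", date(2017, 2, 1), date(2017, 3, 1),
              frozenset({"email"})),
    Departure("carol", "transition", date(2017, 1, 5), date(2017, 1, 20),
              frozenset({"email"})),
]
GRANTS = [
    Grant("alice", "vpn", True), Grant("alice", "crm", True),
    Grant("alice", "email", False),
    Grant("bob", "email", True), Grant("bob", "vpn", True),
    Grant("bob", "sysadmin-root", True),
    Grant("carol", "email", True), Grant("carol", "vpn", False),
    Grant("dave", "vpn", True),
]
ASSETS = [
    Asset("alice", "laptop", False), Asset("alice", "badge", True),
    Asset("bob", "hardware-token", False),
    Asset("carol", "laptop", True),
]

if __name__ == "__main__":
    for person, items in residual_access_report(
            DEPARTURES, GRANTS, ASSETS, date(2017, 2, 16)).items():
        print(person, items)
```

Run on a schedule against the real roster and inventories, a non-empty report is exactly the “residual access” finding the controls-monitoring item refers to; the per-person checklist doubles as the audit record that the off-boarding process ran to completion.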

Please contact me with any additions, ideas or questions on this material. I will update these framework notes with the feedback I receive.