Terminating an employee is one of management's unpleasant tasks. It can also be a minefield from an IT perspective. If you're a security professional, you're undoubtedly familiar with your organization's procedures for handling the termination, resignation or reassignment of a non-technical employee. You may even have a checklist in place for when a member of the IT team leaves the organization. But do you have a policy for how to handle...
the sudden termination of a key system administrator?
It's not a task many security teams are eager to handle – especially on smaller teams where it involves planning for the firing of one of your own. However, you owe it to your organization to plan for this distasteful eventuality. Let's take a look at a few steps you can follow to ease the process:
- Follow your standard procedures. First and foremost, follow the same process that you use for the immediate termination of any employee. Ensure that all organization property assigned to the employee is accounted for. Escort the employee to his or her work area to clear out personal belongings. Issue a reminder of any confidentiality agreements that may survive the employment relationship.
- Change the passwords – all of them. Even if your organization has a Single Sign On (SSO) mechanism, chances are your administrators still use multiple passwords on various systems. If you have common administrative passwords (and you shouldn't, but that's a separate matter!), make sure to change them whenever someone who has access to them leaves. Think carefully to uncover hidden passwords (such as the administrative access code for your telephone system).
- Update contact lists. System administrators often have tremendous authority to act on behalf of the organization. They might be listed as authorized contacts for communications circuits, service contracts and other items that require only verbal authorization for modifications. If an administrator is fired, you'll need to quickly update these lists to protect against acts of revenge.
- Plan ahead. You've already started down this path by reading this tip. Think about all of the steps you'll need to take if an administrator suddenly leaves, and develop them into a checklist that may be rapidly followed. Make sure that multiple individuals have access to the checklist and are aware of the procedures.
Hopefully, you'll never need to invoke this policy. However, it's important that you ensure your organization has a strong policy in place to protect your assets if a termination occurs. As you probably know, the greatest computer security threat is that of the malicious insider. If an administrator is suddenly terminated and still has insider access to your systems, he or she may take drastic action to get revenge upon the organization. It's your duty to prevent that from succeeding.
About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the About.com Guide to Databases.