Terminating an employee is one of management's unpleasant tasks. It can also be a minefield from an IT perspective. If you're a security professional, you're undoubtedly familiar with your organization's procedures
It's not a task many security teams are eager to handle – especially on smaller teams where it involves planning for the firing of one of your own. However, you owe it to your organization to plan for this distasteful eventuality. Let's take a look at a few steps you can follow to ease the process:
- Follow your standard procedures. First and foremost, follow the same process that you
use for the immediate termination of any employee. Ensure that all organization property assigned
to the employee is accounted for. Escort the employee to his or her work area to clear out personal
belongings. Issue a reminder of any confidentiality agreements that may survive the employment
the passwords – all of them. Even if your organization has a Single Sign On (SSO)
mechanism, chances are your administrators still use multiple passwords on various systems. If you
have common administrative passwords (and you shouldn't, but that's a separate matter!), make sure
to change them whenever someone who has access to them leaves. Think carefully to uncover hidden
passwords (such as the administrative access code for your telephone system).
- Update contact lists. System administrators often have tremendous authority to act on
behalf of the organization. They might be listed as authorized contacts for communications
circuits, service contracts and other items that require only verbal authorization for
modifications. If an administrator is fired, you'll need to quickly update these lists to protect
against acts of revenge.
- Plan ahead. You've already started down this path by reading this tip. Think about all of the steps you'll need to take if an administrator suddenly leaves, and develop them into a checklist that may be rapidly followed. Make sure that multiple individuals have access to the checklist and are aware of the procedures.
Hopefully, you'll never need to invoke this policy. However, it's important that you ensure your organization has a strong policy in place to protect your assets if a termination occurs. As you probably know, the greatest computer security threat is that of the malicious insider. If an administrator is suddenly terminated and still has insider access to your systems, he or she may take drastic action to get revenge upon the organization. It's your duty to prevent that from succeeding.
About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the About.com Guide to Databases.
This was first published in November 2003