Let’s talk about a Leavers Policy

• by Ellie Hurst
• Advent IM Blog

Del Brazil takes a look at recent security failures that made the news and could have been managed or prevented with a robust leavers policy and its careful application.

An American college had cause to dismiss one of its IT Administrators and requested that all college IT equipment be returned.  The employee complied but not before wiping the laptop hard drive and rendering the laptop unusable to the college.  The additional issue associated with the laptop was that the college’s Gmail Admin account password had been stored on the laptop.  This, coupled with the fact that the dismissed employee’s personal email account had been set as the default email used for resetting passwords, caused major issues for the college.  The resulting impact for the college was that their students were unable to access their Google hosted email accounts.  The issue was eventually resolved with the college liaising with Google and having to fully explain the sequence of events and the current situation.  This is a clear example of one potential issue that can occur in the event personnel are dismissed with no formalised/structure leavers process being followed.  If the college had a formalised leavers process in place, the dismissed member of staff would have been required to surrender not only all IT equipment, but also any passwords associated with their their role.  These passwords could then have been changed to prevent the dismissed employee any further access to systems, whilst also ensuring that the college retained the necessary administrator access to maintain their Google accounts.

Currently, the case is being handled by the authorities and courts, as the dismissed individual is claiming that a degree of discrimination had taken place whilst they were employed by the college; however the college is also seeking damages totalling approximately $500,000 which is the estimated cost attributed to the loss of services they incurred.

This recent event has highlighted the need for organisations to have robust starters and leavers processes and/or policies in place in order to maintain access to their systems.

The main focus of ensuring that an appropriate and effective leavers policy and process is in place is to ensure that all equipment loaned to staff is returned and accounted for, whilst ensuring that all network and email access privileges are restricted or removed.  There is a distinct possibility that personnel who are dismissed for disciplinary reasons may wish to cause disruption or destroy information or assets related to the organisation.  This is further compounded by the possibility that disgruntled staff may steal and or release information to competitors or publish in the public domain to cause embarrassment and loss or reputation to the organisation, third parties or even worse potentially, customers.

A good starters/leavers policy should involve the input of a number of departments within an organisation to ensure that the necessary actions have been completed to ensure that the individual concerned has the correct privileges assigned to them prior to taking up post with the organisation, the same can be said when we deal with personnel leaving the organisation.  Departments that could be included within the starters/leavers process may include but is not limited to the following:-

• HR – To ensure that appropriate vetting and staff records are completed.

• Line Manager – To ensure that the role to be filled is in line with the employee’s capability and specialisation.

• IT – To ensure that a user account is created in line with the necessary permissions and file shares approved by the employee’s line manager.

• IT/Line Manager – To ensure that any necessary equipment is made available to the employee in line with the needs of their assign role.

• Security – To ensure that the necessary access permissions are provided (door combinations and/or swipe cards).

Another good example of a poor starters and leavers process is the incident involving a Pennsylvania woman, who faced three charges of unlawful use of a computer and a further three charges of computer trespassing/altering data.  The individual had previously worked within the District office as an administrative office secretary from 2008 through April, 2011 and was responsible for managing employee user accounts.   The individual concerned had initially hacked into the children’s school’s District computer system using the schools superintendent’s credentials and altered the children’s grades.  The individual was also found to be using various passwords to access HR systems which facilitated access to personnel files and numerous emails.  In this instance the school failed to not only implement a good starters/leavers policy but also failed to recognise the importance of segregation of duties or carryout any protective monitoring and/or auditing.  In the example stated above not only was the individual permitted to create/manage user accounts without any supervisory checks being conducted but they were also able to abuse their position by either impersonating another user or creating bogus accounts which permitted access to various pieces of sensitive employee data.

It is the author’s recommendation that all organisations, irrelevant of size, should review their current starters/leavers processes along with their methodology for segregating duties to ensure that they do not fall foul of a similar occurrence.  A good audit program and/or protective monitoring solution may potentially highlight any inappropriate use or at very least highlight suspicious/questionable user activity.