Challenges of deleting user accounts
For many in information security and IT administration, there is little or no notice of an impending staff reduction. This poses two distinct challenges for those responsible for user account governance. The first is identifying all the accounts across disparate systems associated with the pruned staff. The second is disabling or deleting these accounts within a short time frame, sometimes a matter of hours.
Tackling these issues successfully requires a risk-based approach. As a rule, target high-risk systems with large user populations first, such as those with confidential customer data or monetary movement capabilities; low-risk systems such as an internal phone book with few accounts should be last.
Processes for deleting user accounts
To begin the process, identify the accounts to be deleted. If the company has a product like SailPoint Technologies Inc.'s IdentityIQ or Eurekify's Sage, it's way ahead of the game. These identity-governance tools help administrators associate accounts with end users on various systems and manage them according to a policy. These applications can assist in generating lists of accounts targeted for removal on each system. Some even send tickets for deletions to system administrators and feeds to automated provisioning/deprovisioning products. With these tools the first challenge is solved.
In the absence of an identity-governance application or process, administrators should start by querying each system for accounts to be removed. This work can be time consuming, depending on the number of systems. To speed up the process, prepare scripts ahead of time that automatically compare a list of all newly terminated employees to the accounts on a given system.
If the company has an automated provisioning product, such as IBM Tivoli's Identity Manager or Oracle Corp.'s Identity Manager, these applications can be leveraged to disable or delete accounts by default policy. It may be as simple as letting the normal process take its course, with the HR feed triggering a series of events based on employment status, workflows and deprovisioning policies.
If the company doesn't have an automated provisioning product, or if it has one but it isn't hooked into all systems, scripts should be written. These scripts should be fed the list of targeted accounts generated in step one. They should also be tested in lower regions, i.e., in development and QA; it's unwise to interrupt the production environment any more than it's being interrupted by downsizing.
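The discovery and deprovisioning scripts described in the two steps above, as an added example that is not from the article: it reconciles an HR termination feed against per-system account exports, orders the work by risk tier as the article recommends, and defaults to a dry run for development and QA. The HR feed, system exports, system names and tier numbers are all constructed sample data.

```python
import csv
import io

# Constructed HR feed (not from the article): employee id, login, status.
HR_FEED = """emp_id,login,status
1001,jdoe,terminated
1002,asmith,active
1003,bchen,terminated
1004,mlee,terminated
"""
# Constructed per-system account exports, one login per line.
SYSTEM_EXPORTS = {
    "wire_transfer": "login\njdoe\nasmith\nmlee\nsvc_batch\n",
    "crm": "login\njdoe\nbchen\nasmith\n",
    "phonebook": "login\njdoe\nbchen\nmlee\n",
}
# Assumed risk tiers: lower number is worked first, per the article's rule.
RISK_TIER = {"wire_transfer": 1, "crm": 2, "phonebook": 3}


def terminated_logins(hr_feed_csv):
    """Logins whose HR status is 'terminated'; HR, not security, decides this."""
    rows = csv.DictReader(io.StringIO(hr_feed_csv))
    return {r["login"] for r in rows if r["status"].strip().lower() == "terminated"}


def build_plan(hr_feed_csv, exports, risk_tier):
    """Match each system's accounts to the terminated list and return
    [(system, login), ...] ordered by risk tier. Accounts with no terminated
    owner (active staff, service accounts) are never touched."""
    targets = terminated_logins(hr_feed_csv)
    plan = []
    for system, export_csv in exports.items():
        present = {r["login"] for r in csv.DictReader(io.StringIO(export_csv))}
        plan.extend((system, login) for login in sorted(present & targets))
    # Systems missing from the tier map sort last but are still listed.
    plan.sort(key=lambda item: (risk_tier.get(item[0], 99), item[0], item[1]))
    return plan


def apply_plan(plan, disable_fn, dry_run=True):
    """Disable accounts via disable_fn(system, login). dry_run=True (the
    default, for dev/QA runs) changes nothing and only reports what would happen."""
    actions = []
    for system, login in plan:
        if not dry_run:
            disable_fn(system, login)
        verb = "WOULD DISABLE" if dry_run else "DISABLED"
        actions.append(f"{verb} {login} on {system}")
    return actions
```

The `disable_fn` callback is where a real run would call the target system's disable command; keeping it injectable is what lets the same plan be exercised safely in lower regions first.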
Best practices for deleting user accounts
Whatever the company's termination process is, it is imperative to remain in close alignment with HR. Generally speaking, information security and IT administration are not in the business of determining how accounts are to be treated outside of standard policy. The security team should not be in charge of determining what accounts are deleted or when the accounts should be disabled or deleted if that time is outside the standard process. For example, if the automated product deletes accounts at 5:00 a.m. based on an HR feed, does the security team have the authorization to kick that same process off in an ad hoc fashion at noon? Policies on termination should be well-established and published. Adhere to these without exception unless there are other instructions in writing from an appropriate source. The process should be as objective and impartial as possible.
One of the biggest pain points in a layoff scenario is deleting accounts that should have been retained. Try to have a fallback plan for these cases, such as a process to have the accounts restored. Also, ensure that the help desk is aware of who is an active employee and who isn't; don't give a disgruntled employee the chance to call in and have his or her account unlocked and reset.
If your company is one of many enterprises facing economic challenges that may lead to staff reduction in the coming months, bear in mind that the process should be similar regardless of numbers. If the tools and processes are not in place to deal with large numbers of employee terminations, now is the time to start building scripts to discover accounts and disable or delete them, and make sure that HR is fully aware of the process.
About the author:
David Griffeth is the Vice President of Business Line Integration and Reporting at RBS Citizens Bank, a financial institution that is one of the 10 largest commercial banking companies in the United States ranked by assets and deposits. As part of his responsibilities, David manages the Enterprise Identity and Access Management group and is charged with supporting the bank's growth model while maintaining compliance with several regulatory bodies. Prior to his current position, David consulted on major information risk management projects with large companies such as Fidelity Investments and CIGNA. David earned a bachelor's degree in computer science from Framingham State College and holds several certifications including CISSP and CISA.
This was first published in December 2008