Managing the access control of former users

Managing the access control of former users



This tip was submitted to the searchSecurity Tip Exchange by user Lou Tinto. Let other users know how useful it is by rating the tip below.

One problem consistently encountered during systems audits is ensuring that the IDs for terminated and temporary employees and contractors are removed from the system(s) in a timely manner. One of the comments from Information Security (or the group responsible for establishing the system IDs) is that, "We are not informed when an employee or contractor is terminated."

Here are some effective techniques for eliminating this problem.

For contractors and temporary employees, the ID needs to be set with an expiration date not to exceed the term of the assignment. Ideally, the password should expire monthly and force the user to change monthly. IDs with expired passwords not reset should be revoked after a set period of time.

If a badge is issued to the contractor or temp, the issuing group should immediately contact (e-mail works great) the group responsible for establishing IDs upon receipt of a terminated badge and or knowledge of termination.

If payroll is involved in paying the employee, temp orcontractor (as opposed to Accounting), payroll should immediately contact the group responsible for establishing IDs upon knowing of a termination date. A final paycheck may be able to be held until the badge is received and/ or verification that access for all IDs assigned have

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

been revoked.

Most of the time, a contractor or temp is terminated and the responsible manager either saves the ID for the replacement or uses it as a spare ID. An effective way of combating this is to tie timely removal of these IDs into the manager's performance appraisal. (Exit Interviews of ALL employees, temps and contractors that include a checklist with a line for removal of systems access works well as a reminder for managers.)

Human Resources should also be responsible for contacting the group responsible for establishing IDs upon termination of an employee, temp or contractor. HR should, on a monthly basis, send a list of Terminations and Transfers to the group responsible for establishing the IDs. That group can then do a comparison of the valid system IDs to help ensure the access for the IDs is suspended/revoked.


This was first published in February 2002

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

Back to top