This tip was submitted to the searchSecurity Tip Exchange by user Lou Tinto. Let other users know how useful it is by rating the tip below.
One problem consistently encountered during systems audits is ensuring that the IDs for terminated and temporary employees and contractors are removed from the system(s) in a timely manner. One of the comments from Information Security (or the group responsible for establishing the system IDs) is that, "We are not informed when an employee or contractor is terminated."
Here are some effective techniques for eliminating this problem.
For contractors and temporary employees, the ID needs to be set with an expiration date not to exceed the term of the assignment. Ideally, the password should expire monthly and force the user to change monthly. IDs with expired passwords not reset should be revoked after a set period of time.
If a badge is issued to the contractor or temp, the issuing group should immediately contact (e-mail works great) the group responsible for establishing IDs upon receipt of a terminated badge and or knowledge of termination.
If payroll is involved in paying the employee, temp orcontractor (as opposed to Accounting), payroll should immediately contact the group responsible for establishing IDs upon knowing of a termination date. A final paycheck may be able to be held until the badge is received and/ or verification that access for all IDs assigned have
Most of the time, a contractor or temp is terminated and the responsible manager either saves the ID for the replacement or uses it as a spare ID. An effective way of combating this is to tie timely removal of these IDs into the manager's performance appraisal. (Exit Interviews of ALL employees, temps and contractors that include a checklist with a line for removal of systems access works well as a reminder for managers.)
Human Resources should also be responsible for contacting the group responsible for establishing IDs upon termination of an employee, temp or contractor. HR should, on a monthly basis, send a list of Terminations and Transfers to the group responsible for establishing the IDs. That group can then do a comparison of the valid system IDs to help ensure the access for the IDs is suspended/revoked.
This was first published in February 2002