Terminated users who still have access are just as likely to penetrate enterprise systems as current employees. Former employees who retain access are considered by the information security industry to be insiders, making them part of any insider threat.
Besides blocking a terminated user for simple security reasons, removing these users is required for compliance with regulations, such as Sarbanes-Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA). Both of these regulations require regular auditing of access controls and reporting of active accounts. It makes regulatory sense to monitor and remove terminated users from all groups.
You need an identity management system that not only provisions accounts, but also audits and removes stale accounts. When shopping around for such a system, make sure it can automate provisioning and provide auditing and reporting of active and inactive accounts. These systems should automatically flag an account that hasn't been active for a set time period, such as 30 days.
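The audit the paragraph above describes, as an added example (not code from the original article or from any product it names): a reconciliation script that compares a directory export against the HR list of current staff, flags enabled accounts belonging to terminated users together with every group they should be removed from, and flags accounts with no login inside the 30-day window. The record layout, the sample accounts and the HR list are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

STALE_AFTER = timedelta(days=30)  # inactivity threshold from the text; tune per policy


@dataclass
class Account:
    """One row of a directory export (constructed format, not a real product's)."""
    username: str
    last_login: Optional[datetime]   # None means the account has never logged in
    enabled: bool
    groups: list = field(default_factory=list)


# Constructed sample data: HR's list of current staff and a directory export.
HR_ACTIVE = {"alice", "bob", "dana"}

DIRECTORY = [
    Account("alice", datetime(2024, 6, 10, tzinfo=timezone.utc), True, ["finance", "vpn"]),
    Account("bob", datetime(2024, 3, 1, tzinfo=timezone.utc), True, ["engineering"]),
    # carol left the company but her account is still enabled and in three groups
    Account("carol", datetime(2024, 5, 28, tzinfo=timezone.utc), True, ["finance", "vpn", "admins"]),
    # dana was provisioned but has never signed in
    Account("dana", None, True, ["helpdesk"]),
    # eve is already disabled, so nothing further is needed
    Account("eve", datetime(2024, 1, 15, tzinfo=timezone.utc), False, ["vpn"]),
]

NOW = datetime(2024, 6, 12, tzinfo=timezone.utc)  # fixed "current time" so the run is repeatable


def audit(directory, hr_active, now=NOW, stale_after=STALE_AFTER):
    """Return findings keyed by username.

    'terminated': an enabled account whose owner is not on the HR active list;
                  'remove_from' lists every group membership to revoke.
    'stale':      an enabled account with no login within stale_after
                  (never-used accounts count as stale, days_inactive=None).
    """
    findings = {}
    for acct in directory:
        if not acct.enabled:
            continue  # already disabled; skip
        if acct.username not in hr_active:
            findings[acct.username] = {
                "reason": "terminated",
                "remove_from": sorted(acct.groups),
            }
            continue
        inactive_for = now - acct.last_login if acct.last_login else None
        if inactive_for is None or inactive_for > stale_after:
            findings[acct.username] = {
                "reason": "stale",
                "days_inactive": inactive_for.days if inactive_for else None,
                "groups": sorted(acct.groups),
            }
    return findings


def report(findings):
    """Render findings as the kind of list an access-review ticket would carry."""
    lines = []
    for user, f in sorted(findings.items()):
        if f["reason"] == "terminated":
            lines.append(f"{user}: TERMINATED, still enabled; remove from {', '.join(f['remove_from'])}")
        else:
            days = "never logged in" if f["days_inactive"] is None else f"{f['days_inactive']} days inactive"
            lines.append(f"{user}: STALE ({days}); review membership of {', '.join(f['groups'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit(DIRECTORY, HR_ACTIVE)))
```

Running it reports carol as terminated with three groups to revoke, bob as 103 days inactive and dana as never logged in; alice is current and eve is already disabled, so neither appears. The HR feed is the authoritative source here: a stale-login check alone would have missed carol, who signed in two weeks before leaving.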
There are a number of tools on the market that can easily erase ex-employee IDs, provision new ones and change access levels. The Identity Management Suite from BMC Software Inc. has a tool called BMC User Administration and Provisioning, formerly called CONTROL-SA. The tool automates provisioning of accounts for as many (or as few) groups as a user needs access to, and provides complete auditing and reporting capabilities, both for compliance purposes and for internal use by your information security team. It also automatically removes expired users, preventing terminated employees from accessing your systems no matter how many groups they were in. Another product, PowerPassword from Symark Software International, offers similar access management controls but is strictly for Unix- and Linux-based systems. PowerPassword also provides the logging and auditing features required for compliance.
For more information on termination procedures see Chapter 6 of my book, The Little Black Book of Computer Security. The chapter, Managing Human Resources, is excerpted on SearchSecurity.com.