We are updating our organization's security policies and found that we don't have a clear way of declaring an employee a security risk or procedures for taking away system access privileges. Do we specify that after a certain number of violations one is a security risk? Do we use personnel policy or some combination of the two? It is not easy to terminate an employee in my organization, so how should we handle an employee who has been declared a security risk, but has not yet been terminated?
To address such issues, the security group, HR and management should work together to define and enforce these policies. Let's review some employee termination procedures.
Before you begin, make sure you have management's support. Management is responsible for selecting the appropriate people to work together on this task. Management and HR should oversee the enforcement of proper employee behavior and the security group should help develop the necessary policies, standards, guidelines and procedures. The security group should also assist with the development of training procedures and conduct training seminars, so if an incident occurs, the organization will be able to handle the situation.
The following are specific strategies for building a structure for dealing with employees even before they are hired.
Step 1: Before employment begins
Perform background checks on all personnel prior to hiring them. The degree of this should depend on the employee's position and the level of access to company resources the individual will have. For example, someone applying for an entry-level position at a paper mill will not require the same level of background check as someone applying for a position with the Secret Service. However, if the individual were applying for a position within the paper mill that has access to funds or other sensitive materials, a more thorough check would be in order.
Due to the sensitive nature of background checks, it's wise to consult with legal counsel before conducting one, regardless of the intended depth. This will help you determine which state and federal legal restrictions and obligations you must abide by, and help you avoid legal trouble.
Step 2: Hiring and orientation
The hiring and orientation process is your first direct chance to stress security's importance within the organization and to equip employees with proper security awareness training, as well as their position's security requirements. Your organization should require that new employees sign a non-disclosure agreement, promising to protect sensitive and confidential data. During the security awareness training, employees should also sign a document stating they have read and understand the company's security policies and the ramifications for non-compliance. These signed documents will protect the company in a legal capacity, if it needs to suspend, terminate or prosecute an employee for their actions.
Establishing a level of expectation from the beginning makes it easier to maintain during the course of their employment. The management team and supervisors should also work together to understand and enforce the messages the employees are exposed to during orientation.
Step 3: Employment
Security training doesn't end with orientation. It's an ongoing process that should continually evolve to meet the needs of the organization. Security requirements will change from one organization to another and, depending upon the security needs of the environment, some practices may be more appropriate than others. For instance, repeated background checks may be necessary to determine if an employee has become a security risk. Once again, if this is necessary, it is in your company's best interest to involve legal counsel in order to avoid serious legal repercussions. Also, any action taken as a result of information gleaned from an investigation should be cleared with an attorney first.
Throughout the duration of employment, every employee should have a supervisor who understands that they are not only responsible for this person's performance, but also for this person's lack of compliance. Therefore, supervisors must be aware of the expectations of their staff, follow up and ensure expectations are met, be told if an employee contributes to an incident and know how to deal with incidents properly. When dealing with governance and compliance, it is of utmost importance that senior and mid-level management understand these topics even more so than the employees, because they'll be the enforcers.
Step 4: After employee termination
When an employee leaves, whether voluntarily or involuntarily, there is always a degree of risk involved. Therefore, it is vital that the process be as smooth as possible. Holding an exit interview reduces this risk, as it is a good time to remind employees that they are legally bound to comply with the organization's security policies, as dictated by the non-disclosure and confidentiality agreements they signed. Additionally, it is important to retrieve physical items like keys and keycards, disable accounts, and deactivate the employee's access to areas and services they were once privileged to use. This will prevent them from remotely accessing services and information they should no longer be able to reach.
The team responsible for your organization's security policies should take these steps into account, because the greatest vulnerability can be the people who work for the organization. However, it's important to remember that while the security team helps create the policies and procedures for suspending a user's access, they should not be the ones making the decision to do so.
Unfortunately, employee termination is inevitable. To minimize the risks that a termination can create, it's important to plan accordingly for this situation. With that said, use this checklist, which highlights key factors to consider when developing employee termination procedures:
- Always have at least one other individual present when informing any employee of their termination. For instance, hold a meeting with the employee, their supervisor and a human resources manager. Do not fire them in a public manner -- that can be embarrassing and draw further attention to the situation.
- Deactivate access to the network and vital services that the employee once had.
- Retrieve all physical access devices such as IDs, keys and smart cards.
- An exit interview should always be performed.
- The employee must return any equipment that is the property of the organization, including any off-site devices.
- Notify HR prior to terminating an employee, so they can prepare final paychecks (including vacation pay) and the exit interview. Also, discuss employee benefits (health insurance, stock options, retirement, life insurance, etc.) with human resources, so the proper steps are taken to either transfer or cease these benefits with the employee's knowledge and understanding.
- Return any personal property from the employee's work space to the employee. Inspect and examine any media or documentation that may contain confidential or proprietary data and information that is the legal property of the organization.
The most important thing to remember about a termination procedure is that without it, an organization may be left with security gaps and other vulnerabilities that someone, a disgruntled former employee for instance, can take advantage of. While organizations don't like to terminate their employees, with the proper procedures in place they should be able to handle this unfortunate scenario.
Related Q&A from Shon Harris