Wednesday, January 20, 2010

Bill's Recommendations - Mitigating an Employee Termination

As an Information Security professional, one of your major duties will involve mitigating risk to your organization's IT infrastructure. Those risks are both external and internal. Believe it or not, you are more likely to suffer an internal attack than an external one. The internal threat commonly arises at the time of an employee's termination. Here are some scary statistics for you to look at from a blog over at A common theme from research I have done revolves around communication issues between Human Resources (HR) and Information Technology (IT) departments.

Here's a scenario to consider:


You're a Network Administrator for a local company. Every morning (or evening!) you come in and check your email, grab some coffee or Mt. Dew, check your email again, and start to perform your everyday duties of monitoring, working with resources and Active Directory, and backup duties, along with the mountain of projects all IT people have. But I digress...

As you are walking through the halls you notice that an office or cube that was previously occupied is empty. You ask the closest neighbor who was in there and the reply is, "Oh, didn't you hear? Joe (or Jane) left the company last week." -OR- "Oh, didn't you hear? Joe (or Jane) was fired last week and made a big scene. It was like watching a bad soap opera..." BUT you stop listening because you are in panic mode, right?!?! Your network has had a possible security breach for that period of time and it's still happening right now. You rush off to your HR department to verify.


This situation can be mitigated by opening the communication channels between HR and IT. Begin by educating the HR department on the threat and risks to data and resources associated with delaying notification to IT of an employee termination. Work with them on a notification process and a timetable within which they need to notify IT.

Here are some suggested steps to follow when alerted of a pending termination:

1. Immediately disable the employee's user accounts and access to resources. DO NOT DISCUSS WITH ANYONE! It is imperative that confidentiality be maintained during this process. You do not want to alert the employee to pending action(s) because they may begin malicious activities such as deleting data or becoming violent in the workplace.

2. Inform HR that access has been disabled. Request that security or management be present at the time of action. It is important that a procedure be in place for this part. A best practice would be to instruct the employee to cease current activity and to back away from the system, and then be escorted to HR. The employee should be escorted to and from any point during the termination phase.

3. Perform a full backup and audit of the system. It's also a good idea to check for any encryption software that may be installed. This could bite you badly if the system is turned off and the encryption software requires a password. If encryption exists, request/require that the employee provide the keys used for encrypting and decrypting.

Here are some suggested steps when alerted of a pending voluntary departure:

1. Work on documenting what that employee knows about systems they worked with. I can't tell you how many times I was in a situation where a previous employee knew the ins and outs of a system, network, or wiring infrastructure where there was no documentation when they left or were fired. This can be a major source of frustration for a tech or admin.

2. Ask the employee to train someone on the basics of what they do. This may or may not work, depending on the employee's attitude towards leaving or co-workers. It doesn't hurt to ask.

3. Prepare for the departure. Make a list of assets that will need to be returned and audit afterwards to ensure everything has been returned to the organization. It wouldn't be good to have that $1000 laptop go missing and throw a budget out of whack!

4. Keep the Lines of Communication Open. One never knows when a question may come up that only the former employee would know. Maybe they could become a future consultant?

Every organization handles these situations differently. This post just offers some basic suggestions on how to mitigate a possible internal threat to your data and network infrastructure. Here are some links to additional information, both really good articles:

How to Fire an Employee - By Andy Weeks

Don't Overlook This Easy-To-Miss Security Threat - By Michelle Hamilton