Revoking access privileges when someone leaves a job [closed]
Score: 18. Asked Jul 23 '12 at 11:22 by iamserious; edited Jul 23 '12 at 16:55 by HLGEM.
I work in a start-up company, with a very small team. This has been my first and only job since I graduated, too.
Recently, a person on the design team left our company for greener pastures elsewhere. He had access to the production server via FTP, email, etc., and I have rounded up all of the stuff that belonged to him and have discontinued / removed it from the server.
I was just wondering what the procedures are when someone leaves the company, to remove all of their intra-company access. All this is fairly easy because we are a start-up and I knew exactly what he was working as and what he had access to (as I was the one to set this all up), but we are also growing very quickly and there may come a time when I have to deal with a lot of people.
How do you keep track of who has access to what, and what is the procedure to revoke access to all that? What happens to their emails? Google Docs? How long should you wait before revoking their access? Should you do a general clean-up of the system they used to work on? Change the password for Windows? (Actually, this guy was on a Mac; our dev team is on Windows, most others are on Macs.)
Tags: job-change, security
closed as off-topic by Joe Strazzere, Chris E, gnat, scaaahu, keshlam Oct 15 '16 at 21:59
- This question does not appear to be about the workplace within the scope defined in the help center.
[+11] This is really an IT Security question, not a Workplace question. (Not to be confused with a bad question; just off topic for the workplace.)
– IDrinkandIKnowThings
Jul 23 '12 at 13:03
[+1] @Chad - This question could be applied to any field, just get rid of the word "dev team", but I won't do that.
– Ramhound
Jul 23 '12 at 13:06
[+6] @Ramhound - It is about managing and revoking IT Security clearances; that is why it belongs there. As you said, the dev team part is irrelevant.
– IDrinkandIKnowThings
Jul 23 '12 at 13:15
[+3] "Security Clearance" has a very specific meaning. I have changed the title to "access privileges", as this is what the poster meant.
– Neuro
Jul 23 '12 at 16:15
[+3] @Chad it's ok for questions to be on-topic in more than one place, or to be very close to a question that would be on topic elsewhere. I read this question as being about processes and organization, not the technical specifics, so I think it's ok here, and actually better here.
– Nicole
Jul 23 '12 at 18:29
6 Answers
Score: 18, accepted. Answered Jul 23 '12 at 14:48 by David Navarre; edited Oct 13 '16 at 20:20.
As others have said, a checklist is critical. If you don't know what they had access to, there's no easy way to revoke it. Don't forget that people might also have access to external accounts on behalf of the company (like support contracts for Oracle or something like that, in addition to Google apps and such) and you'll want to be able to secure those as well.
What happens to their emails?
Old emails? Well, it depends on whether you think there is anything useful in there. While it is prudent to archive them, my experience has been that everything will be overcome by events and decisions that no one is likely to ever search those emails for information. Basically, whatever the archiving rules are for everyone should be followed for the exiting employee. Archiving will be critical in certain environments in which that is required by law.
New emails sent to their account? If they were getting emails from outside related to the business, it's smart to redirect any mail sent to their email address to someone else in the office. A small company for which I do some work had the office manager leave a few years ago, and they still get some emails for her email address that the current office manager needs. A lot of website accounts get linked to email addresses, and it would be a shame if you couldn't do a password reset on one of those without having the account any more.
How long should you wait before revoking their access?
It depends on how they left. In some cases, I've had access and consulted back to former employers for years. If it's a hostile termination, revoking access before informing the employee may be prudent. In most cases, the person keeps working until their last day, so you follow the same security rules you have for everyone - they only get rights to what they need in order to do their job. Revoking access immediately might both piss off someone who thought they were leaving on friendly terms and inhibit them from transitioning their tasks to other team members or their replacement.
Should you do a general clean up of the system they used to work on?
Of course. There's a good chance that they might accidentally leave behind personal files or leave cookies with IDs and passwords behind on the computer. You don't want to expose the departing employee to identity theft or your company to any liability for making that possible.
[+2] Thanks for the answer, you definitely brought up things that I had not thought about, like the cookies. I might be asking too much here, but do you know if there's any list available anywhere that I can refer to? (Google says no!)
– iamserious
Jul 24 '12 at 8:38
I'm not aware of such a list, so I guess you can build one and then share it here, right? :-)
– David Navarre
Jul 24 '12 at 15:23
haha, okay, I'd better start making that checklist then!
– iamserious
Jul 25 '12 at 13:26
[+2] "While it is prudent to archive them," - it may also be required by law.
– tymtam
Oct 10 '16 at 0:51
[+1] But if it isn't required by law, then having a written policy to delete all obsolete emails may be a prudent thing, as it makes it impossible for someone to ask for them in any future lawsuit.
– Simon B
Jan 16 '17 at 23:48
Score: 3.
Generally, the process you describe is called "deprovisioning." It can be a headache for most HR departments because it is manual and frequently error-prone. One does not only need to disable accounts, but also notify insurance companies of the termination, or discontinue cell phone service.
I was just wondering what the procedures are when someone leaves the company to remove all of their intra-company access?
In most Windows environments, the account is locked in Active Directory. You never delete the accounts because they may come back, or you may need to set up the next guy with the same roles/permissions as the one who quit. Someone should have a list of what each person has been issued (such as SecureID tokens), and check them off upon departure.
Score: 2.
How do you keep track of who has access to what and what is the procedure to revoke access to all that?
Come up with a process that all employees must follow (no exceptions). This could either be an email with certain information that you archive, or a Word document you print out and place in a folder for the employee at your desk.
My suggestion is that you choose any format to get it to you, but you should have both an electronic copy, stored on perhaps an encrypted drive, and a paper copy at your desk.
What happens to their emails?
You archive them.
How long should you wait before revoking their access?
You should revoke their access before their last day. This means if you are getting rid of them, their access should already be revoked; personal files shouldn't be a problem, since that is against company policy, right?
Google docs?
You revoke their access to this account also.
Should you do a general clean up of the system they used to work on?
Just wipe the system.
change the password for windows (actually, this guy was on a mac, our dev team is on windows, most others are on macs)
I would assume his domain account is already inactive. If it's not, then deactivate the network account, wipe the system, and assign the hardware to his replacement.
[+6] Wiping the system is a bad idea if they had any work on there (they should have). We keep our old programmers' PCs so we can go through their projects to make sure important stuff is where it should be. Google Docs is a risk because they might have uploaded work to their private account ("shouldn't" happen, but of course does).
– Rarity
Jul 23 '12 at 14:53
@Rarity - So pull the HDD, place a label on it, and repurpose the machine. But all source code should be under source control; if a single developer has source code on his machine (not under source control), you have a bigger problem.
– Ramhound
Jul 23 '12 at 16:15
@Ramhound - This discussion is all about a specific job function... Second, "I would assume his domain account is already inactive": from the sounds of the question, I think it seems to be the responsibility of the OP to do that.
– IDrinkandIKnowThings
Jul 23 '12 at 16:39
@Rarity that is a BAD practice. You should set up shared network drives, and have all work take place on them. This brings the added benefit of allowing people to access their files if they're not in the office, with a laptop + a VPN (since the files would be stored on the domain).
– acolyte
Jul 23 '12 at 17:29
[+3] @acolyte The current group of workers do do that. The last two people to retire in our department did not. Whether it's good practice or not, it's something to be aware of. What does happen is more important than what should happen; it doesn't hurt to be extra careful here.
– Rarity
Jul 23 '12 at 18:25
Score: 0.
As soon as somebody leaves the company, he should have his access revoked to all sensitive data, resources, infrastructure, etc. His data should be stored, his workstation formatted, and all the documents he was working on should be given to his manager no later than the day he leaves the company.
Big companies usually have a centralized system of granting and revoking privileges and a dedicated staff monitoring the privileges.
Score: 0.
When setting up new people, think in terms of putting them into groups, and then rights for various things are set by groups: automated emails are sent to (and sent from) specific email groups, never individuals; database rights are set by group, not by individual (even if only one individual is in the group). Then when someone leaves, it is simpler to simply remove him from any groups and put his replacement in the groups he was in. This doesn't fix everything, but it can work for database access and email issues. Jobs on the database server should have a dedicated account that is never an individual as the owner, so that things don't stop working because the guy who created the job no longer has access.
Score: 0.
I will speak directly from experience as an IT auditor / security professional.
How do you keep track of who has access to what?
A good practice is to centralize access by tying all available access to Microsoft Active Directory (AD) for the machines that run Windows. Benefits of this approach:
- Centralizes access management using Kerberos' built-in authentication technology.
As soon as the AD account is disabled, any subsequent requests to authenticate from the client to the domain controller via a ticket-granting ticket (TGT) will fail. This minimizes human error in forgetting to revoke some access.
If your company uses SQL Server for databases, by setting authentication to Windows mode, as soon as AD is disabled, no access to SQL Server and hence the database is possible. As a bonus, security risks inherent in the SQL Server implementation, such as the default SA account, are auto-disabled.
To make sure that the AD account is disabled in a timely manner, your mail application can be programmed to auto-send a copy of all termination requests to you, minimizing the human error of forgetting to revoke access.
- Frees up time for you and your peer IT staff to work on other tasks rather than working on manual access management.
This access monitoring and revocation process should be ongoing, and ideally continuous in a company. From your question, it appears you may be responsible for access provisioning / administration in your role. If true, with management consent, you should be periodically reviewing access and any improper / unauthorized / unaccounted for access discovered should be investigated and / or revoked upon discovery.
How long should you wait until revoking their access?
The answer depends on the type of termination. If the termination is voluntary, a certain latitude such as 1 business day can be used. However if the termination is involuntary, then access should be revoked immediately upon notification of employee by HR / manager. This minimizes the opportunity for a malicious former employee to destroy data, steal IP, or cause other system damage. I will have to respectfully disagree with @David Navarre on this last point. Protecting company assets and minimizing risk should be a topmost priority, rather than protecting the feelings of the employee.
In addition to revoking local access onsite, pay attention to remote access such as VPN. This is critical if the terminated employee has been issued company devices such as a laptop, due to possibility for employee to steal data and sabotage IT resources through creating backdoors, or planting logic bombs. If possible, tie the ability to remote login via VPN to AD as well, so that once AD is cut off, so is all other access that is linked to it. Ultimately your goal is to have the minimum points of access as possible.
"Protecting company assets and minimizing risk should be a topmost priority, rather than protecting the feelings of the employee." - feelings can only be hurt by surprise (e.g. deprovisioning wasn't listed in the corporate policy at the time of employment / in the contract). So it's a) an immediate risk of rumors spreading to their coworkers and/or online, b) a long-term risk for the next employer of getting someone having both knowledge of said deprovisioning procedure and an urge to prevent it happening.
– kagali-san
Oct 16 '16 at 20:18
oh. necroposting. (:
– kagali-san
Oct 16 '16 at 20:21
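Three of the answers above point at the same design: the accepted answer wants a checklist and reminds you about external accounts and mail forwarding, HLGEM's answer wants rights granted through groups so that an exit is "remove him from the groups", and the auditor's answer wants access reviewed periodically. The Python below is an added example pulling those together; it is not code from this thread or from any of its posters. It keeps an access inventory as data, revokes everything that was granted via groups in one step, and turns whatever was granted to the individual directly (the anti-pattern) into checklist items that a person still has to act on. All users, groups, resources and asset names are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AccessInventory:
    """Who can reach what, kept as data so an exit becomes a generated checklist."""

    # group -> resources that membership in the group unlocks
    group_grants: dict[str, set[str]]
    # user -> groups the user belongs to
    memberships: dict[str, set[str]]
    # user -> resources granted to that person directly, bypassing groups
    direct_grants: dict[str, set[str]] = field(default_factory=dict)
    # user -> things that run as, or are registered to, that individual
    # (scheduled DB jobs, vendor portals tied to their mailbox, ...)
    owned_items: dict[str, set[str]] = field(default_factory=dict)
    # user -> physical items issued to them (laptop, hardware token, ...)
    issued_items: dict[str, set[str]] = field(default_factory=dict)

    def effective_access(self, user: str) -> set[str]:
        """Everything the user can currently reach, via groups or directly."""
        reachable: set[str] = set()
        for group in self.memberships.get(user, set()):
            reachable |= self.group_grants.get(group, set())
        return reachable | self.direct_grants.get(user, set())

    def offboard(self, user: str, successor: Optional[str] = None) -> list[str]:
        """Revoke what the group model can revoke automatically, optionally hand
        the same groups to a successor, and return the steps a human still owns."""
        groups = self.memberships.pop(user, set())
        if successor is not None:
            self.memberships.setdefault(successor, set()).update(groups)

        steps = [
            f"disable the login/directory account for {user}",
            f"forward mail for {user} to {successor or 'a manager'} and archive the mailbox per policy",
            f"collect and wipe/image the workstation used by {user}",
        ]
        # Direct grants live outside the group model, so nothing revoked them above.
        for resource in sorted(self.direct_grants.get(user, set())):
            steps.append(f"revoke direct grant on {resource} for {user} "
                         f"(not group-managed: move it into a group afterwards)")
        for item in sorted(self.owned_items.get(user, set())):
            steps.append(f"re-own {item} to a shared or service account")
        for item in sorted(self.issued_items.get(user, set())):
            steps.append(f"recover issued item: {item}")
        return steps

    def revoke_direct(self, user: str, resource: str) -> None:
        """Tick off a direct-grant step once it has been done on the real system."""
        self.direct_grants.get(user, set()).discard(resource)

    def review(self) -> dict[str, set[str]]:
        """Periodic access review: who still holds access outside the group model."""
        return {u: set(r) for u, r in self.direct_grants.items() if r}


def sample_inventory() -> AccessInventory:
    """Constructed inventory for a small mixed Mac/Windows shop (not real data)."""
    return AccessInventory(
        group_grants={
            "design": {"prod-ftp", "drive:design-shared", "mail"},
            "dev": {"prod-ftp", "git", "crm-db:readwrite", "mail"},
        },
        memberships={"alice": {"design"}, "bob": {"dev"}, "carol": {"design"}},
        # granted by hand one afternoon and never moved into a group
        direct_grants={"alice": {"crm-db:readonly"}},
        owned_items={"alice": {"nightly-export job on db01",
                               "stock-photo vendor login (alice@example.com)"}},
        issued_items={"alice": {"MacBook asset 0042"}},
    )


if __name__ == "__main__":
    inv = sample_inventory()
    print("before:", sorted(inv.effective_access("alice")))
    for step in inv.offboard("alice", successor="carol"):
        print("[ ]", step)
    print("still reachable until the checklist is done:", sorted(inv.effective_access("alice")))
    print("review:", inv.review())
```

The point the thread makes is visible in the output: dropping the group memberships removes FTP, the shared drive and mail at once, while the one read-only database grant that was handed to the person directly survives the automatic step and has to be chased by hand, which is exactly why `review()` keeps flagging it until someone moves it into a group. In an Active Directory shop the first checklist line maps onto disabling the account in the directory; the inventory itself is the "list of what each person has been issued" that the deprovisioning answer says someone should be keeping.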
6 Answers
6
active
oldest
votes
6 Answers
6
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
18
down vote
accepted
As others have said, a checklist is critical. If you don't know what they had access to, there's no easy way to revoke it. Don't forget that people might also have access to external accounts on behalf of the company (like support contracts for Oracle or something like that, in addition to Google apps and such) and you'll want to be able to secure those as well.
What happens to their emails?
Old emails? Well, it depends on whether you think there is anything useful in there. While it is prudent to archive them, my experience has been that everything will be overcome by events and decisions that no one is likely to ever search those emails for information. Basically, whatever the archiving rules are for everyone should be followed for the exiting employee. Archiving will be critical in certain environments in which that is required by law.
New emails sent to their account? If they were getting emails from outside related to the business it's smart to redirect any mail sent to their email address to someone else in the office. A small company for which I do some work had the office manager leave a few years ago and they still get some emails for her email address that the current office manager needs. A lot of website accounts get linked to email addresses and it would be shame if you couldn't do a password reset on one of those without having the account any more.
How long should you wait before revoking their access?
It depends on how they left. In some cases, I've had access and consulted back to former employers for years. If it's a hostile termination, revoking access before informing the employee may be prudent. In most cases, the person keeps working until their last day, so you follow the same security rules you have for everyone - they only gets rights to what they need to in order to do their job. Revoking access immediately might both piss off someone who thought they were leaving on friendly terms and inhibit them from transitioning their tasks to other team members or their replacement.
Should you do a general clean up of the system they used to work on?
Of course. There's a good chance that they might accidentally leave behind personal files or leave cookies with IDs and passwords behind on the computer. You don't want to expose the departing employee to identity theft or your company to any liability for making that possible.
2
Thanks for the answer, you definitely bought up things that I had not thought about, like the cookies. I might be asking too much here, but, do you know if there's any list available anywhere that I can refer to? (Google says no!)
– iamserious
Jul 24 '12 at 8:38
I'm not aware of such a list, so I guess you can build one and then share it here, right? :-)
– David Navarre
Jul 24 '12 at 15:23
haha, okay, I better start making that checklist then!
– iamserious
Jul 25 '12 at 13:26
2
"While it is prudent to archive them," - it may also be required by law.
– tymtam
Oct 10 '16 at 0:51
1
But if it isn't required by law, then having a written policy to delete all obsolete emails may be a prudent thing, as it makes it impossible for someone to ask for them in any future lawsuit.
– Simon B
Jan 16 '17 at 23:48
 |Â
show 2 more comments
up vote
18
down vote
accepted
As others have said, a checklist is critical. If you don't know what they had access to, there's no easy way to revoke it. Don't forget that people might also have access to external accounts on behalf of the company (like support contracts for Oracle or something like that, in addition to Google apps and such) and you'll want to be able to secure those as well.
What happens to their emails?
Old emails? Well, it depends on whether you think there is anything useful in there. While it is prudent to archive them, my experience has been that everything will be overcome by events and decisions that no one is likely to ever search those emails for information. Basically, whatever the archiving rules are for everyone should be followed for the exiting employee. Archiving will be critical in certain environments in which that is required by law.
New emails sent to their account? If they were getting emails from outside related to the business it's smart to redirect any mail sent to their email address to someone else in the office. A small company for which I do some work had the office manager leave a few years ago and they still get some emails for her email address that the current office manager needs. A lot of website accounts get linked to email addresses and it would be shame if you couldn't do a password reset on one of those without having the account any more.
How long should you wait before revoking their access?
It depends on how they left. In some cases, I've had access and consulted back to former employers for years. If it's a hostile termination, revoking access before informing the employee may be prudent. In most cases, the person keeps working until their last day, so you follow the same security rules you have for everyone - they only gets rights to what they need to in order to do their job. Revoking access immediately might both piss off someone who thought they were leaving on friendly terms and inhibit them from transitioning their tasks to other team members or their replacement.
Should you do a general clean up of the system they used to work on?
Of course. There's a good chance that they might accidentally leave behind personal files or leave cookies with IDs and passwords behind on the computer. You don't want to expose the departing employee to identity theft or your company to any liability for making that possible.
2
Thanks for the answer, you definitely bought up things that I had not thought about, like the cookies. I might be asking too much here, but, do you know if there's any list available anywhere that I can refer to? (Google says no!)
– iamserious
Jul 24 '12 at 8:38
I'm not aware of such a list, so I guess you can build one and then share it here, right? :-)
– David Navarre
Jul 24 '12 at 15:23
haha, okay, I better start making that checklist then!
– iamserious
Jul 25 '12 at 13:26
2
"While it is prudent to archive them," - it may also be required by law.
– tymtam
Oct 10 '16 at 0:51
1
But if it isn't required by law, then having a written policy to delete all obsolete emails may be a prudent thing, as it makes it impossible for someone to ask for them in any future lawsuit.
– Simon B
Jan 16 '17 at 23:48
 |Â
show 2 more comments
up vote
18
down vote
accepted
up vote
18
down vote
accepted
As others have said, a checklist is critical. If you don't know what they had access to, there's no easy way to revoke it. Don't forget that people might also have access to external accounts on behalf of the company (like support contracts for Oracle or something like that, in addition to Google apps and such) and you'll want to be able to secure those as well.
What happens to their emails?
Old emails? Well, it depends on whether you think there is anything useful in there. While it is prudent to archive them, my experience has been that everything will be overcome by events and decisions that no one is likely to ever search those emails for information. Basically, whatever the archiving rules are for everyone should be followed for the exiting employee. Archiving will be critical in certain environments in which that is required by law.
New emails sent to their account? If they were getting emails from outside related to the business it's smart to redirect any mail sent to their email address to someone else in the office. A small company for which I do some work had the office manager leave a few years ago and they still get some emails for her email address that the current office manager needs. A lot of website accounts get linked to email addresses and it would be shame if you couldn't do a password reset on one of those without having the account any more.
How long should you wait before revoking their access?
It depends on how they left. In some cases, I've had access and consulted back to former employers for years. If it's a hostile termination, revoking access before informing the employee may be prudent. In most cases, the person keeps working until their last day, so you follow the same security rules you have for everyone - they only gets rights to what they need to in order to do their job. Revoking access immediately might both piss off someone who thought they were leaving on friendly terms and inhibit them from transitioning their tasks to other team members or their replacement.
Should you do a general clean up of the system they used to work on?
Of course. There's a good chance that they might accidentally leave behind personal files or leave cookies with IDs and passwords behind on the computer. You don't want to expose the departing employee to identity theft or your company to any liability for making that possible.
As others have said, a checklist is critical. If you don't know what they had access to, there's no easy way to revoke it. Don't forget that people might also have access to external accounts on behalf of the company (like support contracts for Oracle or something like that, in addition to Google apps and such) and you'll want to be able to secure those as well.
What happens to their emails?
Old emails? Well, it depends on whether you think there is anything useful in there. While it is prudent to archive them, my experience has been that everything will be overcome by events and decisions that no one is likely to ever search those emails for information. Basically, whatever the archiving rules are for everyone should be followed for the exiting employee. Archiving will be critical in certain environments in which that is required by law.
New emails sent to their account? If they were getting emails from outside related to the business it's smart to redirect any mail sent to their email address to someone else in the office. A small company for which I do some work had the office manager leave a few years ago and they still get some emails for her email address that the current office manager needs. A lot of website accounts get linked to email addresses and it would be shame if you couldn't do a password reset on one of those without having the account any more.
How long should you wait before revoking their access?
It depends on how they left. In some cases, I've had access and consulted back to former employers for years. If it's a hostile termination, revoking access before informing the employee may be prudent. In most cases, the person keeps working until their last day, so you follow the same security rules you have for everyone - they only gets rights to what they need to in order to do their job. Revoking access immediately might both piss off someone who thought they were leaving on friendly terms and inhibit them from transitioning their tasks to other team members or their replacement.
Should you do a general clean up of the system they used to work on?
Of course. There's a good chance that they might accidentally leave behind personal files or leave cookies with IDs and passwords behind on the computer. You don't want to expose the departing employee to identity theft or your company to any liability for making that possible.
edited Oct 13 '16 at 20:20
answered Jul 23 '12 at 14:48
David Navarre
1,5161112
2
Thanks for the answer, you definitely brought up things that I had not thought about, like the cookies. I might be asking too much here, but, do you know if there's any list available anywhere that I can refer to? (Google says no!)
– iamserious
Jul 24 '12 at 8:38
I'm not aware of such a list, so I guess you can build one and then share it here, right? :-)
– David Navarre
Jul 24 '12 at 15:23
haha, okay, I better start making that checklist then!
– iamserious
Jul 25 '12 at 13:26
2
"While it is prudent to archive them," - it may also be required by law.
– tymtam
Oct 10 '16 at 0:51
1
But if it isn't required by law, then having a written policy to delete all obsolete emails may be a prudent thing, as it makes it impossible for someone to ask for them in any future lawsuit.
– Simon B
Jan 16 '17 at 23:48
Generally, the process you describe is called "deprovisioning." It can be a headache for most HR departments because it is manual and frequently error-prone. One needs not only to disable accounts, but also to notify insurance companies of the termination, or discontinue cell phone service.
I was just wondering what the procedures are when someone leaves the company to remove all of their intra-company access?
In most Windows environments, the account is locked in Active Directory. You never delete the accounts because they may come back, or you may need to set up the next guy with the same roles/permissions as the one who quit. Someone should have a list of what each person has been issued (such as SecurID tokens), and check them off upon departure.
answered Jul 24 '12 at 17:48
Tangurena
5,0401936
How do you keep track of who has access to what and what is the procedure to revoke access to all that?
Come up with a process that all employees must follow (no exceptions). This could either be an email with certain information that you archive, or a Word document you print out and place in a folder for the employee at your desk.
My suggestion is that you choose any format to get it to you, but you should have both an electronic copy, stored on perhaps an encrypted drive, and a paper copy at your desk.
What happens to their emails?
You archive them.
How long should you wait before revoking their access?
You should revoke their access before their last day. This means if you are getting rid of them, their access should already be revoked, personal files shouldn't be a problem since that is against company policy right?
Google docs?
You revoke their access to this account also.
Should you do a general clean up of the system they used to work on?
Just wipe the system.
change the password for windows (actually, this guy was on a mac, our dev team is on windows, most others are on macs)
I would assume his domain account is already inactive. If it's not, then deactivate the network account, wipe the system, and assign the hardware to his replacement.
6
Wiping the system is a bad idea if they had any work on there (they should have). We keep our old Programmers' PCs so we can go through their projects to make sure important stuff is where it should be. Google docs is a risk because they might have uploaded work to their private account ("shouldn't" happen but of course does)
– Rarity
Jul 23 '12 at 14:53
@Rarity - So pull the hdd, place a label on it, and repurpose the machine. But all source code should be under source control, if a single developer has source code on his machine ( not under source control ) you have a bigger problem.
– Ramhound
Jul 23 '12 at 16:15
@Ramhound - This discussion is all about a specific job function... Second, "I would assume his domain account is already inactive." From the sounds of the question, I think it seems to be the responsibility of the OP to do that.
– IDrinkandIKnowThings
Jul 23 '12 at 16:39
@Rarity that is a BAD practice. You should set up shared network drives, and have all work take place on them. This brings the added benefit of allowing people to access their files if they're not in the office, with a laptop + a VPN (since the files would be stored on the domain).
– acolyte
Jul 23 '12 at 17:29
3
@acolyte Current group of workers do do that. The last two people to retire in our department did not. Whether it's good practice or not it's something to be aware of. What does happen is more important than what should happen, it doesn't hurt to be extra careful here
– Rarity
Jul 23 '12 at 18:25
edited Jul 23 '12 at 19:48
jcmeloni
21.6k87393
answered Jul 23 '12 at 13:05
Ramhound
462410
As soon as somebody leaves the company, his access to all sensitive data, resources, infrastructure, etc. should be revoked. His data should be stored, his workstation formatted, and all the documents he was working on should be given to his manager no later than the day he leaves the company.
Big companies usually have a centralized system of granting and revoking privileges and a dedicated staff monitoring the privileges.
answered Jul 25 '12 at 8:16
Andrzej Bobak
1313
When setting up new people, think in terms of putting them into groups, and then rights for various things are set by group: automated emails are sent to (and sent from) specific email groups, never individuals; database rights are set by group, not by individual (even if only one individual is in the group). Then when someone leaves, it is simpler to just remove him from any groups and put his replacement in the groups he was in. This doesn't fix everything, but it can work for database access and email issues. Jobs on the database server should have a dedicated account, never an individual, as the owner, so that things don't stop working because the guy who created the job no longer has access.
answered Oct 13 '16 at 21:50
HLGEM
133k25227489
I will speak directly from experience as an IT auditor / security professional.
How do you keep track of who has access to what?
A good practice is to centralize access by tying all available access to Microsoft Active Directory (AD) for the machines that run Windows. Benefits of this approach:
- Centralizes access management using Kerberos, the built-in authentication technology.
As soon as the AD account is disabled, any subsequent request to authenticate from the client to the domain controller via a ticket-granting ticket (TGT) will fail. This minimizes the human error of forgetting to revoke some access.
If your company uses SQL Server for databases, by setting authentication to Windows mode, as soon as the AD account is disabled, no access to SQL Server, and hence the database, is possible. As a bonus, a security risk inherent in the SQL Server implementation, the default SA account, is auto-disabled.
To make sure that the AD account is disabled in a timely manner, your mail application can be programmed to auto-send a copy of all termination requests to you, minimizing the human error of forgetting to revoke access.
- Frees up time for you and your peer IT staff to work on other tasks rather than working on manual access management.
This access monitoring and revocation process should be ongoing, and ideally continuous in a company. From your question, it appears you may be responsible for access provisioning / administration in your role. If true, with management consent, you should be periodically reviewing access and any improper / unauthorized / unaccounted for access discovered should be investigated and / or revoked upon discovery.
How long should you wait until revoking their access?
The answer depends on the type of termination. If the termination is voluntary, a certain latitude such as 1 business day can be used. However if the termination is involuntary, then access should be revoked immediately upon notification of employee by HR / manager. This minimizes the opportunity for a malicious former employee to destroy data, steal IP, or cause other system damage. I will have to respectfully disagree with @David Navarre on this last point. Protecting company assets and minimizing risk should be a topmost priority, rather than protecting the feelings of the employee.
In addition to revoking local access onsite, pay attention to remote access such as VPN. This is critical if the terminated employee has been issued company devices such as a laptop, due to possibility for employee to steal data and sabotage IT resources through creating backdoors, or planting logic bombs. If possible, tie the ability to remote login via VPN to AD as well, so that once AD is cut off, so is all other access that is linked to it. Ultimately your goal is to have the minimum points of access as possible.
"Protecting company assets and minimizing risk should be a topmost priority, rather than protecting the feelings of the employee." - feelings can only be hurt by surprise (e.g. deprovisioning wasn't listed in the corporate policy at the time of employment / on the contract). So it's a) an immediate risk of rumors spreading to their coworkers and/or online, b) a long-term risk for the next employer of getting someone who has both knowledge of said deprovisioning procedure and an urge to prevent it happening.
– kagali-san
Oct 16 '16 at 20:18
oh. necroposting. (:
– kagali-san
Oct 16 '16 at 20:21
add a comment |Â
up vote
0
down vote
I will speak directly from experience as an IT auditor / security professional.
How do you keep track of who has access to what?
A good practice is to centralize access by tying all available access to Microsoft Active Directory (AD) for the machines that run Windows. Benefits of approach:
- Centralizes access management using Kerberos built in authentication technology
As soon as the AD account is disabled, any subsequent requests to authenticate from the client to the domain controller via ticket granting ticket(TGT) will fail. This minimizes human error in forgetting to revoke some access.
If your company users SQL server for databases, by setting authentication to Windows mode, as soon as AD is disabled, no access to SQL server and hence database is possible. As a bonus, security risks inherent in SQL Server implementation such as the default SA account is auto-disabled.
To make sure, that the AD account is disabled timely, your mail application can be programmed to auto send a copy of all termination requests to you, minimizing human error of forgetting to revoke access.
- Frees up time for you and your peer IT staff to work on other tasks rather than working on manual access management.
This access monitoring and revocation process should be ongoing, and ideally continuous in a company. From your question, it appears you may be responsible for access provisioning / administration in your role. If true, with management consent, you should be periodically reviewing access and any improper / unauthorized / unaccounted for access discovered should be investigated and / or revoked upon discovery.
How long should you wait until revoking their access?
The answer depends on the type of termination. If the termination is voluntary, a certain latitude such as 1 business day can be used. However, if the termination is involuntary, then access should be revoked immediately upon notification of the employee by HR / manager. This minimizes the opportunity for a malicious former employee to destroy data, steal IP, or cause other system damage. I will have to respectfully disagree with @David Navarre on this last point. Protecting company assets and minimizing risk should be a topmost priority, rather than protecting the feelings of the employee.
In addition to revoking local access onsite, pay attention to remote access such as VPN. This is critical if the terminated employee has been issued company devices such as a laptop, due to the possibility of the employee stealing data and sabotaging IT resources by creating backdoors or planting logic bombs. If possible, tie the ability to log in remotely via VPN to AD as well, so that once AD is cut off, so is all other access that is linked to it. Ultimately your goal is to have as few points of access as possible.
edited Jan 16 '17 at 4:48
answered Oct 14 '16 at 2:54
Anthony
5,2391355
"Protecting company assets and minimizing risk should be a topmost priority, rather than protecting the feelings of the employee." - feelings can only be hurt at surprise (e.g. deprovisioning wasn't listed on the corporate policy at the time of employment / on contract). So its a) immediate risk of the rumors spread to their coworkers and/or online, b) long-term risk for the next employer to get someone having both a knowledge of said deprovisioning procedure and an urge to prevent that happening.
– kagali-san
Oct 16 '16 at 20:18
oh. necroposting. (:
– kagali-san
Oct 16 '16 at 20:21
add a comment
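The answer above describes AD as the single choke point: disable the account, and every service that authenticates against AD (Windows-auth SQL Server, an AD-backed VPN) goes dark with it. Below is an added PowerShell example of what that offboarding step and the periodic access review look like in practice. It is not code from the answerer or from any product; it assumes the RSAT ActiveDirectory module is installed, and the quarantine OU `OU=Disabled Users,DC=example,DC=com`, the ticket reference and the `jdoe` account in the usage lines are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added offboarding example, not code from the original answer. Assumes the RSAT
# ActiveDirectory module and a quarantine OU 'OU=Disabled Users,DC=example,DC=com'
# (placeholder; adjust to your domain).

function Disable-LeaverAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$DisabledOu = 'OU=Disabled Users,DC=example,DC=com',  # assumed OU
        [string]$TicketRef  = 'HR-TICKET-PLACEHOLDER'                 # offboarding ticket id
    )

    $user  = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm'

    if (-not $PSCmdlet.ShouldProcess($user.DistinguishedName, 'disable and strip access')) { return }

    # 1. Disable the account. New TGT requests to the domain controller fail from here on,
    #    which also cuts off every service that trusts AD (Windows-auth SQL Server,
    #    AD-backed VPN, file shares, ...).
    Disable-ADAccount -Identity $user

    # 2. Reset the password to a random value so a credential cached on a company laptop
    #    is useless even if the account is ever re-enabled by mistake.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPassword = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword

    # 3. Strip group memberships (share ACLs, VPN/NPS policies, SQL logins granted to
    #    groups), recording what was removed for the audit trail.
    $removedGroups = @()
    foreach ($groupDn in $user.MemberOf) {
        Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
        $removedGroups += $groupDn
    }

    # 4. Explicitly deny RAS/VPN dial-in in case a remote-access policy still keys on it.
    Set-ADUser -Identity $user -Replace @{ msNPAllowDialin = $false }

    # 5. Leave an audit note on the object and park it in the quarantine OU (last, because
    #    the move changes the distinguished name).
    Set-ADUser -Identity $user -Description "Disabled $stamp by $env:USERNAME ($TicketRef)"
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOu

    [pscustomobject]@{
        Account       = $user.SamAccountName
        DisabledAt    = $stamp
        GroupsRemoved = $removedGroups
    }
}

function Get-EnabledInactiveAccounts {
    # Periodic review: enabled user accounts with no logon for $InactiveDays days are the
    # "unaccounted for" access the answer says should be investigated or revoked.
    param([int]$InactiveDays = 45)
    Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
        Where-Object { $_.Enabled } |
        Select-Object SamAccountName, LastLogonDate, DistinguishedName
}

# Usage (dry run first, then for real; 'jdoe' and the ticket id are placeholders):
# Disable-LeaverAccount -SamAccountName jdoe -TicketRef HR-1234 -WhatIf
# Disable-LeaverAccount -SamAccountName jdoe -TicketRef HR-1234
# Get-EnabledInactiveAccounts -InactiveDays 45 | Format-Table
```

Two caveats worth knowing when you rely on AD as the choke point. Disabling the account stops new ticket requests, but Kerberos service tickets the user already holds stay valid until they expire (the default maximum service ticket lifetime is 10 hours), and sessions that are already established (an open SQL connection, an active VPN tunnel) are not torn down by the directory; drop those at the server or concentrator if the termination is involuntary. And anything that does not authenticate against AD at all, such as the FTP and Google Docs access from the original question, still needs its own line on the checklist.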
11
This is really an IT Security question, not a Workplace question. (Not to be confused with a bad question, just off topic for the workplace.)
– IDrinkandIKnowThings
Jul 23 '12 at 13:03
1
@Chad - This question could be applied to any field, just get rid of the word "dev team", but I won't do that.
– Ramhound
Jul 23 '12 at 13:06
6
@Ramhound - It is about managing and revoking IT security clearances; that is why it belongs there. As you said, the dev team part is irrelevant.
– IDrinkandIKnowThings
Jul 23 '12 at 13:15
3
"Security Clearance" has a very specific meaning. I have changed the title to access privileges as this is what the poster meant.
– Neuro
Jul 23 '12 at 16:15
3
@Chad it's ok for questions to be on-topic in more than one place, or to be very close to a question that would be on topic elsewhere. I read this question as being about processes and organization, not the technical specifics, so I think it's ok here, and actually better here.
– Nicole
Jul 23 '12 at 18:29