By Kenneth Morrison, Principal, Morrison Consulting
Personnel departures are a daily occurrence for large organizations, and small and medium-sized organizations need to manage them on a regular basis. The RSA Conference 2016 Peer2Peer session Saying Goodbye: Managing Security for Departing Personnel provided the opportunity for a great group of 25 attendees to talk to each other in a small session about managing security for something we all share in common.
By the term “organization” we include both companies and other types of organizations, such as government and NGO’s, Non-Governmental Organizations. All organizations face personnel departures. Indeed our participants came from large and medium-sized businesses, NGO’s and government. The questions posed, stories shared, and solutions described all reflected this diversity of experience, but there were common threads heard from all attendees.
Here I’ll share the highlights of our discussion.
Participants described the types of personnel departures they had experienced, including the departures of former employees, contractors, interns, guest workers from other companies, and even visitors who come in for a day or two. Individual departures came about from voluntary resignations, terminations (often involuntary), or when contracts or internships ended. Group departures came about from reorganizations, spin-offs, outsourcing, and sales of the organization or portions of it.
Presented were serious frameworks for understanding, planning and managing these various departure scenarios. In these situations teams of relevant stakeholders such as human resources, the legal department, IT and IT security, payroll, facilities and physical security were often involved. Frameworks were, without exception, anchored in policy documents. Documented processes defined common departure scenarios.
Key issues of concern voiced and discussed were:
1. Determining what company-owned resources the departing worker has in his or her possession.
- The challenge of personally owned computing devices used for work.
- Some companies impose controls as prerequisite for allowing the device, or vary monitoring by the worker’s role
2. Determining what organizational systems has the departing worker access to, internally and externally, and across group boundaries.
- Ensuring this access be promptly restricted then terminated.
- Looking for and eliminating shared accounts.
3. Determining what monitoring is appropriate during the exit process.
- Monitoring is of special concern for workers with special system privileges or access to very sensitive materials.
- Monitoring of social media accounts.
- Some organizations monitor for "departure patterns" before departures are announced
4. Balancing respect for privacy with certain determination to maintain ownership and confidentiality of resources.
- Consideration of legal and cultural requirements.
5. Subsequent responsibility for information left behind.
- How to review, what to dispose, and what to retain (and for how long).
Several participants noted that the number of departures comes in waves, usually tied to the overall industry economy—good or bad. The challenge they voiced is how organizations can prepare to manage security risk in advance, before the wave breaks.
ISO/IEC 27001:2013 has content relating to personnel departures, under section A.7, Human Resource Security, 6 controls that are applied before, during, or after employment.
NIST Special Publication 800-53, Revision 4, also has relevant content, under PS: Personnel Security Controls, including Controls PS-2: Position Risk Designation, PS-4: Personnel Termination.
The dynamic energy of this great discussion was a call to continue the conversation. I encourage all interested professionals to comment on the blog, and to reach out to me directly:
Kenneth Morrison is the Principal of Morrison Consulting and an IT Security Consultant with Resources Global Professionals (RGP). With 10+ years of global corporate and consulting experience, he has analyzed security for hundreds of systems, local and international, for regulatory compliance, architecture and policy assurance. His work includes cloud migrations, ERP and regulated systems, and design of strategic security architecture frameworks based on COBIT, ITIL, ISO/IEC requirements and controls. He is a contributor to (ISC)2’s Safe and Secure Online project. He is currently working with an IT Security hardware startup. He has an architecture degree from UC Berkeley, and holds CISSP and CISM certifications.