Personnel departures are common, not just from layoffs and terminations, but also resignations, reorganizations, and spin-offs. How do you deal with these from a security standpoint? How do you extinguish access, protect against data theft, and manage the data left behind? The RSA Conference 2017 Peer2Peer session You Can’t Take It with You! How to Manage Security When Personnel Depart provided the opportunity for a great group of attendees to talk to each other in a small session about the risks and best practices for managing off-boarding effectively, decreasing threats and vulnerabilities around processes we all share in common.
This late Thursday afternoon session was almost completely full, and nearly everyone contributed to the conversation. A variety of points of interest were raised, coming from different backgrounds and issues, with discussion flowing around the room. This is the direct-connection opportunity that Peer-to-Peer sessions offer within the larger conference.
All organizations, including businesses, government agencies, NGOs, and others, face personnel departures. The personnel can be employees, contractors, interns, service providers, and short-term visitors, with roles that span from executives, to privileged-access users, to the general public. The departures can be planned or unplanned, transitioned or immediate, and caused by voluntary resignations, terminations, expired contracts, reorganizations, spin-offs, outsourcing, and acquisitions.
Key issues of concern voiced and discussed, involving both people and technology, were:
- Much closer monitoring is required for defense contractors, including activity during employment and both before and after termination. Some attendees are now looking to add ongoing evaluation of social media activity.
- Specialized software, such as Onyx, and Data Loss Prevention (DLP) packages are used to track activity during and after termination, but this can be a challenge in mixed-platform environments.
- There is increased risk from transition periods, where departure is delayed and some network access is provided after the termination or departure announcement. Network segmentation is used to reduce exposure to network resources.
- Most risk occurs from activity just before, and within 30 days after, termination. Of course, it is difficult to monitor activity before the termination date for voluntary resignations and other unplanned departures.
- HR is often involved, but is often not adequately prepared to address IT-oriented issues.
- A large group change (the specific case described was a merger) can overwhelm HR and IT processes.
- Particular roles do cause concern; the specific case cited by more than one attendee involved sales people potentially departing with customer lists.
- Identifying residual data can be particularly difficult for people who have had different roles through the years; existing processes focus on cleanup of the current (last) job, but have difficulty moving back through the previous roles.
- Special concern was noted around resignations, where the organization has no control or visibility until the departure is announced by the person.
- Contractors are not trained to the level of employees for most processes, leading to increased risk.
- Attendees faced issues with company data on personal devices: what access is allowed, whether to impose agent-based control, and how to reclaim or remove data upon departure.
- Concern was expressed with issues in balancing privacy with monitoring, particularly in countries with differing privacy requirements.
- Who is the driver of departure processes? It varies: sometimes HR, sometimes Legal, never IT Security. Whoever the driver is, this group or person gives momentum to the process, which in turn supports funding and teaming.
There are foundational standards documents you can use to guide practices around departing personnel:
ISO/IEC 27001:2013 has content relating to personnel departures under section A.7, Human Resource Security, which lists six controls applied before, during, and after employment.
NIST Special Publication 800-53, Revision 4, also has relevant content under the PS (Personnel Security) control family, including PS-2: Position Risk Designation and PS-4: Personnel Termination.
The dynamic energy of this great discussion was a call to continue the conversation. I encourage all interested professionals to comment on the blog, and to reach out to me directly: https://www.rsaconference.com/speakers/kenneth-morrison