IT Considerations When an Employee Leaves

The two most interesting times in any employee-employer relationship are the employee's onboarding and departure. One is a time of excitement and opportunity; the other, a time of change and potential concern.

Employees leave for many reasons, but regardless of the reason, they have spent time in your company's environment, where they have had access to some level of your IT systems. A basic problem companies have with IT and departing employees is an inherent trust that grows over time with our co-workers.

The most critical period in preparing for an employee departure, interestingly enough, is well before a worker is hired. The second critical period starts a few days before the employee leaves and extends to a few days past the worker's departure.

Even before you hire a new person, several things should already be in place:

• IT onboarding checklists and policies should have been prepared and should be required for every new employee. These lists and policies should define the IT access levels the employee will receive (based on his or her new position in the company), as well as the IT facilities that will be provided (e.g., computer, mobile device, tokens).

• You also need to create employee departure checklists and policies. While these won't be used when an employee begins work, you shouldn't wait till the day of a worker's departure to figure out what needs to be done to unwind that individual's IT presence from your company.

The value of prepared lists and policies is twofold. First, well-established procedures prevent essential pieces of the IT puzzle from being overlooked. Second, and just as important, disgruntled employees are less likely to claim they were treated unfairly when put through a rigorous exit procedure.

Some tasks that should be part of your onboarding and departure procedures include the following:

• Make a list of IT assets the employee has in his or her possession (e.g., keys, computers, mobile devices and security devices such as tokens) and keep it current.

• Record login access to all internal IT systems with the employee's login name. Don't forget external systems, such as email, phone systems and bank accounts.

• Record login access to all external IT systems that the employee can access. Don't forget "softer" systems, such as company social networks (e.g., Facebook, LinkedIn, Twitter). Many companies use a single login for these social systems and share it throughout the company. As a result, these systems are often hacked months after an employee leaves. Consider using employee-specific logins or changing the passwords when an employee leaves.

• Inform both internal and external IT vendors of the employee's departure to avoid unauthorized usage. Did the worker have access to external vendor systems? If so, your company would be liable for any problems created by your former employee.

• Check the employee's computers and all computers to which the individual had access for key loggers and malware. These spyware systems are easily installed, almost never considered, and can be sending company information to a hacker on a daily basis.

• If the employee had administrator access to IT systems, check for alternative logins and backdoors that the worker might have set up for unauthorized access. There are many "hidden" systems and devices that require login access (e.g., routers, firewalls, intrusion prevention systems) that provide the basis of your perimeter (network) security. Be sure the departing employee no longer has access to these systems and devices.

During Onboarding

As the foundation of your company's IT security, work from a need-to-access policy, not a freedom-of-information approach.

Many companies provide far more IT access than an employee needs. The more access to IT systems a worker is granted, the harder it will be to sort out what threat that person might pose to company systems.

Companies should look toward the IT future (when the employee leaves), as opposed to providing blanket access. Always remember that an employee with system administrator rights owns your IT world, even after he or she leaves.

During Departure

Employee departures should be an exercise in checklists and procedures. It is imperative that the departing employee's IT presence in the company is entirely removed before he or she walks out the door for the last time.

Tell the IT department an employee's departure date as soon as it is known. The complexity of unwinding an employee's IT presence sometimes requires days to complete, and the staff to perform the IT removal may not be available immediately.
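
An added example, not from the original article: Python code showing how the asset and login records kept since onboarding can generate the departure checklist, and how the accounts that actually exist on a system can be compared with those records to surface logins nobody recorded. The record layout, the names and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Access:
    system: str             # system the login is for
    login: str              # login name recorded at onboarding
    holders: tuple          # everyone who knows this login
    external: bool = False  # run by an outside vendor or provider
    admin: bool = False     # administrator rights on the system

def departure_plan(employee, assets, inventory):
    """Build the departure checklist for one employee from the recorded lists."""
    plan = [f"collect asset: {a}" for a in assets.get(employee, [])]
    for acc in inventory:
        if employee not in acc.holders:
            continue
        if len(acc.holders) > 1:
            # Shared login: colleagues still need it, so rotate instead of disabling.
            plan.append(f"change password: {acc.system} ({acc.login})")
        else:
            plan.append(f"disable login: {acc.system} ({acc.login})")
        if acc.external:
            plan.append(f"notify vendor: {acc.system}")
        if acc.admin:
            plan.append(f"review for alternative logins: {acc.system}")
    return plan

def unrecorded_logins(system, live_logins, inventory):
    """Logins that exist on a system but were never recorded in the inventory."""
    recorded = {acc.login for acc in inventory if acc.system == system}
    return sorted(set(live_logins) - recorded)

# Constructed sample data (hypothetical names, not from the article).
ASSETS = {"jdoe": ["laptop", "office key", "security token"]}
INVENTORY = [
    Access("email", "jdoe", ("jdoe",), external=True),
    Access("company Twitter", "acme_social", ("jdoe", "asmith"), external=True),
    Access("firewall", "fwadmin", ("jdoe", "itops"), admin=True),
    Access("payroll", "asmith", ("asmith",)),
]
FIREWALL_LOGINS = ["fwadmin", "support2"]  # constructed export of live accounts

if __name__ == "__main__":
    for step in departure_plan("jdoe", ASSETS, INVENTORY):
        print("[ ]", step)
    for login in unrecorded_logins("firewall", FIREWALL_LOGINS, INVENTORY):
        print("[ ] investigate unrecorded firewall login:", login)
```

The plan is only as complete as the inventory behind it, which is why the lists have to be kept current from the employee's first day.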

Trust is a wonderful quality, but don't ever forget that it takes only one unhappy employee to wreak havoc on your business.

Alan Wlasuk is CEO of 403 Web Security, a Web application development company. He is a Bell Labs Fellow award winner with 18-plus years' experience building secure Web applications.