When a Member of the IT Team Leaves - Reducing the Risk

12 Aug 05:09

Security has added prominence when a member of staff moves to pastures new, especially if he or she is a system or network administrator...

One of the biggest problems that many companies have is that too much vital information resides in the hands of these people. While most departures are amicable and take place in an orderly manner, IDsec knows of circumstances where key staff have left under a cloud and with little or no warning. In a business world where risk management and corporate governance are becoming increasing areas of focus, companies would serve themselves well to not leave themselves vulnerable.

Open for attack

The primary fear is that direct access is still available to the individual concerned, either by normal channels that have not been closed down or by undocumented, back-door connection points and alternative credentials. Similarly, there will be a worry that key systems have been compromised in a way that may leave them open to a simple attack in the future. Beyond this are the personnel issues, such as the signing of non-disclosure and similar documents, subject to the individuals contract of employment.

Non-malicious intent, but still disruptive

Problems can occur even if the departing employee has no intention to harm the company. If he or she has had too much responsibility for a particular area, then that persons departure can leave a knowledge gap. If that employee leaves suddenly, and there is not an efficient handover, then the rest of the department might be left scratching their heads, trying to work out details and procedures that have not been documented and shared.

So what steps can companies take to protect themselves? The most logical solution is to have in place a clear strategy, with agreed policies and procedures, and specific tasks that can be carried out in advance, while others can be conducted on the day of the employees departure.

Five steps that can be taken in advance

Here are some suggestions that can be built into policies and procedures:

Avoid single control dont have key systems in the hands of a single administrator role rotation is a good idea.
Maintain documentation keep track of network structure, systems, users and responsibilities. Carry out regular reviews of this information.
Build procedures try to wrap all significant changes to equipment and personnel in documented procedures and keep them up-to-date as technology moves on and the organisation changes.
Avoid manual maintenance reducing the organisations dependence on manual procedures has its own benefit, as well as easing administrative handovers. This may sound obvious, but it is surprising how many organisations still use manual maintenance, even in the IT department.
Keep logs retain access records, making sure that these can be viewed quickly and easily if there is a security alert.

The creation and promotion of an Information Security Policy has not been mentioned in this list, as it should be a given. Other issues to consider include specific mechanisms, such as file integrity monitoring.

Five steps that can be taken on the day

Of course, the real crunch comes when the member of staff in question departs. There will be a number of actions that have to be carried out in a fairly short space of time, possibly by new staff. These are some of the more immediate actions that need to be tackled:

Remove access disable relevant accounts and collect any keys or other physical tokens.
Scan perimeter check the networks visibility from the Internet, making sure that all services offered are there for a good reason.
Carry out a network inventory make sure that there are no unexpected systems on key networks (this may involve a physical inspection).
Quarantine relevant PCs departing systems administrators own desktop PCs should not be simply passed on to others, but kept in isolation until any security issues are resolved.
Debrief leavers assuming that the departure is relatively amicable, a final review may be of value to the individuals successor.

Sounds draconian? In fact, many of these are steps that should be an integral part of the overall Information Security Strategy anyway and many of them are straightforward without being particularly time-consuming. Furthermore, given that management of risk is becoming increasingly important, especially in a world where security breaches and attacks from outside corporate networks are on the increase, this is not an issue that can be ignored.

[All good advice that it shouldn't really be necessary to repeat. I would add keeping a close eye on any portable digital devices being brought into or out of the organisation by any IT experts, all the time. Also, in my view it is not a good idea to let a sysdamin cary on working in the company after giving, or being given, notice. Employers should normally pay their way out of this type of situation if they can. --Ed.]

Related links: (Open in a new window.)
www.idsec.co.uk/

Taken from Information Security Bulletin.