Deprovisioning: Firing Line
A poorly handled employee termination can create a slew of security risks, from deprovisioning issues to (in the worst case) threats. That's why CSOs need a process for letting workers go.
By Malcolm Wheatley
September 01, 2003 — CSO — Terminations and Deprovisioning Ian Cheeseman Is President Of LVA Communications, a small public relations consultancy headquartered in Niantic, Conn., with subsidiary offices in New York City and Silicon Valley. But earlier in his career he was the data-processing manager for a municipal insurance company—a fact that may have something to do with one of LVA's employee termination procedures.
LVA is a contractor to its string of high-tech clients, and consequently its employees are routinely granted high-level access to its clients' systems. "With most of our clients, we can get in behind the firewall," Cheeseman says. "But we've noticed that while companies may be diligent about blocking access for their own former employees, they often don't seem to have a system for dealing with contractors' employees. If someone at a contractor left, the client company might not find out about it for months—if at all." So when a worker leaves LVA, the company is proactive about communicating that to affected clients. LVA collects items such as contractor ID badges as a routine part of the termination process. As soon as the employee has left, says Cheeseman, LVA's human resources administrator telephones the client companies on whose behalf the individual in question worked. "Then we follow up that call with an e-mail so that there's a paper trail," he adds. "The message is quite specific: 'This individual has left our employment and should no longer be allowed access to your premises or your data.'"
After a spate of well-publicized incidents where former employees wreaked havoc after gaining access to companies' systems—and premises—the security processes for employee terminations ought to be nailed down hard and fast by now. As every new breach makes clear, though, that's simply not the case. It's not as if the task is a difficult one; updating passwords and retrieving access cards is hardly rocket science. But it's no mystery why it just doesn't get done in a thorough manner. Firing or laying off an employee is an uncomfortable experience that even highly professional line-of-business managers would rather not think about. The result? From the security perspective, the process of firing people is often a mess. As Joe Magee, former CSO of Top Layer Networks, says, "When terminations happen, there's often considerable chaos and a lot going on. It's easy for things to get overlooked and for security measures to take second place."
But by pulling together a thorough, documented, humane procedure for employee terminations, the CSO can help make the process easier—though not painless—for all involved, protecting the physical and digital assets of the company as well as the dignity of the departing employees and their supervisors. Here's some advice, garnered from experts, on aspects of the process frequently overlooked or misunderstood.Absence of ProgressHow widespread is the lack of clear thinking on this subject? Hard-and-fast figures are scarce, but Margaret McCausland, a partner in the Employment/Benefits/Labor practice of national law firm Blank Rome, estimates—based on the calls she gets from clients—that roughly 50 percent of companies with 50 to 100 employees have adequate procedures in place for letting people go. With larger companies, the figure improves—climbing perhaps closer to 80 percent. However, McCausland says that even for those with some kind of documented process, confusion over "the right way" to do the job actually creates more problems.