When an employee is fired or let go, it is critical to disable their accounts and access to resources immediately. How do you handle this at your organization?
-
You've not told us what sort of network you have, is it Windows, Linux, are you using Active Directory, where does your mail come from, POP? Exchange? We need something to work with. – Sam Cogan Nov 13 '09 at 15:29
-
It's more of an open ended community wiki question. I don't need a solution, just curious how people do it at their organizations with their systems... – Brett G Nov 13 '09 at 16:08
-
sounds like http://serverfault.com/questions/64175/active-directory-delete-vs-disable-departed-employees – warren Nov 13 '09 at 16:20
-
It's a policy question, not a technical question. – Brett G Nov 13 '09 at 19:56
7 Answers
HR should coordinate with IT before the employee is actually terminated. This way, IT can remove access before the action takes place. This is important because it prevents the employee from deleting or removing data that they either a) didn't want the company to see or b) wanted to delete to harm the company (via time loss, research loss, record loss, etc) in some way.
It is also important to have IT not remove any data, for similar reasons as with b). Companies often need to go back and retrieve the data of prior employees for legal reasons in addition to business continuity reasons. IT should only grant access to this data to people approved by HR.
+1 for coordinating with IT prior to the firing. I helped restore a damaged Exchange Server computer for a small Firm after their admin attempted to restore the mailbox of a user who'd "cleaned up" after being fired. Ultimately, the sysadmin's inexperience with Exchange restores ("What's a recovery storage group?") caused the disaster, but had HR coordinated with IT and allowed IT to revoke the to-be-fired user's rights at the appropriate time the initial deletion of the user's data wouldn't have happened. – Evan Anderson Nov 13 '09 at 18:43
First: Make it your process to tell I/T before you tell the employee that they have been terminated. Have them taken out before they know they're fired.
Second: Keep careful, detailed records of all systems that the user has access to, and remove them in order of priority. Make sure the people in I/T understand whose responsibility it is to remove each piece of access.
Third: In the event of an "off the cuff" firing, detail someone to keep an eye on the employee until I/T finishes removing their privileges.
Assuming you aren't firing them for fraud or anything.
Before you start a policy of putting black bags over their head, and dragging them kicking and screaming from the building - consider what future interaction you are going to have with them.
If you need to call an ex-sysadmin a week later to ask how some system you have forgotten about actually works, it helps to have dealt with them as a professional, not as a potential terrorist.
Also, it's been my experience that sysadmins miss a lot of stuff. One guy still had an open SSH session on a server *after* his account had been closed. He used Unix `talk` to tease us before he closed it down. The point: You pretty much have to have some trust, so you may as well treat them well. – Zan Lynx Jun 14 '11 at 13:54
You simply implement the pre-arranged procedure.
i.e. the most important thing is that you've already got a plan and not just scrabbling around doing what comes to mind at the time. If you have months to think about and develop a plan it'll be so much better than if you think about it off the cuff.
Oh and for what it's worth I'd say worry more about physical things (keys, building access, user storage, copies of media) than locking out electronically - most malicious data loss comes in these ways than via purely electronic ways.
No, this place can be nuts, some people just don't properly read posts, so miss the point - it doesn't bother me to be honest but thanks for the comment. – Chopper3 Nov 13 '09 at 15:47
- coordinate with HR
- turn off computer while employee is being fired/let go
- HR escorts employee from the building
- at the very least change passwords on accounts
- determine if accounts need to be saved/gone through, etc.
- take appropriate action from here (delete accounts, archive accounts, forward email for a bit, etc.)
As a side note, it's a much more lengthy and immediate issue if it's an I.T. person that you have to let go, given the amount of admin access they may have to everything.
This is more of a procedural question than a technical one. Basically, you need to have a provisioning process and a de-provisioning process. People tend to forget about de-provisioning.
That process might be as simple as "call so and so and create accounts" or may involve opening help desk tickets or may be done by an enterprise application. That isn't really relevant -- what is relevant is that you need to handle this stuff consistently and have a pre-arranged plan.
We have a few user identity stores and a delegated admin model. Essentially, a designated rep in each business unit can access the provisioning system and set up user accounts. A ticket is opened with IT support to assign/deassign PCs, and a ticket with another organization takes care of ID/building/parking access cards.
What happens to data depends on the organization. Places that get sued often tend to purge first, ask questions later. Other places vary widely. I've worked in some places that purged everything, other places that kept critical data in the home directory of an engineer who left 5 years earlier.
I think the best practice is to "impound" the PC and home directory data for a few weeks, then delete everything unless there is a good reason not to.
Every system needs a system owner who's responsible for this. They could delegate tasks like this to that system's administrator, but it's the owner's task to initiate change; hence the owner should know whether to prioritize access removal and so on. Depending on the size, the CSO, or whatever the English title for the information security officer is, should coordinate and/or request specific routines to follow when this happens.
Have a manual routine/policy to begin with if the ownerships aren't clear enough and then start automating the parts that seem costly or generally problematic.
Going the whole way there are identity life-cycle systems to look for as well to help in managing this.