Insights

Information security and the employee exit checklist: Part II

 

Information security and the employee exit checklist: Part II

Oct 14, 2019

In part one of this series, we discussed the importance of policies and procedures in protecting employers and their information (from intellectual property to physical assets). We also detailed what actions employers can take to protect their assets before an employee starts and while they’re a current employee. 

In part two, we’re going to dive into what actions to take when an employee hands in their notice. This is a critical area, and it pays to be well-prepared.

The employee exit checklist

The moment you learn an employee is leaving, there are several crucial steps to take. 

For employees who give notice and have access to sensitive or critical information, the best action to take is an immediate termination with an escort off the premises. It’s essential protection even when the employment relationship appears to end amicably.

If the departing employee is responsible for or has access to critical IT management and support functions, consider placing them on administrative leave for the duration of their remaining time. Escort them out of the building and do not allow them to take anything with them. Your company can return any personal items to them on their last official day. (If your company chooses to let employees pack their personal items, never do so without oversight.)

If, however, employment will continue after they hand in their notice, there are quite a few steps in include in your general departure checklist. All of these steps help mitigate your business or organization’s risk.

  • Revoke all forms of remote access. This includes access to email, VPN, remote desktop and voice mail.
  • Examine the employee’s computer to ensure that no forms of remote-control software have been installed. This includes GoToMyPC, LogMeIn and other similar software.
  • Restrict the user’s ability to access or use scanners, printers and multifunction machines.
  • Remove local administrative rights to their computer. This will prevent any further installation of applications or changes to the operating system.
  • Examine the employee’s rights within Active Directory (for Microsoft operating systems) or other directory services and all applications. Remove all permissions that are not necessary for the employee to perform their duties. (Note that it’s important to not remove or delete user accounts, but rather simply remove all permissions and, for added security, change the associated password to something unknown to the user. This allows for a more successful analysis of the computer, if needed later.)
  • Remove the employee user from all administrative rights or groups within Active Directory and from other critical applications.
  • Restrict the employee’s account login hours.
  • Disable or restrict the employee’s access to any wireless networks.
  • Save all log files on servers, firewalls, proxies or critical applications. If logging wasn’t enabled or logs weren’t being retained, start immediately.
  • Restrict the employee’s ability to access or use removable storage devices or media, such as USB memory sticks or drives, memory cards, tablets and smartphones.
  • Remove the capability for the employee’s smartphone or other mobile devices to sync with the email system.
  • If the employee had access to a laptop, tablet or other portable device, immediately ask that the devices be surrendered and require the employee to use a desktop for the remainder of their employment or that they leave all devices at the workplace.
  • Ask the employee to surrender any company-provided phone, especially smartphones. Lock these away until copies can be made. Do not immediately reassign them to other employees.
  • Restore the last two months of the employee’s user folders on the network (to another location for storage) or suspend the backup rotation. This will allow you to compare the folder contents at the time of departure with older versions to identify items that might have been deleted. Do the same with the employee’s user email account.
  • Restrict the employee’s physical access to sensitive areas. Require a designated management member to be responsible for letting them into and out of the building during business hours. Confirm that logging of physical access is occurring and is being retained and that physical surveillance is also operating and being retained.
  • Restrict or monitor the employee’s access to the internet. This will prevent the use of webmail, online backups and drop boxes. 

What to do on the employee’s last day

These final few measures will tie up the to-do list for transitioning a departure:

  • Request that the employee identify and provide all credentials, including user names and passwords for encryption or access to organizational resources. This includes passwords necessary to access equipment such as cell phones, encrypted devices and encrypted files. Collect and secure all organizational access credentials, such as access cards.
  • And although you may have done so already, remind the employee again of any noncompete and nondisclosure agreements.

What to do immediately when employment ends

The job of protecting your organization and its assets isn’t over yet. There are still some important items you’ll need to consider and address:

  • Notify employees about the individual’s departure and emphasize that the person not be granted physical access to facilities or logical access information systems.
  • Notify key external contacts about the individual’s departure and ask that the departed employee not be granted any access. This includes contacting vendors, customers, contractors, phone vendors, disaster recovery sites, off-site storage contacts, network vendors, etc.
  • Particularly for IT employees, search for scheduled jobs that are unnecessary or that could execute malicious action.
  • Examine email, voice mail and cell phones to confirm that forwarding is not enabled and that messages are appropriate.
  • Change all of the employee’s user passwords and disable all accounts, but DO NOT delete the accounts. This should be done in directory services, remote access and all critical applications.
  • DO NOT use any of the employee’s hardware. Resist the urge to log in and “poke around.”
  • Backup and retain the user’s email files and home folders, as well as any copies of these that might exist from the employee’s final months. This should be a separate backup from your normal rotation. Access should be restricted, and deletion or modification should be prevented at the highest level.
  • Remember, disk drives and storage media are inexpensive. Prior to re-tasking equipment, remove all hard drives or other storage media. Record identifying information of both the media removed and the machines the information is removed from and secure this information in a restricted, safe location (e.g., safe, vault, safety deposit box, etc.).

If you absolutely need the user’s workstation configuration, either have a forensic professional make a bit-level image using forensically sound processes, or have an IT professional use a cloning utility to make an image of the drive. Replace the original drive with the new image to go forward with and remove the original drive, record identifying information and place it in secure storage in the event analysis is needed at a later date.

Why is this so important? Because if the employee was engaged in some wrongdoing, you can’t hold them accountable if you log into their computer to look around, or if you reassign it to another employee. The evidence is no longer there or usable. 

It’s also key to force password changes throughout your organization when one employee leaves. Coworkers tend to trust one another, and it’s not usual to see instances where employees shared their password with another employee because something needed to be done expeditiously, afterhours or while they were out of the office. Forcing a password change organization-wide greatly mitigates this risk.

If the departing employee was a member of IT, don’t forget to change all administrative and service passwords. Examine directory services for unusual accounts and reconfigure wireless access points, remote access, etc. Include mandatory changes to password credentials for all external applications, such as online banking, vendor and customer sites, cloud storage, etc.

Information security policies

Strong policies can help your organization manage and avoid unwanted issues caused by former employees and those who are about to become ex-employees. If individuals can still access your network or are able to take proprietary information with them, you are vulnerable. And if you don’t retain data, logs and even equipment, you’re at a disadvantage should you or the former employee decide to pursue litigation.

At Wipfli, we perform fraud risk assessments, internal controls reviews and assessments, digital forensics and other services that can help your organization mitigate risk. Learn more about our services here, or keep reading on in these articles:

The secrets of fraud prevention

How to respond to fraud

Financial fraud: what to do when an employee steals from you

Author(s)

Marc Courey
Marc W. Courey, CPA/CFF, JD, LLM, CFE, CICA, CCEP, CIA
Director – Forensic & Litigation Services
View Profile