Removal of Accesses: Pull the Key from the Lock
By Gideon T. Rasmussen, CISSP, CISA, CISM, SCSA
Systematic removal of accesses refers to revoking physical
and logical accesses when a person leaves an organization
or their role changes. In the absence of a formal process,
lingering privileges can be used to access systems, applications
and office space. Potential damage includes theft of funds,
equipment or intellectual property, disclosure of confidential
information, or harm to property or personnel. In practice
it can be difficult to completely rescind a person's accesses,
which is why the process must be deliberate rather than ad hoc.
Start by inventorying systems, applications and assets and
incorporate the respective administrators into access control
Human Resources (HR) should initiate out-processing by sending an
e-mail to a termination distribution list. Upon notification
from HR, Information Technology (IT) and building security
should configure accounts and ID access badges to expire
automatically at the end of the person's final day. Disable
accounts rather than deleting them at first, so that mailbox
and file ownership survive for hand-over or investigation.
Members of the termination list typically include system and
application administrators, the help desk, information security,
building security and
Departments and Teams
Out-processing does not end with HR, IT and building security.
Each department and team must track and appropriately rescind
accesses as required. Examples include e-mail distribution
lists, network or Exchange public folders, and group memberships.
Keep an inventory of file cabinet and storage room keys to
control access. If a department administers its own applications,
ensure their administrators are included in termination notification.
This is especially true for financial applications. Each department
is also responsible for closing accounts the person held with
external organizations and removing them as a named point of
contact.
for Temporary and Contract Personnel
Temporary and contract personnel should have their accesses
issued to expire at the conclusion of their contract. Send
notification two weeks in advance of disabling accounts so
that supervisors can extend access if the engagement has been
extended. Record an extension as a new end date rather than
by removing the expiry, so the account never becomes open-ended.
A process must exist to ensure personnel are completely out-processed
on their final day. HR should conduct exit interviews and
collect company equipment and building access cards. The finance
department is responsible for providing a final paycheck and
removing employees from payroll. IT accesses must also be
completely rescinded as a matter of process (e.g. network,
e-mail, remote access and voicemail). Shared secrets the person
knew, such as door codes and service account passwords, cannot
be rescinded and must be changed instead. HR should confirm
with each recipient of the distribution list that access has
been rescinded. Confirmation should be in the form of a signature,
an e-mail or an entry in an application. Without formal
confirmation, the process is likely to break down. Retain
completed checklists and confirmation artifacts for audit
purposes.
Change in Role
When a person is promoted or transfers to another team, a
process should be initiated to review their current privileges.
Rescind accesses that are not required in the performance
of the duties of the new position, and grant the new position's
accesses as a fresh request rather than on top of the old ones,
so that privileges do not accumulate with each move.
In the event of an involuntary termination or a disgruntled
employee, information security personnel should be engaged early
to ensure timely and comprehensive removal of accesses. There
are several options to weigh. For example, a person's accesses
can be rescinded immediately, after they leave for the day or
while the person is in a surprise out-processing meeting.
Involving information security in advance also gives them the
chance to inventory the person's privileges so that all of them
are rescinded.
Each function needs to self-audit to ensure their process
is actually working. This is where many organizations fall
down. Physical and logical accesses must be documented (e.g.
through a form, a ticket, an e-mail or a database). Once per
quarter, HR should send a list of current personnel, asking
recipients to compare the list to active accounts and privileges.
Match on a stable identifier such as the employee ID rather
than on names, which change and collide. Anyone not on the list
should have their access rescinded. HR should follow up with
each area to confirm compliance and record the results.
Systematic removal of accesses and self-audits should be automated
as much as possible. Expire accounts after a period of inactivity.
Where possible, authenticate applications against Active Directory,
LDAP or single sign-on software rather than local account stores.
In this manner, when the network account is disabled, application
access is cut off with it. Applications that keep local accounts,
cached credentials or long-lived sessions and tokens still need
their own revocation step. Medium-sized organizations may
have the resources to build an entitlements database that tracks
accesses, with termination notification and quarterly self-audit
reminders built in. Large organizations should consider
further automation (e.g. integration of HR and finance systems,
with automated revocation of accounts across platforms or
automated ticket creation requesting that access be rescinded).
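The quarterly self-audit and the automation described above come down to one reconciliation job: compare the HR roster to what the systems actually hold, flag accounts with no current owner, accounts idle past a threshold, contract accounts ending inside the two-week notice window, and accounts whose expiry was never set. The following is an added example, not code from the article or its author; the roster, the account export and the audit date are constructed for the demo, and the system names, employee IDs and thresholds are assumptions. In practice the roster would come from HR and the account list from an AD/LDAP export or an application's own administration console.

```python
"""Quarterly access self-audit: reconcile an HR roster against an account export.

Added example, not from the article. All data below is constructed for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Person:
    emp_id: str            # stable HR identifier; never match on names
    name: str
    status: str            # "active" or "terminated"
    end_date: date | None  # contract end or termination date, if known


@dataclass(frozen=True)
class Account:
    system: str
    username: str
    owner_id: str | None   # HR emp_id the account is tied to; None = unowned
    last_logon: date | None
    expires: date | None   # expiry configured in the system, if any


AS_OF = date(2024, 4, 1)  # constructed audit date

ROSTER = [  # constructed HR list of current personnel
    Person("E1001", "A. Ng", "active", None),
    Person("E1002", "B. Ortiz", "terminated", date(2024, 3, 15)),
    Person("C2001", "D. Patel (contractor)", "active", date(2024, 4, 10)),
    Person("E1003", "F. Kim", "active", None),
]

ACCOUNTS = [  # constructed export from three systems
    Account("ad", "ang", "E1001", date(2024, 3, 29), None),
    Account("ad", "bortiz", "E1002", date(2024, 3, 14), None),      # owner terminated
    Account("payroll", "bortiz", "E1002", date(2024, 2, 1), None),  # owner terminated
    Account("ad", "dpatel", "C2001", date(2024, 3, 30), date(2024, 4, 10)),
    Account("vpn", "dpatel", "C2001", date(2024, 3, 28), None),     # contractor, no expiry set
    Account("vpn", "fkim", "E1003", date(2023, 11, 20), None),      # idle for months
    Account("payroll", "svc_report", None, None, None),             # no owner, never used
]


def orphaned_accounts(roster, accounts):
    """Accounts whose owner is not on the current roster: the quarterly HR comparison."""
    active_ids = {p.emp_id for p in roster if p.status == "active"}
    return [a for a in accounts if a.owner_id not in active_ids]


def inactive_accounts(accounts, as_of, max_idle_days=90):
    """Accounts with no logon inside the idle window (or none at all)."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return [a for a in accounts if a.last_logon is None or a.last_logon < cutoff]


def expiring_soon(roster, accounts, as_of, notice_days=14):
    """Accounts of active personnel whose end date falls inside the notice window,
    so the supervisor can extend the engagement before access is cut off."""
    window_end = as_of + timedelta(days=notice_days)
    ending = {p.emp_id for p in roster
              if p.status == "active" and p.end_date is not None
              and as_of <= p.end_date <= window_end}
    return [a for a in accounts if a.owner_id in ending]


def missing_expiry(roster, accounts):
    """Accounts of active personnel with a known end date whose expiry was never
    set, or was set later than the end date HR holds."""
    end_dates = {p.emp_id: p.end_date for p in roster
                 if p.status == "active" and p.end_date is not None}
    return [a for a in accounts
            if a.owner_id in end_dates
            and (a.expires is None or a.expires > end_dates[a.owner_id])]


def audit(roster, accounts, as_of, max_idle_days=90, notice_days=14):
    """Run every check and merge the findings per (system, username)."""
    report = {}

    def add(acct, action, reason):
        report.setdefault((acct.system, acct.username), []).append((action, reason))

    for a in orphaned_accounts(roster, accounts):
        add(a, "revoke", "owner not on current HR roster")
    for a in inactive_accounts(accounts, as_of, max_idle_days):
        add(a, "revoke", f"no logon in {max_idle_days} days")
    for a in expiring_soon(roster, accounts, as_of, notice_days):
        add(a, "notify", "engagement ends within notice window")
    for a in missing_expiry(roster, accounts):
        add(a, "set-expiry", "no expiry, or expiry later than HR end date")
    return report


def revocations(report):
    """Sorted (system, username) pairs that need a revocation ticket."""
    return sorted(key for key, findings in report.items()
                  if any(action == "revoke" for action, _ in findings))


if __name__ == "__main__":
    for (system, user), findings in sorted(audit(ROSTER, ACCOUNTS, AS_OF).items()):
        for action, reason in findings:
            print(f"{system:8} {user:12} {action:10} {reason}")
```

Each "revoke" finding is what the article asks each area to act on after the quarterly HR list arrives; "notify" goes to the supervisor so a contract extension can be recorded as a new end date; "set-expiry" catches accounts that were provisioned without the expiry the contract called for. The unowned service account shows up twice, as orphaned and as never used, which is exactly the kind of lingering access the process exists to catch.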
The information security team should oversee the organization's
access control processes to ensure accesses are appropriately
rescinded and self-audits are conducted. The information security team
is also responsible for incorporating systematic removal of
accesses into the awareness program. Employees should be encouraged
to take an active part in out-processing and to contact security
if they notice a former employee still has access.
The very nature of out-processing has an awareness component
that strengthens the security program. Maintaining tight access
control throughout the organization helps establish a culture
of security and prevent fraud, waste and abuse. Systematic
removal of accesses is a process that is well worth the effort.
Gideon T. Rasmussen
is a Charlotte-based information security professional with
a background in Fortune 50 and military organizations. His
website is http://www.gideonrasmussen.com.
Copyright © 2006 ISSA Journal
Reprinted with Permission