Terminating a systems administrator

Perhaps one of the most challenging situations in an IT organization is to let a systems administrator go. This individual has the proverbial keys to the kingdom as a trusted member of your corporate team. If the time comes to part ways, it’s imperative to do a thorough job of removing the employee’s physical and logical access to your network and facilities.

The first step is to consult with the appropriate legal, human resources and management personnel to ensure a proper basis for the termination or to work out the severance specifics for the layoff. Next you can zero in on the technical and security issues that need to be addressed. The goal is to complete the process with little or no disruption of business processes and to do it in a professional and complete manner.

You need to eliminate the employee’s access to corporate sites and assets, networks, systems and applications to prevent him from damaging company property and data. Accomplishing this requires inventory, planning, execution and monitoring. What follows are some guidelines for completing the four-step process.


Phase One: Inventory

Inventory all the devices, systems and applications to which that individual might have access. List all the accounts the employee holds and any orphan accounts (those without known owners). Pay special attention to privileged accounts that either have administrator rights or can modify accounts. List all system and application accounts that are used by various processes on those systems. Finally, look for any rogue devices, system processes or applications that should not be part of legitimate system builds.
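An added example (not from the original article) of the account inventory on one Unix-like host: it parses constructed passwd and group contents against a hypothetical ownership register and sorts accounts into those the employee holds, privileged accounts, orphans and service accounts. The register, the admin group names and the UID threshold of 1000 are assumptions.

```python
# Constructed sample data for one Unix-like host (not from the article).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jdoe:x:1001:1001:J. Doe:/home/jdoe:/bin/bash
asmith:x:1002:1002:A. Smith:/home/asmith:/bin/bash
toor:x:0:0::/root:/bin/sh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
dbsync:x:998:998::/opt/dbsync:/bin/bash
"""
GROUP = """\
sudo:x:27:jdoe
wheel:x:10:
jdoe:x:1001:
"""
# Hypothetical ownership register: account -> documented owner.
OWNERS = {"root": "it-ops", "jdoe": "jdoe", "asmith": "asmith", "backup": "it-ops"}
ADMIN_GROUPS = {"sudo", "wheel"}  # assumption: groups that grant admin rights
NOLOGIN = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

def inventory(passwd, group, owners, employee):
    """Sort local accounts into the categories the inventory step asks for."""
    admins = set()
    for line in group.splitlines():
        name, _, _, members = line.split(":")
        if name in ADMIN_GROUPS:
            admins.update(m for m in members.split(",") if m)
    report = {"held": [], "privileged": [], "orphan": [], "service": []}
    for line in passwd.splitlines():
        user, _, uid, _, _, _, shell = line.split(":")
        if owners.get(user) == employee:
            report["held"].append(user)
        if uid == "0" or user in admins:       # root-equivalent or admin group
            report["privileged"].append(user)
        if user not in owners and shell not in NOLOGIN:
            report["orphan"].append(user)      # can log in, nobody answers for it
        if 0 < int(uid) < 1000:                # assumption: system/application range
            report["service"].append(user)
    return report

def accounts_needing_action(report):
    """Every account to disable or re-key when the administrator leaves."""
    names = report["held"] + report["privileged"] + report["orphan"] + report["service"]
    return sorted(set(names))

if __name__ == "__main__":
    r = inventory(PASSWD, GROUP, OWNERS, "jdoe")
    print(r, accounts_needing_action(r))
```

The second root-equivalent account (`toor`) and the undocumented `dbsync` login both surface as orphans, which is the kind of finding the inventory is meant to produce before the planning step.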

Now is a good time to review the company’s current information security position. A third party often can perform a vulnerability assessment or audit. This will provide you with a current list of threats and vulnerabilities that require attention.


Phase Two: Planning

Identify the specific personnel and management necessary to complete the termination process. Ideally, you’ll tell them what they need to do, and why, with as little advance notice as possible. Try to pick a time when the systems administrator is busy.

Have your network, systems and backups inventoried, checked, verified and available for use in case you need to rebuild and reinstall any of the network devices, operating systems or data.

Figure out how you’ll go about eliminating physical access, network/systems access and application access. Human resources, security or facilities departments usually handle physical security. Human resources will coordinate the retrieval of the employee’s ID badge, access swipe cards, keys, combination locks and safe combinations, and inform security personnel of the employee’s departure.

Network/systems access must be removed at the same time. Based on the inventory completed in Phase One, you should know all the network devices the employee controls. You’ll need an IT professional to handle the task of disabling access and changing passwords on those devices. A second person might be required to disable network access and change passwords to operating systems.

Application access also needs to be disabled and passwords changed on all the privileged accounts the administrator uses.


Phase Three: Execution

Executing the plan requires that all the management and personnel resources are available to complete the termination process. The timing of the event is in your control unless the employee or contractor has violated a law or policy that requires immediate dismissal. If you can pick the time, midweek is best because technical resources are more readily available to deal with any operational issues.

Document all assignments and whom you’ve chosen to complete each task. Record all activity in a log and create a report that is turned in to senior management. Begin executing the plan the evening before or early on the day that the systems administrator will be terminated.

Follow all human resources policies and procedures and use the termination-process notification and exit interview as an opportunity to ask if the employee or contractor set up any devices, software or accounts that aren’t documented. Immediately disable or change any that you identify. Be civil and polite during this process, and maintain your professionalism at all times.

Tell the employee that this was a business decision and that your concerns are about the safety and security of the company’s information resources. Escort or remove the terminated employee according to human resources policies and procedures.


Phase Four: Monitoring

Monitoring should begin immediately once all access is removed and the terminated employee has been notified. Pay particular attention to the privileged accounts for usage and access to the devices formerly under the employee’s control. Any use of those accounts should be considered suspicious and investigated thoroughly. Many intrusion-detection systems (IDS) will consolidate the audit and log files of various devices and software. The IDS can monitor the trends of all usage of privileged accounts.
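An added example (not part of the original article) of the monitoring check: it scans consolidated authentication logs and reports every use of a watched account after the access cutoff, whether the attempt succeeded or failed. The log lines, account names, cutoff time and the ISO-timestamp log layout are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample of consolidated sshd/sudo log lines (ISO timestamp, host, message).
LOG = """\
2024-03-13T08:55:02 gw1 sshd[811]: Accepted password for jdoe from 10.0.4.17 port 50122 ssh2
2024-03-13T09:40:10 db2 sshd[902]: Accepted publickey for asmith from 10.0.4.30 port 50200 ssh2
2024-03-13T11:02:45 gw1 sshd[950]: Failed password for jdoe from 203.0.113.9 port 41000 ssh2
2024-03-13T23:17:31 db2 sshd[977]: Accepted password for dbsync from 203.0.113.9 port 41044 ssh2
2024-03-14T01:03:00 db2 sudo: dbsync : TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/bin/bash
"""
# Assumptions: accounts the administrator held or knew, and when access was removed.
WATCHED = {"jdoe", "root", "toor", "dbsync"}
CUTOFF = datetime(2024, 3, 13, 9, 0, 0)

SSHD = re.compile(r"sshd\[\d+\]: (Accepted|Failed) \S+ for (?:invalid user )?(\S+) from (\S+)")
SUDO = re.compile(r"sudo:\s+(\S+) : .*USER=(\S+) ; COMMAND=(.+)")

def suspicious_events(log, watched, cutoff):
    """Return (time, host, account, action, detail) for watched-account use after cutoff."""
    alerts = []
    for line in log.splitlines():
        stamp, host, rest = line.split(" ", 2)
        if datetime.fromisoformat(stamp) < cutoff:
            continue                      # activity before access was removed
        m = SSHD.search(rest)
        if m and m.group(2) in watched:
            action = "login-succeeded" if m.group(1) == "Accepted" else "login-failed"
            alerts.append((stamp, host, m.group(2), action, m.group(3)))
            continue
        m = SUDO.search(rest)
        # Flag sudo when either the caller or the target account is watched.
        if m and (m.group(1) in watched or m.group(2) in watched):
            alerts.append((stamp, host, m.group(1), "sudo-to-" + m.group(2), m.group(3)))
    return alerts

if __name__ == "__main__":
    for alert in suspicious_events(LOG, WATCHED, CUTOFF):
        print(*alert)
```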

Even in the best of circumstances, a systems administrator’s dismissal and the clean-up process can be lengthy and laborious. With a proper process in place you can reduce the risks associated with such a termination and minimize the stress on all involved.

Howell is a consultant and Lawson is managing consultant for the security practice of Greenwich Technology Partners, and both are also Certified Information Systems Security Professionals. They can be reached at fhowell@greenwichtech.com and dlawson@greenwichtech.com, respectively.