Exit process? - SANS Internet Storm Center

Exit process?
A recent experience with the exit process used by a company spurred me to write about the process by which an organization terminates employees or contractors. The very first question is, does your organization have both policy and procedures to deal with: a) employees leaving voluntarily b) employees being terminated c) contractors coming and going d) special cases The next question is, do your employees actually follow the policies and procedures, or is there a fair amount of ad-libbing? Discretion in the hands of line management can be a good thing, or a recipe for disaster. I have alsways found checklists to be a good thing. One employer I left I walked my replacement through the checklist, in case I had forgotten to put anything on it before I left. Good trial run for a new procedure. A friend of mine described a special case where a company founder left, however none of his access was changed. Another special case can be letting systems administrators or people like penetration testers go. So, some of the things to address are: - Physical access - Logical access - Anything only that person has access to, or special privileges. - All property - Non-disclosure agreement reminder - Intellectual property issues Update: Chris wrote in with the following: I've worked for several employers that didn't have a proper "exit" process... So I've had to write one up as one of my "final acts". They've tended to be employer-specific as I've worked in various sectors, so I can't share them easily :-( One area where checklists are almost essential is when an employee dies in service. People don't think straight in that situation, they make mistakes, they accidentally do things that others might think insensitive in the situation, and so on. Having checklists drawn up before such an event can save a whole lot of hassle and grief. Also, someone needs to make sure that critical systems don't rely on a leaver's account being present to function properly. I've encountered several systems over the years that were built around a specific person, which would then die horribly when that person's account was later removed. When I design or build a system, I make absolutely sure that it's designed to what I call the "V'Ger Rule". If you've seen "Star Trek: The Motion Picture", you'll understand. Put simply, the "V'Ger Rule" states: "A System must continue to operate in a correct and safe manner in the absence of its Creator". Or, put another way: 1. No blowing up any spaceships ; 2. No joyriding in Carbon Units ; 3. Fat, balding starship captains are to be shot on sight, especially ones that follow the "If you can't eat it, drink it, steal it, spend it or have sex with it, blow it up" mantra. ---------- Cheers, Adrien de Beaupré	Adrien de Beaupre 353 Posts ISC Handler Jul 19th 2008
Thread locked Subscribe	Jul 19th 2008 1 decade ago
If the company is ISO certified this process should be there anyway. But even if there is "no need" (as a certification or similar) it is in the interest of both the employer and the employee to have a process in place and have it documented for both parties, that the procedure was followed. It keeps nasty surprises from happening for everyone.	Anonymous
Quote	Jul 19th 2008 1 decade ago
When I think I'm going to leave a company, I start to make a list of the passwords that will need to be changed, access points that need to be removed, accounts that need to be deactivated or canceled, etc. Then, when I meet with my boss, I give him/her the list and ask that these be done before or as I leave. The reason I go to this trouble is so no question of whether I had still had access after the fact should arise. If something goes wrong after I've left a company, I don't want someone to be able to point a finger at me.	Anonymous
Quote	Jul 19th 2008 1 decade ago

A recent experience with the exit process used by a company spurred me to write about the process by which an organization terminates employees or contractors.

The very first question is, does your organization have both policy and procedures to deal with:
a) employees leaving voluntarily
b) employees being terminated
c) contractors coming and going
d) special cases

The next question is, do your employees actually follow the policies and procedures, or is there a fair amount of ad-libbing? Discretion in the hands of line management can be a good thing, or a recipe for disaster. I have alsways found checklists to be a good thing.

One employer I left I walked my replacement through the checklist, in case I had forgotten to put anything on it before I left. Good trial run for a new procedure. A friend of mine described a special case where a company founder left, however none of his access was changed. Another special case can be letting systems administrators or people like penetration testers go.

So, some of the things to address are:
- Physical access
- Logical access
- Anything only that person has access to, or special privileges.
- All property
- Non-disclosure agreement reminder
- Intellectual property issues

Update:

Chris wrote in with the following:

I've worked for several employers that didn't have a proper "exit" process... So I've had to write one up as one of my "final acts". They've tended to be employer-specific as I've worked in various sectors, so I can't share them easily :-(

One area where checklists are almost essential is when an employee dies in service. People don't think straight in that situation, they make mistakes, they accidentally do things that others might think insensitive in the situation, and so on. Having checklists drawn up before such an event can save a whole lot of hassle and grief.

Also, someone needs to make sure that critical systems don't rely on a leaver's account being present to function properly. I've encountered several systems over the years that were built around a specific person, which would then die horribly when that person's account was later removed.

When I design or build a system, I make absolutely sure that it's designed to what I call the "V'Ger Rule". If you've seen "Star Trek: The Motion Picture", you'll understand.

Put simply, the "V'Ger Rule" states:
"A System must continue to operate in a correct and
safe manner in the absence of its Creator".

Or, put another way:

1. No blowing up any spaceships ;
2. No joyriding in Carbon Units ;
3. Fat, balding starship captains are to be shot on sight,
   especially ones that follow the "If you can't eat it,
   drink it, steal it, spend it or have sex with it, blow
   it up" mantra.
----------
Cheers,
Adrien de Beaupré

Adrien de Beaupre

353 Posts
ISC Handler

Jul 19th 2008

If the company is ISO certified this process should be there anyway. But even if there is "no need" (as a certification or similar) it is in the interest of both the employer and the employee to have a process in place and have it documented for both parties, that the procedure was followed. It keeps nasty surprises from happening for everyone.

Anonymous

When I think I'm going to leave a company, I start to make a list of the passwords that will need to be changed, access points that need to be removed, accounts that need to be deactivated or canceled, etc. Then, when I meet with my boss, I give him/her the list and ask that these be done before or as I leave. The reason I go to this trouble is so no question of whether I had still had access after the fact should arise. If something goes wrong after I've left a company, I don't want someone to be able to point a finger at me.

Anonymous