Control of the Week #5: Access Control – Access Revocation During Employee Termination
This week’s control is on revoking departing employees' access to your systems and data. Jose Costa (CISO at Tugboat Logic), Harpreet Shergill (Senior Manager, IS Risk & Compliance at Tugboat Logic), and Chika Nwajagu (Senior Security Analyst at Tugboat Logic) explain why revoking your departing employees' access is important and how you can implement it for your audits.
Why this control is important
"AC3.2 - Revoke Access on Termination - Management utilizes an employee termination checklist to ensure that the termination process is consistently executed and access is revoked for terminated employees in a timely manner."
Failing to revoke former employees' access to your systems and data in a timely manner is one of the most common mistakes that lead to auditors finding you non-compliant. Auditors will check whether you terminated access and when you did so (like everything in life, timing is key).
Short-term, you need to implement this control to pass your audit. Long-term, you need this control in order to "protect ya neck" to quote the lyrical masters from Shaolin aka the Wu-Tang Clan. Think about it: employees who part with any organization (regardless of choice) could have malicious intent and steal truckloads of data. Or worse, they could sabotage your systems and lock their former co-workers out!
As your org grows, more users are going to have access to your data, which makes it difficult to manage who should and should not have access. Ideally, these users would be managed with an on/offboarding process, but organizations sometimes overlook that documentation process.
How to implement this control for your audits
Like other access controls (e.g. Control of the Week #4 on reviewing user access), having a list of employees in each role and the types of access they have helps to ensure compliance during offboarding. Also, make sure an offboarding checklist exists, is being followed to a "T", and that access termination is a part of it. Designate people to own these tasks and then have them execute those tasks whenever people leave your org.
Offboarding Tasks You Need to Think About
The type of access that needs to be revoked (e.g. physical access to the building or administrator access to a software tool).
Physical assets that need to be returned (e.g. ID cards or laptops).
Network and system access – ensure access is terminated on the same day, including access to any applications or system components the terminated user could reach.
Passwords for shared accounts – ensure passwords to shared accounts are either changed or disabled (as required). This also includes email and remote access.
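The per-role access list and the same-day revocation requirement above can be checked mechanically. The following is an added example, not Tugboat Logic's tooling: it reconciles a constructed HR termination feed against a constructed access inventory, builds the offboarding checklist for a departing user, and reports what an auditor would flag (access still active, or revoked after the termination date). Usernames, system names and dates are all made up.

```python
# Added example (not the page's or Tugboat Logic's code): reconcile an HR
# termination feed against an access inventory and report audit findings.
from datetime import date, timedelta

# Constructed sample HR feed: termination date keyed by username.
TERMINATIONS = {"jdoe": date(2024, 3, 1), "asmith": date(2024, 3, 5)}

# Constructed access inventory: one row per (user, system). kind="shared"
# marks a shared account whose password the user knew; revoked_on is None
# while the access is still live.
INVENTORY = [
    {"user": "jdoe",   "system": "vpn",         "kind": "user",     "revoked_on": date(2024, 3, 1)},
    {"user": "jdoe",   "system": "aws-admin",   "kind": "admin",    "revoked_on": None},
    {"user": "jdoe",   "system": "ops-mailbox", "kind": "shared",   "revoked_on": None},
    {"user": "asmith", "system": "badge",       "kind": "physical", "revoked_on": date(2024, 3, 8)},
    {"user": "bwong",  "system": "vpn",         "kind": "user",     "revoked_on": None},
]


def offboarding_checklist(user, inventory=INVENTORY):
    """Every grant recorded for `user`, with the action the checklist owner must take.
    Shared accounts cannot be 'revoked' per person, so they need a password rotation."""
    items = []
    for row in inventory:
        if row["user"] != user:
            continue
        action = "rotate password" if row["kind"] == "shared" else "revoke"
        items.append((row["system"], action))
    return items


def revocation_findings(terminations=TERMINATIONS, inventory=INVENTORY, grace_days=0):
    """Audit-style findings for terminated users: access still active, or revoked
    later than termination date + grace_days (0 = same-day, as the checklist requires)."""
    findings = []
    for row in inventory:
        term = terminations.get(row["user"])
        if term is None:
            continue  # still employed; not in scope for this control
        deadline = term + timedelta(days=grace_days)
        if row["revoked_on"] is None:
            findings.append((row["user"], row["system"], "still active"))
        elif row["revoked_on"] > deadline:
            late = (row["revoked_on"] - deadline).days
            findings.append((row["user"], row["system"], f"revoked {late} day(s) late"))
    return findings


if __name__ == "__main__":
    for finding in revocation_findings():
        print(*finding)
```

In practice the two inputs would come from the HR system export and from each system's account list; the reconciliation logic stays the same.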
Other things to keep in mind for this control
While creating or defining an offboarding checklist, leverage the checklist you used for onboarding to determine what kind of access was originally provided. Think of onboarding and offboarding as two linked processes: the access and assets provided during onboarding become the list of what to remove and recover during offboarding. The key is to determine what kind of access users had at the time of termination, and then revoke all of it accordingly. Have the departing employee sign a "Termination Agreement" that spells out their responsibility to keep company data confidential after employment ends, and the consequences of failing to do so.
As always, give us a shout if you have any questions about the controls and how to implement them.