Security Experts:

Considerations When Firing a Network Security Administrator

When it comes to letting someone go, very rare will you find a business leader who enjoys that part of the job. When you have to fire a network security administrator, not only is it a downer, it’s a risky proposition – unless you follow basic steps.

Pivot Point Security, an information security assessment firm, has published 24 things to consider when releasing a network security administrator from his or her job. Some of the items on the list go without saying, and others are essential. Here are a few key considerations when you have to let that someone in that all important position go:

ManagementPre-termination:

• Understand what systems are external to your organization for which the user may have privileged access: hosted web sites, ISP routers, exposed administrative interfaces on firewalls, DR sites, PBX interfaces. User account reviews and changing of administrative level passwords post-firing are likely necessary. Be aware that system-to-system communication may leverage these passwords and that some things may “break” if you don’t map these dependencies before making the changes.

• Ensure that all remote access mechanisms - VPN, Citrix, Terminal Services, and Dial up modems/RAS are secure. Determine if local authentication takes place at any of these points (as post-firing you will need to disable the employee’s accounts), do a review/clean-up of all accounts, and force a password change.

Termination:

• De-provision access to all systems possible just prior to notifying the individual. (Remove all administrative access)

• Ensure that all assets: phones, PDA’s, laptops, credit cards, keys, access cards, and tokens are retrieved and tracked.

• Notify all personnel immediately that the person is no longer an employee and that any communication with the individual needs to be reported to management.

• Notify all consultants, vendors, and business partners immediately that the person is no longer an employee and that any communication with the individual needs to be reported to management.

Post-termination:

• Remove all ex-employee administrative access.

• Change company domain account password with domain name vendors. Change the technical administrative contact if necessary.

• Ghost laptop and make copy of all shares with critical data.

• Change voice mail password.

• For all critical systems (remote access, key applications, firewalls, etc.) validate that logging is enabled and working properly and monitor the logs for a period of time to detect any rogue access attempts.

As the report notes, the greater risk the employee and situation pose – the more of these practices you will need to execute. The full PDF for “Firing a Network Security Administrator – Best Practices” can be found here.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.