When it comes to letting someone go, very rare will you find a business leader who enjoys that part of the job. When you have to fire a network security administrator, not only is it a downer, it’s a risky proposition – unless you follow basic steps.
Pivot Point Security, an information security assessment firm, has published 24 things to consider when releasing a network security administrator from his or her job. Some of the items on the list go without saying, and others are essential. Here are a few key considerations when you have to let that someone in that all important position go:
• Understand what systems are external to your organization for which the user may have privileged access: hosted web sites, ISP routers, exposed administrative interfaces on firewalls, DR sites, PBX interfaces. User account reviews and changing of administrative level passwords post-firing are likely necessary. Be aware that system-to-system communication may leverage these passwords and that some things may “break” if you don’t map these dependencies before making the changes.
• Ensure that all remote access mechanisms – VPN, Citrix, Terminal Services, and Dial up modems/RAS are secure. Determine if local authentication takes place at any of these points (as post-firing you will need to disable the employee’s accounts), do a review/clean-up of all accounts, and force a password change.
Termination:
• De-provision access to all systems possible just prior to notifying the individual. (Remove all administrative access)
• Ensure that all assets: phones, PDA’s, laptops, credit cards, keys, access cards, and tokens are retrieved and tracked.
• Notify all personnel immediately that the person is no longer an employee and that any communication with the individual needs to be reported to management.
• Notify all consultants, vendors, and business partners immediately that the person is no longer an employee and that any communication with the individual needs to be reported to management.
Post-termination:
• Remove all ex-employee administrative access.
• Change company domain account password with domain name vendors. Change the technical administrative contact if necessary.
• Ghost laptop and make copy of all shares with critical data.
• Change voice mail password.
• For all critical systems (remote access, key applications, firewalls, etc.) validate that logging is enabled and working properly and monitor the logs for a period of time to detect any rogue access attempts.
As the report notes, the greater risk the employee and situation pose – the more of these practices you will need to execute. The full PDF for “Firing a Network Security Administrator – Best Practices” can be found here.