Letting an employee go can be a dirty job, but a company's information technology (IT) department must help do it.
It is necessary to involve IT in the employee termination process because a former employee who still has access to a company's network and proprietary corporate data is a security threat.
Moreover, it is smart to conserve certain technological resources, data, and logs in the event that the former employee or company itself decides to pursue litigation.
Finally, it is essential to integrate IT into the process to help ensure that employee termination controls are comprehensive enough to meet relevant Sarbanes-Oxley requirements.
Information security and data retention policies must be company-specific and tailored to the laws under which the company operates. Nevertheless, there are at least three broad principles to which a company should adhere when and after terminating an employee.
Prompt notification of termination
Every company should have a strictly enforced policy that clearly states who is to notify whom when someone's employment is ending or has ended. This policy should also mandate that these notifications be given immediately.
An information security contact should be among those who are notified, and this person's responsibilities should entail researching, documenting, and revoking an employee's access to the company's electronically stored proprietary information and its information systems.
Prudent revocation of access
In the case of a terminated employee, IT should immediately revoke all computer, network, and data access the former employee has. Remote access should also be removed, and the former employee should be dispossessed of all company-owned property, including technological resources like a notebook computer and intellectual property like corporate files containing customer, sales, and marketing information.
However, in the case of an employee whose end of employment is only imminent, IT should consult with the employee's manager, Human Resources, and other key decision-makers to determine the appropriate manner in which to stagger the revocation of access over the person's remaining days of employment.
Just as the granting of access and security clearances should be documented for future reference, the revocation of access should also be documented, especially for legal purposes. The goal, of course, should always be to revoke access in ways that makes good business sense financially, technologically, and legally.