Employee Termination And Information Security

Author: iAMrjPublished: Apr 30, 2006 at 12:41 am 1 comment

Letting an employee go can be a dirty job, but a company's information technology (IT) department must help do it.

It is necessary to involve IT in the employee termination process because a former employee who still has access to a company's network and proprietary corporate data is a security threat.

Moreover, it is smart to conserve certain technological resources, data, and logs in the event that the former employee or company itself decides to pursue litigation.

Finally, it is essential to integrate IT into the process to help ensure that employee termination controls are comprehensive enough to meet relevant Sarbanes-Oxley requirements.

Information security and data retention policies must be company-specific and tailored to the laws under which the company operates. Nevertheless, there are at least three broad principles to which a company should adhere when and after terminating an employee.

Prompt notification of termination

Every company should have a strictly enforced policy that clearly states who is to notify whom when someone's employment is ending or has ended. This policy should also mandate that these notifications be given immediately.

An information security contact should be among those who are notified, and this person's responsibilities should entail researching, documenting, and revoking an employee's access to the company's electronically stored proprietary information and its information systems.

Prudent revocation of access

In the case of a terminated employee, IT should immediately revoke all computer, network, and data access the former employee has. Remote access should also be removed, and the former employee should be dispossessed of all company-owned property, including technological resources like a notebook computer and intellectual property like corporate files containing customer, sales, and marketing information.

However, in the case of an employee whose end of employment is only imminent, IT should consult with the employee's manager, Human Resources, and other key decision-makers to determine the appropriate manner in which to stagger the revocation of access over the person's remaining days of employment.

Just as the granting of access and security clearances should be documented for future reference, the revocation of access should also be documented, especially for legal purposes. The goal, of course, should always be to revoke access in ways that makes good business sense financially, technologically, and legally.

Continued on the next page Page 1 — Page 2

Article tags

Spread the word
Bookmark and Share
Profile image for iamrj

Article Author: iAMrj

richard jones (www.iamrj.com) is a freelance writer living near Detroit, Michigan, and co-founder of Alopecia World, a unique and exciting social network for hair loss "sufferers," their loved ones and friends.

Visit iAMrj's author pageiAMrj's Blog

Read comments on this article, and add some feedback of your own

Article comments

  • 1 - Aaman

    Apr 30, 2006 at 9:47 am

    Good points, this is standard practice, however, in many large corporations, I believe

Add your comment, speak your mind

Personal attacks are NOT allowed.
Please read our comment policy.
Please preview your comment.

blogcritics lists for Nov 29, 2009

fresh articles Most recent articles site-wide

fresh comments Most recent comments site-wide

most comments Most comments in 24hrs

top writers Most prolific Blogcritics for October

top commenters Most prolific Commenters in 24 hrs

Culture Highlights