Letting an employee go can be a dirty job, but a company’s information technology (IT) department must help do it.
It is necessary to involve IT in the employee termination process because a former employee who still has access to a company’s network and proprietary corporate data is a security threat.
Moreover, it is smart to preserve certain technological resources, data, and logs in the event that the former employee or the company itself decides to pursue litigation.
Finally, it is essential to integrate IT into the process to help ensure that employee termination controls are comprehensive enough to meet relevant Sarbanes-Oxley requirements.
Information security and data retention policies must be company-specific and tailored to the laws under which the company operates. Nevertheless, there are at least three broad principles to which a company should adhere when and after terminating an employee.
Prompt notification of termination
Every company should have a strictly enforced policy that clearly states who is to notify whom when someone’s employment is ending or has ended. This policy should also mandate that these notifications be given immediately.
An information security contact should be among those who are notified, and this person’s responsibilities should entail researching, documenting, and revoking an employee’s access to the company’s electronically stored proprietary information and its information systems.
Prudent revocation of access
In the case of a terminated employee, IT should immediately revoke all computer, network, and data access the former employee has. Remote access should also be removed, and the former employee should be required to return all company-owned property, including technological resources such as a notebook computer and intellectual property such as corporate files containing customer, sales, and marketing information.
However, in the case of an employee whose end of employment is only imminent, IT should consult with the employee’s manager, Human Resources, and other key decision-makers to determine the appropriate manner in which to stagger the revocation of access over the person’s remaining days of employment.
Just as the granting of access and security clearances should be documented for future reference, the revocation of access should also be documented, especially for legal purposes. The goal, of course, should always be to revoke access in ways that make good business sense financially, technologically, and legally.
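The following is an added example, not a procedure from the article: it records an access-revocation plan in the same shape as the record kept when access was granted, supports the staggered revocation described above for an employee whose departure is still some days away, and lets IT check what should already be revoked but has no recorded revocation. The systems, names, and dates are constructed.

```python
"""Access-revocation plan and audit trail for an offboarding.

Hypothetical example (not the article's own procedure): each access grant the
employee holds is matched by a dated revocation entry, so the revocation record
mirrors the record kept when access was granted. Systems, names and dates are
constructed."""
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Optional


@dataclass
class Grant:
    system: str              # e.g. "vpn", "email", "crm"
    level: str               # "user" or "admin"
    granted_on: date
    granted_by: str
    keep_until_last_day: bool = False  # manager/HR decided it is still needed for handover


@dataclass
class Revocation:
    system: str
    level: str
    scheduled_for: date      # when IT is to disable the access
    reason: str
    approved_by: str
    recorded_at: str         # UTC timestamp of when this plan entry was written
    revoked_at: Optional[str] = None   # filled in when IT actually disables it


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def plan_revocations(grants, last_day, today, approved_by):
    """One Revocation per grant.

    If the person has already left (today >= last_day) everything goes today.
    Otherwise privileged access and anything not flagged as needed for handover
    goes today; flagged grants are kept until the last day of employment."""
    plan = []
    for g in grants:
        if today >= last_day:
            when, why = today, "employment ended"
        elif g.level == "admin":
            when, why = today, "privileged access removed ahead of departure"
        elif g.keep_until_last_day:
            when, why = last_day, "retained for handover per manager/HR"
        else:
            when, why = today, "not required for remaining duties"
        plan.append(Revocation(g.system, g.level, when, why, approved_by, _now()))
    return plan


def mark_revoked(entry):
    """Record that IT has disabled the access (the evidence of revocation)."""
    entry.revoked_at = _now()
    return entry


def outstanding_access(plan, as_of):
    """Entries that should already be revoked by `as_of` but have no revoked_at."""
    return [e for e in plan if e.scheduled_for <= as_of and e.revoked_at is None]


# Constructed sample: notice received 2024-06-03, last day 2024-06-14.
NOTIFIED_ON = date(2024, 6, 3)
LAST_DAY = date(2024, 6, 14)
SAMPLE_GRANTS = [
    Grant("vpn", "user", date(2019, 3, 4), "it-helpdesk"),
    Grant("email", "user", date(2019, 3, 4), "it-helpdesk", keep_until_last_day=True),
    Grant("crm", "admin", date(2021, 8, 16), "sales-director"),
]

if __name__ == "__main__":
    plan = plan_revocations(SAMPLE_GRANTS, LAST_DAY, NOTIFIED_ON, "hr-partner")
    for e in plan:
        print(f"{e.system:6} {e.level:5} revoke on {e.scheduled_for}: {e.reason}")
    print("still open on last day:", [e.system for e in outstanding_access(plan, LAST_DAY)])
```

The `outstanding_access` check is the part worth running on the last day and again a few days later: any entry it returns is access the company believed was gone but never documented as disabled, which is exactly the gap a litigant would point at.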
Preemptive preservation of data
Every company should have data redundancy and retention policies that satisfy its business needs and adhere to applicable laws. Such policies address the backup, restoration, and preservation of corporate data in general.
However, a company should also enact policies that detail when and how IT should go about preserving potentially sensitive data, records, logs, and other materials that could be of legal significance should the company and the former employee end up in litigation. It is especially important to do this in the case of a former employee who held a high-level position or left the company under a cloud of suspicion.
Mark McLaughlin of Computer Forensics International notes,
An IT staff should only preserve subject data to the extent they are trained to do so. Creating a backup image of software for later deployment or archive is different than creating an evidentiary image. All evidentiary images must be non-invasive, meaning the original data must not be altered in any way. Further, chain of custody is very important when handling evidence. Not only should narratives of who did what and when be created, but the physical control of the resulting evidence must be secured. I’ve personally handled several cases, and heard of thousands more, where IT departments or even law firms have ventured into uncharted waters to save a buck and cost the company big!
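As an added example that is not Computer Forensics International's procedure or the article's own, the script below shows the two properties the quotation insists on at the level of a single file: the original is opened read-only and hashed before and after the copy (so any alteration of the original during acquisition is caught), the copy is hashed and compared, and every acquisition and hand-off is appended to a chain-of-custody record that re-verifies the hash. The file names, case id, and people are constructed.

```python
"""Non-invasive preservation of a file as evidence, with a chain-of-custody
record. Hypothetical example: the source is only ever read, hashed before and
after copying, the copy is verified against it and stored read-only, and each
hand-off re-hashes the copy and logs who received it. Paths are constructed."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:          # read-only: the original is never written to
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def _save(record):
    with open(record["image"] + ".custody.json", "w") as f:
        json.dump(record, f, indent=2)


def preserve(source, evidence_dir, custodian, case_id):
    """Copy `source` into `evidence_dir`, verify it, and return the custody record."""
    os.makedirs(evidence_dir, exist_ok=True)
    before = sha256_of(source)
    dest = os.path.join(evidence_dir, os.path.basename(source) + ".img")
    shutil.copyfile(source, dest)
    after = sha256_of(source)
    if before != after:
        raise RuntimeError("original changed during acquisition; copy is not evidentiary")
    if sha256_of(dest) != before:
        raise RuntimeError("evidence copy does not match the original")
    os.chmod(dest, 0o444)                # evidence copy stored read-only
    record = {
        "case_id": case_id,
        "source": os.path.abspath(source),
        "image": dest,
        "sha256": before,
        "custody": [{"at": _now(), "who": custodian,
                     "action": "acquired copy, hash verified against original"}],
    }
    _save(record)
    return record


def transfer(record, from_person, to_person):
    """Document a hand-off; the copy is re-hashed so tampering in between shows up."""
    ok = sha256_of(record["image"]) == record["sha256"]
    record["custody"].append({"at": _now(), "who": to_person,
        "action": f"received from {from_person}; hash {'verified' if ok else 'MISMATCH'}"})
    _save(record)
    return ok


def demo():
    """Constructed sample: a small 'mailbox export' in a temporary directory."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "mailbox-export.pst")
    with open(src, "wb") as f:
        f.write(b"constructed sample content " * 1000)
    rec = preserve(src, os.path.join(work, "evidence"), "it-admin", "CASE-PLACEHOLDER-001")
    handoff_ok = transfer(rec, "it-admin", "outside-counsel")
    # Simulate an alteration of the copy after hand-off: the next transfer must flag it.
    os.chmod(rec["image"], 0o644)
    with open(rec["image"], "ab") as f:
        f.write(b"x")
    tamper_seen = not transfer(rec, "outside-counsel", "forensic-examiner")
    return {"record": rec, "handoff_ok": handoff_ok, "tamper_detected": tamper_seen}


if __name__ == "__main__":
    out = demo()
    print(json.dumps(out["record"]["custody"], indent=2))
    print("hand-off verified:", out["handoff_ok"], "| tampering detected:", out["tamper_detected"])
```

A real evidentiary image is of a whole device and is taken with a write blocker and forensic tooling rather than `shutil.copyfile`; the point here is the discipline around it, which is what the quotation says untrained IT staff skip: the original is never written to, the hash is recorded at acquisition, and every later holder re-verifies it and signs the log.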
It all comes down to teamwork.
The adoption and application of these three principles should be the collective work of the company’s executive staff, IT and HR departments, and legal counsel that specializes in computer forensics and the laws governing the company’s use of computing technology.
The results of this cooperative effort should be greater protection of corporate data as well as better preparedness for litigation regarding corporate data theft, hacking, and other forms of illegal or ill-advised uses of computing technology.