A Comprehensive and Secure Approach to Offboarding Employees
Posted by: Carla Brinker
SSO Security Procedures
An employee has given notice, and it’s time to remove their access. Easy, right? User access was a problem in the past, so SSO (single sign-on) was implemented, and user access became so much easier. Now the employee is leaving the organization, so you’ve disabled their SSO account and you think all access is removed. But wait!
While user access is no longer the bane of administrators, SSO is not the only place to look when removing access. Many points of access cannot be integrated with SSO. Door badges, metal keys, external drives, hardware tokens, certificates, and similar items typically sit outside SSO but still allow access to company data (either in whole or in part). Disabling an SSO identity also does not revoke credentials that were issued independently of it: API keys, personal access tokens, SSH keys, and long-lived session tokens the employee created remain valid until they are explicitly revoked or rotated.
Secure Employee Offboarding Checklist
Other assets, such as the VPN and cloud-based assets, need to be evaluated to determine if the user had access. It will also be necessary to determine if they had access to any service accounts or administrative accounts that now require a password change; a shared credential cannot be “disabled” for one person, only rotated. Other things that will need to be changed include encryption keys (if the employee had access to or knowledge of the keys), cloud root credentials, and credentials for source code repositories, domain registrar and certificate accounts, non-integrated network and OT (Operational Technology) devices, and security tools such as SIEM (security information and event management), EDR (endpoint detection and response), NDR (network detection and response), FIM (file integrity monitoring), NTP (Network Time Protocol) authorities, etc.
Corporate-owned social media accounts that are managed by an employee should be reassigned while they are still on staff, and their access removed before their departure. This reduces the reputational risk to your company. There may be other websites, such as administrative portals for platforms or security tools, that need to be evaluated in the course of removing the employee’s access. Remove access to the video conferencing solutions in use (Zoom, WebEx, Teams, Google Meet, etc.). Notify third parties that the employee is no longer with the company. This might include data centers, cloud providers, managed third-party services, technical support companies, legal teams, etc.
All the assets have been collected (laptops, keys, phones, tablets, drives, badges, etc.), the separating employee has been provided a copy of the NDA (non-disclosure agreement) they signed at hire, and their access has been removed. You’ve completed part of the offboarding process. Now it’s time to verify you have not created or suffered a compliance issue.
User and Entity Behavior Analytics (UEBA)
Depending on the situation, it may be advantageous to perform a UEBA (user and entity behavior analytics) review covering the last few months. This type of review looks at the user’s past behavior (what data did they access, was all data returned, was data copied, etc.) and determines whether sensitive data was handled properly. It should include a review of all accounts the employee created in the last few months, on internal systems and on third-party platforms, to determine if a backdoor was established, and a check for any activity on the employee’s identities after the termination time, which indicates access that was not fully removed. A threat hunt should also be conducted to determine if any malware or persistence mechanism was left behind.
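The review described above can be scripted against a SIEM export. The following is an added example, not code from the original post or from GuidePoint: it runs three simple detections over a constructed audit log for a separating employee: days with bulk downloads in the review window, accounts the employee created (a possible backdoor), and any activity after the termination time (access that was not fully removed). The log format, usernames, systems, and thresholds are all hypothetical; a real UEBA product would compare the user against a learned baseline rather than a fixed byte count.

```python
"""Departure review over a constructed audit log (added example, not from the original post)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log in a hypothetical "key=value" format.
# Real SIEM exports will differ; only the parsing below needs to change.
SAMPLE_LOG = """\
2023-11-01T10:00:00 user=jdoe action=create_account system=jira object=svc-old bytes=0
2024-03-01T09:12:00 user=jdoe action=login system=sso object=- bytes=0
2024-03-01T09:30:00 user=jdoe action=download system=crm object=customer_list.csv bytes=18000000
2024-03-01T09:31:00 user=jdoe action=download system=crm object=pricing.xlsx bytes=3500000
2024-03-02T14:02:00 user=jdoe action=create_account system=vendor-portal object=svc-reporting bytes=0
2024-03-10T11:00:00 user=asmith action=download system=hr object=handbook.pdf bytes=400000
2024-03-14T16:45:00 user=jdoe action=login system=vpn object=- bytes=0
2024-03-14T16:50:00 user=jdoe action=download system=eng object=repo-export.tar.gz bytes=250000000
2024-03-15T08:05:00 user=jdoe action=login system=vendor-portal object=- bytes=0
2024-03-15T08:06:00 user=jdoe action=download system=vendor-portal object=report.csv bytes=120000
"""

# Hypothetical termination time: the moment SSO was disabled for the user.
TERMINATION_AT = datetime(2024, 3, 14, 18, 0, 0)


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        ev["bytes"] = int(ev.get("bytes", 0))
        events.append(ev)
    return events


def review_departure(events, user, termination_at, window_days=90,
                     bulk_bytes_per_day=100_000_000, bulk_files_per_day=20):
    """Run the three departure checks for one user over the review window."""
    window_start = termination_at - timedelta(days=window_days)
    mine = [e for e in events if e["user"] == user and e["ts"] >= window_start]

    per_day = defaultdict(lambda: {"bytes": 0, "files": 0})
    accounts_created = []
    post_termination = []

    for e in mine:
        if e["ts"] > termination_at:
            # Any activity after the SSO disable means some access survived.
            post_termination.append(e)
            continue
        if e["action"] == "download":
            day = per_day[e["ts"].date()]
            day["bytes"] += e["bytes"]
            day["files"] += 1
        elif e["action"] == "create_account":
            # Accounts the user created may be a backdoor; each needs review.
            accounts_created.append(f'{e["system"]}/{e["object"]}')

    bulk_days = sorted(
        d.isoformat() for d, stats in per_day.items()
        if stats["bytes"] >= bulk_bytes_per_day or stats["files"] >= bulk_files_per_day
    )
    return {
        "user": user,
        "window_start": window_start.isoformat(),
        "bulk_download_days": bulk_days,
        "accounts_created": accounts_created,
        "post_termination_systems": sorted({e["system"] for e in post_termination}),
        "post_termination_events": len(post_termination),
    }


if __name__ == "__main__":
    report = review_departure(parse_log(SAMPLE_LOG), "jdoe", TERMINATION_AT)
    print(json.dumps(report, indent=2))
```

On the constructed log, the review flags 2024-03-14 for a 250 MB export, the `svc-reporting` account created on the vendor portal (the older `jira` account falls outside the 90-day window and is not reported), and two events on `vendor-portal` after the termination time, which tells the administrator exactly which non-SSO system still needs its access pulled.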
In most cases, it’s a best practice to image the user’s endpoint drive and retain it for future forensic investigations. Record a cryptographic hash of the image and document who handled it, so the chain of custody holds up if the image is later needed as evidence. Forensic investigations are often needed if trade secrets or customer lists turn up at the former employee’s new employer.
It will be necessary to identify which compliance tasks, if any, were assigned to the separating employee. Ensure these tasks are assigned to either another internal resource or a short-term third party. Being short-staffed is hard on the remaining staff and controls can slip.
There are many areas to consider when securely offboarding an employee from your network. An offboarding checklist is the best approach. Offboarding may occur over several days and each task should be documented with the date and time of completion (rather than one completion date and time for the entire checklist).
It’s necessary to treat every valued employee respectfully in hopes they will return to your company again in the future. While the “Great Resignation” continues, it is necessary to watch for both security and compliance offboarding problems and react accordingly.
Carla Brinker
Principal Cybersecurity Consultant,
GuidePoint Security
Carla Brinker, Principal Cybersecurity Consultant at GuidePoint Security, began her career in the security industry in 2000. Her professional experience includes PCI assessments ranging from Fortune 25 companies to small companies, risk assessments, IT governance, oversight of new controls implementation, technical writing, and security education. She has both led and participated in assessments for industries such as banking, retail, ecommerce, and hospitality and has managed teams of consultants delivering information security services. Carla holds several industry certifications, including Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), and PCI Qualified Security Assessor (PCI QSA).