Figure 4 shows the IBM security management approach to risk adapted to the employee offboarding scenario.
[Figure 4 residue: the figure places the Foundational Security Management components (Security Policy Management; Identity, Access & Entitlement Management; Data & Information Protection Management; Command and Control Management; Software, System & Service Assurance; IT Service Management; Threat & Vulnerability Management; Physical Asset Management; Risk & Compliance Assessment) in a closed loop for offboarding. Labeled flows in the figure: number of malicious incidents from laid-off employees and their financial impact; knowledge; off-boarding directives and performance goals; entitlement removal control processes; process risk assessment; performance & compliance metrics; directive compliance reports; performance metric reports; performance metrics for off-boarding processes; process completeness and integrity reports.]
Figure 4 Foundational Security Management controls closed loop for employee offboarding
The employee offboarding controls are broken down into processes for each of these components of IT system management and are described in the following sections.
Security Policy Management
In the employee offboarding scenario, the necessary security policy is relatively straightforward because the approach to mitigating the risk is simple to describe. Let us take a closer look at the following details:
Develop an employee offboarding policy.
Classification of IT systems and HR processes.
Develop an employee offboarding policy
Based on known past incidents involving the abuse of IT systems access by employees who have left the organization, the Chief Information Security Officer (CISO) should identify the systems that pose the highest risk for abuse and the HR scenarios that are most likely to incite malicious activity by departing employees.
For the purpose of our discussion, we assume there are two categories of systems with respect to employee offboarding:
High risk systems are those that provide broad access to the IT environment (for example, remote VPN accounts and master authentication directories such as an LDAP directory or Microsoft® Active Directory) and systems that contain highly sensitive information.
Low risk systems include everything else.
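The two-tier classification above only pays off when it is wired into the control loop of Figure 4: entitlement removal for high risk systems must happen faster, and the process completeness and integrity reports must show where it did not. The following script is an added example, not code from the IBM Security Blueprint, that reconciles a terminated-employee feed against an account inventory under that policy. Everything in it is an assumption for illustration: the HR feed and inventory records are constructed, the system types that map to "high risk" (VPN, directory, sensitive-data) follow the text, and the removal deadlines (one hour for high risk, 24 hours for low risk) are invented policy values.

```python
"""Offboarding entitlement-removal reconciliation (added example, not IBM's code).

Assumed inputs, constructed for illustration:
  - an HR feed of terminated employees with a termination timestamp
  - an account inventory from in-scope systems, each system tagged with a type
Assumed policy: high risk accounts must be disabled within 1 hour of
termination, low risk accounts within 24 hours.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Two-tier classification from the text: system types treated as high risk.
HIGH_RISK_SYSTEM_TYPES = {"vpn", "directory", "sensitive-data"}


@dataclass(frozen=True)
class Termination:
    user: str
    terminated_at: datetime


@dataclass(frozen=True)
class Account:
    user: str
    system: str
    system_type: str
    enabled: bool
    disabled_at: Optional[datetime] = None  # when the account was disabled, if known


def risk_class(system_type: str) -> str:
    """High risk: broad-access or highly sensitive systems; low risk: everything else."""
    return "high" if system_type in HIGH_RISK_SYSTEM_TYPES else "low"


def removal_deadline(term: Termination, acct: Account, sla: dict) -> datetime:
    """Latest acceptable disable time for this account under the tiered SLA."""
    return term.terminated_at + sla[risk_class(acct.system_type)]


def findings(terminations, accounts, now, sla):
    """Policy violations for terminated users, high risk systems listed first.

    'open' = account still enabled after its deadline (active exposure).
    'late' = account was disabled, but only after its deadline (integrity finding).
    """
    term_by_user = {t.user: t for t in terminations}
    out = []
    for acct in accounts:
        term = term_by_user.get(acct.user)
        if term is None:
            continue  # still employed: out of scope for offboarding
        deadline = removal_deadline(term, acct, sla)
        if acct.enabled and now > deadline:
            out.append((risk_class(acct.system_type), acct.user, acct.system, "open"))
        elif not acct.enabled and acct.disabled_at is not None and acct.disabled_at > deadline:
            out.append((risk_class(acct.system_type), acct.user, acct.system, "late"))
    return sorted(out, key=lambda f: (f[0] != "high", f[1], f[2]))


def completeness(terminations, accounts, now, sla):
    """Process completeness metric: (accounts disabled on time, accounts already due).

    Accounts whose deadline has not yet passed are excluded; a disabled account
    with no recorded disable time is counted as due but not as on time.
    """
    term_by_user = {t.user: t for t in terminations}
    due = on_time = 0
    for acct in accounts:
        term = term_by_user.get(acct.user)
        if term is None:
            continue
        deadline = removal_deadline(term, acct, sla)
        if deadline > now:
            continue  # SLA clock still running
        due += 1
        if not acct.enabled and acct.disabled_at is not None and acct.disabled_at <= deadline:
            on_time += 1
    return on_time, due


# Assumed policy values (not from the text).
SLA = {"high": timedelta(hours=1), "low": timedelta(hours=24)}
NOW = datetime(2024, 3, 10, 9, 0)

# Constructed sample HR feed and account inventory.
TERMINATIONS = [
    Termination("alice", datetime(2024, 3, 8, 17, 0)),
    Termination("bob", datetime(2024, 3, 10, 8, 30)),
]
ACCOUNTS = [
    Account("alice", "corp-vpn", "vpn", enabled=True),  # never disabled: open, high risk
    Account("alice", "corp-ad", "directory", enabled=False, disabled_at=datetime(2024, 3, 8, 17, 30)),
    Account("alice", "team-wiki", "wiki", enabled=False, disabled_at=datetime(2024, 3, 9, 20, 0)),  # late
    Account("bob", "corp-vpn", "vpn", enabled=True),  # still inside the 1-hour window
    Account("carol", "corp-vpn", "vpn", enabled=True),  # not terminated: ignored
]

if __name__ == "__main__":
    for f in findings(TERMINATIONS, ACCOUNTS, NOW, SLA):
        print("%-4s %-6s %-10s %s" % f)
    print("disabled on time: %d of %d due" % completeness(TERMINATIONS, ACCOUNTS, NOW, SLA))
```

Run as-is, the report lists the still-enabled VPN account first because the high risk tier sorts ahead of the late wiki removal, and the completeness figure (1 of 3 due) is the kind of number that feeds the "performance metrics for off-boarding processes" box in the figure; a real deployment would read the feed and inventory from the HR system and directory exports rather than the constructed lists.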
Using the IBM Security Blueprint to Address Business Risks for Employee Offboarding