We also assume there are two basic types of HR offboarding processes:

  • Normal termination of employment

  • Emergency Block

Normal termination of employment processes occur when people retire from the organization or otherwise resign. In these situations, they go through normal HR processes for legal separation from the organization, whether the relationship is an employee/employer relationship, a contractor relationship, a business partner relationship, and so on. The Emergency Block process is used when an urgent personnel matter has caused the organization or a manager to no longer trust an employee pending further investigation, and the employee's access to IT systems must be removed as quickly as possible.

Of course, an organization could have more than two types of system classification or more than two types of HR offboarding processes. For example, the process for offboarding contractors may be significantly different from the process for offboarding employees and may carry with it a much different level of risk.

For each system classification and HR process, a security policy must be developed to address the business risks. The fundamental objective is to eliminate the window of opportunity for employees who have left the organization to engage in malicious activities, so the security policy would be expressed in terms of reducing the window of opportunity to a particular goal. These security policy goals would reflect the particular combination of risk level and HR process and might be expressed in a similar way as shown in Table 1:

The CISO will ensure that access to IT systems by former employees will be removed within the time frames shown in Table 1.

Table 1. Time frames for access removal

Offboarding process              | Low risk systems               | High risk systems
Normal termination of employment | Access removed within 1 week   | Access removed within 48 hours
Emergency Block                  | Access removed within 24 hours | Access removed within 24 hours

Note that a policy addresses delegation of responsibility and goals to be achieved, not necessarily how the policy's goals should be met.

Classification of IT systems and HR processes

Once the risk levels and offboarding processes have been identified, the key IT systems within the organization must be inventoried and classified according to the policy's risk definitions. Each IT system's offboarding process may have unique characteristics that need to be negotiated in a per-system policy.

For example, in some cases offboarding an employee may be a labor-intensive and costly process, and if there is any chance that the employee may be brought back (for example, unblocked from an Emergency Block), it may make sense for the IT system to first suspend the employee's access for a certain amount of time before finalizing the removal of credentials. A policy may then need to be negotiated with that IT system's owner about how long credentials are kept suspended.
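As an added example (not part of the original document), the following Python check turns the Table 1 time frames and the suspend-then-remove arrangement just described into an audit that flags accounts whose access has outlived the policy window. The record fields, the constructed sample data and the per-system suspension grace period are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Access-removal deadlines from Table 1, keyed by (HR process, system risk).
DEADLINES = {
    ("normal", "low"): timedelta(weeks=1),
    ("normal", "high"): timedelta(hours=48),
    ("emergency", "low"): timedelta(hours=24),
    ("emergency", "high"): timedelta(hours=24),
}

def audit_offboarding(records, now, suspend_grace=None):
    """Return (employee, system, finding) for records violating the policy at
    `now`. suspend_grace maps system -> negotiated max suspension time
    (hypothetical per-system term, as discussed in the text)."""
    suspend_grace = suspend_grace or {}
    findings = []
    for r in records:
        deadline = r["terminated"] + DEADLINES[(r["process"], r["risk"])]
        who = (r["employee"], r["system"])
        if r["state"] == "removed":
            continue  # policy goal met, nothing to report
        if r["state"] == "active":
            if now > deadline:
                findings.append(who + ("access still active past deadline",))
        elif r["state"] == "suspended":
            # Suspension blocks access, so it meets the Table 1 window only if
            # it took effect before the deadline ...
            if r["suspended_at"] > deadline:
                findings.append(who + ("suspension applied after deadline",))
            # ... and credentials may stay suspended (not removed) only for the
            # period negotiated with that system's owner.
            grace = suspend_grace.get(r["system"])
            if grace is not None and now > r["suspended_at"] + grace:
                findings.append(who + ("suspension exceeded negotiated grace",))
    return findings

# Constructed sample data: three offboarding records against two systems.
T0 = datetime(2016, 10, 14, 9, 0)
SAMPLE = [
    {"employee": "e1", "system": "hr-portal", "risk": "low", "process": "normal",
     "terminated": T0, "state": "active"},
    {"employee": "e2", "system": "prod-db", "risk": "high", "process": "emergency",
     "terminated": T0, "state": "suspended", "suspended_at": T0 + timedelta(hours=6)},
    {"employee": "e3", "system": "prod-db", "risk": "high", "process": "normal",
     "terminated": T0, "state": "removed"},
]
GRACE = {"prod-db": timedelta(days=3)}  # hypothetical negotiated suspension limit

def run_sample(now=T0 + timedelta(days=8)):
    return audit_offboarding(SAMPLE, now, GRACE)
```

Run eight days after the sample terminations, the check reports the low-risk account that is still active past its one-week window and the suspended high-risk account whose negotiated suspension period has run out, while the removed account is silent.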
