Second, when the employee offboarding request has been processed, the Identity Management Server must log an audit event in the Offboarding Event Audit Server to record that the offboarding event was processed. This event may carry a transaction identifier, or a similar unit-of-work identifier, that can be used to retrieve a detailed description of all the activity performed for that offboarding event.
The employee offboarding event may also need to trigger other IT-related actions. In some cases the employee had privileged access to a particular resource. For example, many employees have local administrator rights on the organization-issued computers they use day to day for e-mail and other business activity, and the person leaving may also have had privileged access to organization servers or other critical components of the IT infrastructure. Revoking the user's own accounts does not address this risk by itself, because privileged access could have been used to create additional accounts or install software that persists after the user is gone. In these cases the offboarding event may need to trigger processes that remove those systems from the organization network until they can be assessed or, at a minimum, scan the systems the privileged user had access to for malware and other signs of malicious activity.
The Identity Management Servers may also need to use the offboarding events to trigger audit procedures. For example, if an employee is being offboarded and their access to a repository of highly sensitive documents is being removed, the offboarding event may need to trigger a process that runs an audit report on the employee's recent access. This audit trail can be reviewed with management and the departing employee so that the employee knows which documents they can or (more likely) cannot take to their next job. While the offboarding event triggers the generation of the report, the underlying audit trail must already have been captured by the access control system: access logging has to be designed in up front, because a history of document access cannot be reconstructed after the fact.
Risk and Compliance Assessment
The processes in Risk and Compliance Assessment are used to demonstrate that the offboarding controls are working effectively and that they are meeting their performance objectives.
The security policy for the employee offboarding control processes defines how quickly the employee offboarding processes must be completed, based on the HR process that triggered the offboarding event and the classification of the IT system.
When the Identity Management Servers log events in the Offboarding Event Audit Server, the time taken to complete each event can be calculated as the difference between the time the HR process logged the initial offboarding event in the offboarding event audit and the time the Identity Management Servers logged completion of the offboarding processing. For this measurement to be meaningful, the clocks of the HR systems, the Identity Management Servers and the Offboarding Event Audit Server must be synchronized (for example, using NTP) and timestamps must be recorded in a common time zone such as UTC.
The Offboarding Event Audit Server must build a database of these records, capturing the type of HR event, the IT system and its classification, and the total time taken to process the event. From these records a dashboard or performance report can be generated to show which performance targets have been met and which have been missed.
Process integrity and compliance records
For each employee offboarding event logged by the HR processes, the Offboarding Event Audit Server can be queried for the corresponding completion events from the Identity Management Servers. Because each audit event includes the UID of the person, the audit events can be tied together into a single logical transaction, provided that the UID is unique and is never reused for another person. An HR offboarding event with no matching completion event identifies an offboarding that has not been fully processed, which is the integrity failure this query is meant to surface.
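The following Python script is an added illustration of the two checks described above (the elapsed-time measurement against the policy limits, and the correlation of HR events with Identity Management completion events by UID); it is not code from the IBM Security Blueprint or from any IBM product. The record layout, field names, the sample audit records and the policy limits are all assumptions made for the example.

```python
"""Offboarding process-integrity and SLA check over audit records.

Added example (not code from the IBM Security Blueprint): correlate the
HR-logged offboarding event with the Identity Management (IDM) completion
events for the same UID, compute the elapsed time per IT system, and
compare it with a policy limit keyed by HR event type and system
classification. Record layout, field names and limits are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Assumed policy: maximum hours allowed to complete offboarding of a
# system, keyed by (HR event type, IT system classification).
POLICY_MAX_HOURS = {
    ("termination", "high"): 1,
    ("termination", "medium"): 24,
    ("resignation", "high"): 24,
    ("resignation", "medium"): 72,
}

# Constructed sample records in the form the Offboarding Event Audit
# Server might hold: one HR event per UID, zero or more IDM completions.
SAMPLE_RECORDS = [
    {"source": "HR", "uid": "u1001", "event": "termination", "ts": "2024-03-04T09:00:00Z"},
    {"source": "IDM", "uid": "u1001", "system": "vpn", "classification": "high",
     "ts": "2024-03-04T09:30:00Z", "txid": "tx-77a1"},
    {"source": "IDM", "uid": "u1001", "system": "email", "classification": "medium",
     "ts": "2024-03-05T11:00:00Z", "txid": "tx-77a2"},
    {"source": "HR", "uid": "u1002", "event": "resignation", "ts": "2024-03-01T17:00:00Z"},
    {"source": "IDM", "uid": "u1002", "system": "docs", "classification": "high",
     "ts": "2024-03-02T16:00:00Z", "txid": "tx-77b1"},
    {"source": "HR", "uid": "u1003", "event": "termination", "ts": "2024-03-06T08:00:00Z"},
    # u1003 has no IDM completion: the offboarding is still open.
]


def parse_ts(value):
    """Parse the UTC timestamp format used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assess(records, policy=POLICY_MAX_HOURS):
    """Return one result per (UID, system) with elapsed hours and SLA status.

    A UID whose HR event has no later IDM completion is reported as
    'incomplete'; that is the integrity failure the audit should surface.
    """
    hr_by_uid = {}
    completions = defaultdict(list)
    for rec in records:
        if rec["source"] == "HR":
            hr_by_uid[rec["uid"]] = rec          # assumes one open HR event per UID
        elif rec["source"] == "IDM":
            completions[rec["uid"]].append(rec)

    results = []
    for uid, hr in hr_by_uid.items():
        started = parse_ts(hr["ts"])
        # Only completions logged after the HR event count; earlier IDM
        # activity belongs to some previous unit of work for this UID.
        done = [c for c in completions[uid] if parse_ts(c["ts"]) >= started]
        if not done:
            results.append({"uid": uid, "hr_event": hr["event"], "system": None,
                            "classification": None, "hours": None, "limit": None,
                            "txid": None, "status": "incomplete"})
            continue
        for c in done:
            hours = (parse_ts(c["ts"]) - started).total_seconds() / 3600
            limit = policy.get((hr["event"], c["classification"]))
            if limit is None:
                status = "no_policy"
            elif hours <= limit:
                status = "ok"
            else:
                status = "sla_missed"
            results.append({"uid": uid, "hr_event": hr["event"], "system": c["system"],
                            "classification": c["classification"], "hours": hours,
                            "limit": limit, "txid": c.get("txid"), "status": status})
    return results


def summarize(results):
    """Aggregate into the per-(HR event, classification) counts a dashboard shows."""
    summary = defaultdict(lambda: {"events": 0, "met": 0, "missed": 0})
    for r in results:
        if r["status"] in ("ok", "sla_missed"):
            bucket = summary[(r["hr_event"], r["classification"])]
            bucket["events"] += 1
            bucket["met" if r["status"] == "ok" else "missed"] += 1
    return dict(summary)


if __name__ == "__main__":
    findings = assess(SAMPLE_RECORDS)
    for row in findings:
        print(row)
    print(summarize(findings))
```

On the constructed sample, the VPN access for u1001 is revoked within the one-hour limit, the e-mail account for the same user is disabled 26 hours after the HR event and misses the 24-hour limit, u1002 is within policy, and u1003 is reported as incomplete because no completion event exists. A production version would read the records from the audit server's database and would also need to handle a UID with several HR events over time (rehire and later departure), which this example assumes away.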
Using the IBM Security Blueprint to Address Business Risks for Employee Offboarding