The HR processes that originated the offboarding event include a logical unit of work identifier or a transaction identifier, so that the employee offboarding activity can be traced back to the individual who authorized the offboarding activity.
Likewise, because the Identity Management Servers can include a transaction identifier in their completion audit events, it is possible to track down the process and all of the activities that the Identity Management Servers performed in response to the employee-offboarding event.
Command and Control Management
Command and Control processes monitor security incidents and the IT controls to ensure that they are in place and effective at reducing risk.
Control effectiveness assessment process
The performance metric reports will show which parts of the employee offboarding control processes have been working as desired and which have not. If one particular IT system is consistently unable to manage its offboarding activities in the time frame specified by the security policy, the IT organization can either focus on how to improve the performance of that system's offboarding processes, or choose to accept the risk.
Accepting the risk may be an indication that the system in question can be reclassified to a lower risk category or may be an indication that the security policy metrics are too stringent and can be relaxed without significantly increasing the risk.
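The following Python example is added here for illustration and is not part of the original article. It joins HR authorization events to Identity Management Server completion events on the transaction identifier, as described above, and counts per system how often offboarding finished within the policy time frame. The event layout, system names, transaction identifiers and time limits are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (txn id, source, actor or system, timestamp).
# Field layout, names and SLA values are assumptions, not from the article.
EVENTS = [
    ("TX-1001", "hr",  "mgr.alice", "2024-03-01T09:00:00"),
    ("TX-1001", "idm", "email",     "2024-03-01T09:20:00"),
    ("TX-1001", "idm", "vpn",       "2024-03-01T12:00:00"),
    ("TX-1001", "idm", "payroll",   "2024-03-01T17:00:00"),
    ("TX-1002", "hr",  "mgr.bob",   "2024-03-04T10:00:00"),
    ("TX-1002", "idm", "email",     "2024-03-04T10:45:00"),
    ("TX-1002", "idm", "vpn",       "2024-03-04T14:30:00"),
    ("TX-9999", "idm", "email",     "2024-03-05T08:00:00"),  # no HR record
]
# Hypothetical policy: maximum time from HR authorization to completion.
SLA = {"email": timedelta(hours=1), "vpn": timedelta(hours=1),
       "payroll": timedelta(hours=24)}

def trace(events):
    """Group events by transaction id: who authorized, when, and completions."""
    txns = defaultdict(lambda: {"authorized_by": None, "start": None, "done": {}})
    for txn, source, name, ts in events:
        when = datetime.fromisoformat(ts)
        if source == "hr":
            txns[txn]["authorized_by"], txns[txn]["start"] = name, when
        else:
            txns[txn]["done"][name] = when
    return dict(txns)

def assess(events, sla=SLA):
    """Per-system on_time/late/missing counts, plus untraceable transactions."""
    report = {s: {"on_time": 0, "late": 0, "missing": 0} for s in sla}
    orphans = []
    for txn, t in sorted(trace(events).items()):
        if t["start"] is None:  # IdM activity with no authorizing HR event
            orphans.append(txn)
            continue
        for system, limit in sla.items():
            done = t["done"].get(system)
            if done is None:
                report[system]["missing"] += 1
            elif done - t["start"] > limit:
                report[system]["late"] += 1
            else:
                report[system]["on_time"] += 1
    return report, orphans

if __name__ == "__main__":
    report, orphans = assess(EVENTS)
    print(report, "untraceable:", orphans)
```

In this constructed data the VPN system misses its time limit on every transaction, which is the pattern that would prompt either remediation or a documented risk acceptance.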
Outcomes assessment process
An outcomes assessment process can periodically look at the numbers of incidents of data theft and other malicious incidents to determine if the employee offboarding control processes have been effective at reducing the business risks.
Outcomes assessment would also look at the incidents from a root cause analysis perspective to determine if any changes need to be made to the security policy. For example, analysis of the incidents might reveal that some systems formerly classified as low risk need to be classified as high risk.
Introducing a maturity model for employee offboarding controls
Different organizations may require different levels of rigor and oversight in their offboarding processes, based on the level of risk they perceive when employees, contractors, and business partners end their relationship with the company. The maturity levels described below are designed to enable a company to tailor its offboarding processes to its level of risk.
1. Level 1: Reactive
For Level 1 maturity in employee offboarding, the organization is aware of incidents and is collecting documentation about how the incidents are occurring. IT staff and other employees are taking the initiative to close the opportunity window by removing accounts and credentials that they are aware of when an employee leaves. Offboarding policies are handled at the department or organizational unit level and are scoped to the IT systems that are important to that organization.