When an employee leaves an organisation, voluntarily or not, it’s not uncommon for the organisation to forget to remove their access to systems and accounts. In fact, recent research has found that only 24% of companies follow strict post-employment processes to ensure that employees no longer have access to company-sensitive information once they have left.
An ex-employee with access to corporate information can be very dangerous.
If, for example, someone in sales decides another organisation can offer them a better deal, it’s important that you do your best to ensure they don’t take their clients with them.
If a member of the IT team is dismissed, then there’s the risk that they log into your systems in the future and move a few things around, or, worse, delete everything.
If someone in marketing leaves but access to social media accounts remains the same, then damaging updates could be sent out.
None of these examples are new; they’ve happened countless times.
Whose responsibility is it to remove access?
Depending on what needs to be removed or changed, the responsibility will lie with several people. In most cases the majority of the responsibility will sit with HR. I struggle to see a scenario where HR wouldn’t be aware of an employee leaving, but it’s not uncommon for someone to leave and for IT to have no knowledge of it.
HR should be responsible for making those who need to know aware of an employee’s departure, and then the user termination process needs to kick in.
It’s no good just saying that a certain person or business area is responsible, though: you need to have a process in place that will ensure that those who need to know about a departure are informed and are able to do what’s needed.
ISO 27001, the best-practice specification for an information security management system, looks at user termination, and covers the return of assets and the removal of access rights.
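As an added example (not part of the original post), here is a reconciliation check that compares an HR leavers feed against an identity-directory export, so that accounts still enabled after a departure, or with no HR owner at all, are flagged for review even when nobody told IT. The record layouts, field names and sample records are constructed assumptions, not any particular HR or directory product’s format.

```python
from datetime import date

# Constructed sample HR feed: everyone HR has on the books, with a
# termination date once they have left (None while still employed).
HR_RECORDS = [
    {"employee_id": "E100", "name": "Alice Sales", "terminated": None},
    {"employee_id": "E101", "name": "Bob IT", "terminated": date(2024, 3, 1)},
    {"employee_id": "E102", "name": "Carol Marketing", "terminated": date(2024, 4, 15)},
]

# Constructed sample identity-directory export: what IT actually has enabled.
DIRECTORY_ACCOUNTS = [
    {"username": "alice", "employee_id": "E100", "enabled": True, "last_login": date(2024, 5, 2)},
    {"username": "bob", "employee_id": "E101", "enabled": True, "last_login": date(2024, 3, 20)},
    {"username": "carol", "employee_id": "E102", "enabled": False, "last_login": date(2024, 4, 10)},
    {"username": "svc-backup", "employee_id": None, "enabled": True, "last_login": date(2024, 5, 1)},
]


def reconcile(hr_records, accounts, today):
    """Return enabled accounts that need review: those owned by a terminated
    employee (reason 'post_termination_login' if the account was used after
    the leaving date, else 'still_enabled') and those with no HR owner."""
    terminated = {r["employee_id"]: r["terminated"] for r in hr_records if r["terminated"]}
    known_ids = {r["employee_id"] for r in hr_records}
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled: the termination process worked
        eid = acct["employee_id"]
        if eid in terminated:
            left = terminated[eid]
            used_after = acct["last_login"] is not None and acct["last_login"] > left
            findings.append({"username": acct["username"],
                             "reason": "post_termination_login" if used_after else "still_enabled",
                             "days_since_leaving": (today - left).days})
        elif eid not in known_ids:
            # Orphaned or service account with nobody accountable for it.
            findings.append({"username": acct["username"], "reason": "no_hr_owner",
                             "days_since_leaving": None})
    return findings


def run_sample():
    """Run the check over the constructed sample data as of a fixed date."""
    return reconcile(HR_RECORDS, DIRECTORY_ACCOUNTS, date(2024, 5, 10))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

In practice the same logic runs on a schedule against the live HR system and directory, and a non-empty result is itself the signal that the termination process has not kicked in.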