Personnel separation procedures address cybersecurity, at least in an ad hoc manner
Context and Guidance: Ensure that personnel who leave do not continue to have access to assets, especially those who have privileged access or access to financial data, PII, or intellectual property. Create procedures to remove, revoke, or disable access to all organisational assets as of the employee’s termination date. Start by identifying all of the employee’s accounts (including any accounts the employee has with third-party providers, such as company accounts with financial institutions), elevated access of any kind, such as admin or NERC-CIP, all devices in the employee’s possession, and all systems, data, and other assets to which the employee has access. Disable all accounts, remove access to all affected assets, remove remote access, and collect the employee’s devices, badge, tokens, hard-copy proprietary documents, company credit cards, etc. Coordinate with HR to establish the timing of events and who is responsible for what. For employees with privileged access or access to sensitive data, you may want to monitor their network activity to watch for any evidence of data exfiltration. For personnel being terminated involuntarily, consider removing, revoking, or disabling all access to assets immediately upon informing the employee of the termination. Escort the employee from the premises immediately after making the announcement. You may also want to examine any systems or computers the employee used for any signs of data exfiltration or compromise.
Related Practices • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: WORKFORCE-1b, WORKFORCE-1d.