The control area (A.8.3) dealing with termination or change of employment has three important controls. In many organizations, experience suggests that the administration of employment termination is, in information security terms, often sloppy; as a result, organizations create new vulnerabilities that need to be assessed. The control objective of this chapter is to ensure that termination of employment (or a change in job role) is carried out in an ordered, controlled and systematic manner, with the return of all equipment and the removal of all access rights.
Control A.8.3.1 deals with termination responsibilities and simply requires the organization to document clearly who is responsible for performing terminations and what these responsibilities are. These responsibilities should clearly include dealing with the ongoing clauses in the contract of employment (confidentiality, return of property and the like). Usually, the HR department will be responsible for ensuring that all the termination aspects of an employment contract have been dealt with (usually in conjunction with the ex-employee’s line manager), and these may be standard items in a termination interview, which is carried out in a standard way, using a standard checklist.
The termination of contractors and third parties also needs to be dealt with; the organization simply needs to determine how it will achieve, with these personnel, the same clarity as it seeks with ex-employees, and who (the agency or the third-party organization) will be responsible for performing the task.
Control A.8.3.2 requires all employees, third parties and contractors to return all organizational assets upon termination. Beyond financial assets (eg credit cards and purchase orders) and HR/fixed assets (eg motor cars), the assets of concern here fall into four categories: software, hardware, information and knowledge. Subject to local employment law, the contract of employment should have a clause that allows the employer to withhold any outstanding payments of any description until all organizational assets are proven to have been returned and, after a suitable interval, to deduct from any such outstanding amounts the cost of replacing assets that have not been returned. Of course, this will tend to push the majority of resignations to the day immediately after monthly or other substantial payments have cleared the employee’s bank account, but such is life.
The first two asset types (software and hardware) are best dealt with procedurally through a centralized recording and authorization process; there should be a record for each employee (maintained by HR or IT) that lists all laptops, PDAs, mobile telephones and other hardware issued to that employee. This list could be linked to the asset inventory discussed in Chapter 8, and the nominated owner should clearly be the person to whom the asset is issued. There should be an acceptable use document for each asset, describing what has been provided (laptops should have a standard, documented ‘kit’; while laptops are often returned, the accessories are often missed), setting out clearly the organization’s expectations for the proper use of the asset and including (for example, for mobile telephones) any expectations about how costs are to be split between employee and organization.
Information – classified documents, whether electronic or paper – should also all be returned. In practice, it is difficult to identify what documentation any individual has removed during the course of employment (unless they were limited-circulation numbered documents), and this control is therefore best met through the termination interview. One standing item on the schedule for this interview should be a question as to whether or not the employee holds any classified information and, whatever the answer, a reminder that any such documents must be returned.
Knowledge – the skills and competence that a terminated employee may have – should be retained in the organization. This is not easy to achieve in practice. In the case of people who have critical knowledge, there should be a risk assessment prior to commencement of any termination action, to identify any knowledge that must be retained and to plan methods of retaining it. Unless this step is taken, one can assume that the knowledge – particularly if it is held by someone who is being unwillingly terminated – will leave the company with the employee. It is not unknown for organizations to delay commencing termination procedures until the employee has successfully transferred their knowledge.
Control A.8.3.3, removal of access rights, is critical, as residual access rights may enable a disgruntled ex-employee to compromise a system; this section should be read in conjunction with Chapter 18. The organization needs a clear documented procedure to ensure that upon termination (and sometimes – subject to risk assessment and local legislation – before termination), an employee’s (or contractor’s or third party’s) access rights are also terminated. Similarly, any change in employment should lead to a review and adjustment of existing access rights, so that entitlements from the old role are not carried into the new one. These access rights include passwords, tokens and other authentication credentials, e-mail and internet user accounts and user names, electronic files, etc, and should be extended to include any identification cards, calling cards and headed notepaper. It may be necessary for ex-employee e-mail accounts to continue in use for a period after termination, and this should be covered by a standard policy that sets out how the e-mail auto-responder should be set up, who should have ownership of the account and how any incoming e-mails should be treated. Whatever the procedure, it should be verified: a periodic reconciliation of the HR leavers and movers list against the accounts that are actually enabled in the directory is the simplest way to catch accounts that the procedure has missed.
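The reconciliation check described for control A.8.3.3 can be scripted. The following is an added example, not taken from the original text or from any standard; the HR feed, the directory snapshot, the role baseline and the field names are constructed for illustration, and a real implementation would read them from the HR system and directory exports. It flags three things: accounts of leavers that are still enabled after the effective termination date, logins recorded after that date (a sign the account was used post-termination), and movers who have kept group memberships outside the baseline for their new role.

```python
"""Reconcile an HR leavers/movers feed against an identity-store snapshot.

Added example for ISO 27001 control A.8.3.3 (removal of access rights).
All data below is constructed; HR_FEED, ACCOUNTS and ROLE_BASELINE are
assumed input shapes, not the format of any real product.
"""
from dataclasses import dataclass
from datetime import date

# Constructed HR feed: one record per leaver ("terminated") or mover ("moved").
HR_FEED = [
    {"user": "asmith", "event": "terminated", "effective": "2024-03-01", "role": None},
    {"user": "bjones", "event": "terminated", "effective": "2024-03-15", "role": None},
    {"user": "cwong", "event": "moved", "effective": "2024-03-10", "role": "finance-analyst"},
    {"user": "dlee", "event": "terminated", "effective": "2024-04-20", "role": None},
]

# Constructed directory snapshot: enabled flag, last interactive login, group memberships.
ACCOUNTS = {
    "asmith": {"enabled": True, "last_login": "2024-03-04", "groups": {"vpn", "finance-db-rw"}},
    "bjones": {"enabled": False, "last_login": "2024-03-14", "groups": {"vpn"}},
    "cwong": {"enabled": True, "last_login": "2024-03-18",
              "groups": {"vpn", "finance-db-rw", "hr-payroll"}},
    "dlee": {"enabled": True, "last_login": "2024-04-01", "groups": {"vpn"}},
    # Service account with no HR record: must not be flagged by this check.
    "svc_backup": {"enabled": True, "last_login": "2024-04-01", "groups": {"backup-admin"}},
}

# Constructed entitlement baseline per job role: what a mover is allowed to keep.
ROLE_BASELINE = {"finance-analyst": {"vpn", "finance-db-rw"}}


@dataclass
class Finding:
    user: str
    kind: str
    detail: str


def reconcile(hr_feed, accounts, role_baseline, as_of):
    """Return findings for leavers/movers whose access was not adjusted by `as_of` (ISO date string)."""
    as_of_date = date.fromisoformat(as_of)
    findings = []
    for rec in hr_feed:
        user = rec["user"]
        acct = accounts.get(user)
        if acct is None:
            continue  # no account exists, so nothing remains to be removed
        effective = date.fromisoformat(rec["effective"])
        if rec["event"] == "terminated":
            if effective > as_of_date:
                # Not yet due; removing access before the date is a separate,
                # risk-assessed decision, so it is not flagged here.
                continue
            if acct["enabled"]:
                findings.append(Finding(user, "account-still-enabled",
                                        f"terminated {effective}, still enabled on {as_of_date}"))
            last_login = date.fromisoformat(acct["last_login"])
            if last_login > effective:
                findings.append(Finding(user, "login-after-termination",
                                        f"last login {last_login} after termination {effective}"))
        elif rec["event"] == "moved":
            baseline = role_baseline.get(rec["role"], set())
            excess = acct["groups"] - baseline
            if excess:
                findings.append(Finding(user, "excess-entitlements-after-move",
                                        f"groups not in baseline for {rec['role']}: "
                                        + ", ".join(sorted(excess))))
    return findings


def summarize(findings):
    """Collapse findings to (user, kind) pairs, in feed order, for reporting or assertions."""
    return [(f.user, f.kind) for f in findings]


if __name__ == "__main__":
    for f in reconcile(HR_FEED, ACCOUNTS, ROLE_BASELINE, "2024-04-05"):
        print(f"{f.user:12} {f.kind:32} {f.detail}")
```

Run against the constructed data as of 2024-04-05, the report shows asmith still enabled and logged in after termination, and cwong carrying an hr-payroll membership into the finance-analyst role; bjones (correctly disabled), dlee (termination not yet due) and the service account produce nothing. Running the same check routinely, rather than once at termination, is what turns a documented procedure into one the organization can show is working.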