CertiGuide to Security+  9  Chapter 5:  Operational/Organizational Security (Domain 5.0; 15%)       9  5.4  Policy and Procedures            9  5.4.1  Security Policy                 9  5.4.1.9  HR (Human Resources) Policy

5.4.1.9  HR (Human Resources) Policy 1 5.4.1.9.2  Hiring

While the web site http://www.cio.com has some great reading on the overall topic termination, in this work we are concerned with your job as an IT person. And it wouldn’t hurt you any to follow the footnote to a specific article⁴³⁸.

Since we are talking about Security+, it would be a reasonable bet to take certain computer security related precautions when someone’s employment is terminated. Going back to the concepts of “need to know” and “least privilege”, once someone is no longer employed by the organization, they no longer require access to internal systems, and are no longer subject to internal policies regarding the use of those systems.

Much of security involves reducing the risks by thinking “What if…?” and taking actions to reduce the probability of that result. In the case of terminations, if the decision originates with the organization rather than the employee, many policies recommend that the employee’s computer access be disabled before the employee is notified⁴³⁹.

The idea is that if the employee no longer has computer access, he or she cannot go back in and steal confidential data, install “logic bombs” to trigger a few weeks from today, etc. There is some debate about this in professional circles, with other experts chiming in to say that if no “cause” is involved (for example, if the termination is due to a financially-motivated layoff rather than an employee misdeed), you can cause more potential harm than good with this policy, by engendering ill will on the part of the terminated employee. Remember, that systems administrator you just RIF’d, who wanted a copy of his current login script, probably knows at least one vulnerability in your network for which vendors have not yet provided a fix. Legally speaking, you’re probably on safer ground locking employees out of the system prior to termination. Practically speaking, we’re not sure that that doesn’t increase, rather than decrease, your actual risk.

5.4.1.9  HR (Human Resources) Policy 1 5.4.1.9.2  Hiring