I’m an 80s girl and couldn’t help the Communards’ hit of ‘86, ‘Don’t leave me this way’, popping into my head whilst I was enjoying a recent article from IT Governance regarding the threats posed by exiting employees.
Silly really, as in many cases it’s not a case of unrequited love; quite the contrary, with an employee and/or company often feeling more than a little disgruntled.
Clearly, disgruntled is one thing and vengeful quite another, so it was interesting to read that a 2014 survey found that 49% of companies in the UK and US have an insider threat programme in place and 37% were planning to implement one in 2015. However, “worryingly, just 24% of IT decision makers are including an exit process for employees leaving the company in their insider threat programmes”.
Worrying indeed but, as IT Governance pointed out, ISO 27001 addresses employee exit well in 7.3.1, ‘Termination or change of employment’, and whether organisations seek ISO 27001 accreditation or not, working to this ‘best practice’ specification will provide a strong base for an information security management system (ISMS).
Note also that 7.3.1 includes ‘change’ of employment as, particularly in large organisations, it’s just as relevant to have a process for employees moving departments or changing roles. Continuing to allow a former marketing employee, who has moved to another department, access to the company’s social media accounts or shared folders could result in the wrong information being shared, even if inadvertently. If an employee no longer has responsibilities within a specific area, it’s simple good housekeeping to remove that access immediately. If nothing else, it saves you a bigger job later.
In a world of outsourcing and external collaborations, the exit framework, as per ISO 27001, should also apply to contractors who have shared remote access to your systems and information.
What should an exit framework cover?
The exit interview
Don’t leave me this way... this is your chance to put it right: an opportunity to “make peace” with disgruntled employees who might otherwise leave with vengeful intentions.
Carried out correctly, exit interviews are a win-win for both the organisation and the leaver. They provide a platform for the transfer of operational knowledge, whilst the leaver gets to articulate their feelings and observations from their employment experience. Positive or not, there is learning to be had from their blunt critique, and their final contribution should be acknowledged as such.
Return of business cards, keys and passes, company credit cards and equipment.
Reviewing what information may or may not be stored on personal devices, and a reminder to the employee about contractual NDAs and confidentiality obligations.
Final payroll and employment documentation and, of course, the crucial cancellation of all system access and passwords.
As the IT Governance blog pointed out, the responsibilities for the various exit procedures could fall to one or more departments, so it’s important your exit framework makes clear who is responsible for what and, of course, when.
This means you need efficient and effective collaboration across departments, especially given the need to act quickly on some more ‘serious’ exits. Telephone tag and complicated email trails simply don’t cut it, but a collaboration environment would be perfect, right?
We used our own ISMS.online cloud software to build our employee exit framework template, reflecting our standard process. That way it prevents duplication, is fast and easy to trigger when needed and prevents us missing out crucial elements of the process. Of course, it has the flexibility to add extra items that are relevant to a particular role or situation, but the basic procedures are fixed and controlled. Each activity/task is assigned to the relevant person in the organisation, with alerts and deadlines sent accordingly. Everyone in the predefined ‘ownership’ group can see what activities have been completed and when and, importantly, no one has visibility of any of the information unless you invite them to the group.
Notes can be added against each activity so, for example, the results of the exit interview can be recorded for future learning and further tasks set if necessary. There is even the option of an approval level for final ‘sign-off’ once it is documented that each activity has been completed.
Automating the employee exit procedure keeps it visible and relevant to the person responsible for each individual part of the process.
So, take control of your exiting employees and contractors and don’t leave it to chance. After all, who wants to be singing “can’t stay alive, can’t survive” following a spiteful security attack?