Most employees will leave your organization, eventually. The only question is when and how they depart. In some situations, a departing employee is a positive event, such as a long-awaited retirement. However, what about other situations, such as joining a competitor or being laid off when your organization has financial struggles? Those situations present heightened security risks. Suppose an employee is pressured by a new employer to bring confidential data to the new role.
User deprovisioning is one of the best ways to reduce this risk with departing employees. Instead of worrying that an ex-employee may use his or her credentials to steal confidential data, or that those credentials may be compromised by a third party, you can rest easy. In our experience, ex-employees represent a major vulnerability, one that’s relatively easy to mitigate. You just need to follow this checklist each time.
Why You Need a Checklist to Reduce User Access Risk
Checklists are a powerful tool to help prevent mistakes and oversights. In fact, commercial pilots rely upon checklists to ensure safe takeoffs and landings. Atul Gawande, a surgeon, found that using checklists played a major role in reducing errors in surgery. We’re used to thinking of doctors as highly educated experts, yet they’ve found considerable value in relying upon checklists. For more insight into how and why checklists work, we highly recommend his book, “The Checklist Manifesto.”
The 7-Step User Deprovisioning Effectiveness Checklist
Use the following steps as an outline for your checklist. Remove any steps that don’t apply to your organization. Gawande found that shorter checklists tend to produce better results.
- Identify a departing employee two business days in advance
With rare exceptions, most employee departures will be known in advance. Ask that HR and IT set up a confidential process to support the departure.
Checkpoint: Are HR and IT coordinated and ready to support the deprovisioning process?
- List the ex-employee’s access and identity credentials
Create a list of the employee’s access credentials and user accounts. Using Identity Enforcer makes it easy to keep this information all in a single place. If your identity management program is still developing, focus your efforts on the most high-risk user access privileges (e.g., customer databases and finance systems).
Checkpoint: Do you have a list of the employee’s access credentials?
- Request that the manager deactivate the employee’s access on the last day
To reduce the risk of information loss and misuse, timing is critical. We recommend managers of ex-employees set time aside to carry out the user deprovisioning process. If you’ve equipped managers with a solution such as Identity Enforcer, as well as support from HR, this will be an easy process.
Checkpoint: Remind managers to schedule 30 minutes on their calendar on the employee’s last day to carry out user deprovisioning.
- Collect and verify security tokens and keys
In modern access governance, user IDs and passwords are not the whole story. You also need to collect any access tokens, keys, and related assets. Some employees keep their security tokens at home for work-from-home days, so make sure to ask them in advance to bring these items in. Remember to collect physical keys and access cards as well. In the wrong hands, an office key can enable someone to bypass most of your cybersecurity protections.
Checkpoint: Has the manager collected all access tokens and keys from the departing employee?
- Collect and verify company hardware and other assets
Building on the previous step, collect all company-issued equipment from the employee. Typically, this will include a laptop, a phone, and perhaps other devices. Even small devices such as company-issued USB drives may pose a security risk if employees don’t return them.
Checkpoint: Have you collected all of the employee’s company-owned hardware and verified these assets against company inventories?
- Complete third-party verification of the user deprovisioning process
As an added security check, we recommend a third party review the user deprovisioning process. For example, you may ask the identity and access management program manager to review access requests monthly. Additionally, we recommend asking your internal audit department to review the overall identity management program periodically.
Checkpoint: Has a third party reviewed the user deprovisioning process for completeness?
- Review the checklist semi-annually for process improvement opportunities
No checklist is perfect, especially the first time you implement it. After you’ve used the checklist for a month, set time aside to review it and see if it can be optimized further. If a technical professional created the checklist, look for ways to reduce jargon and make it more accessible to business users.
Checkpoint: Do you have a continuous improvement process for your checklist?
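The completeness review in the checklist can be partly automated by reconciling the HR departure list against account exports from each system. The following is an added example, not part of the original article and not Identity Enforcer code; the record layout, system names, and employee IDs are constructed assumptions.

```python
from datetime import date

# Constructed sample data: HR departure list and a per-system account export.
DEPARTURES = {
    "E1001": date(2024, 3, 15),
    "E1002": date(2024, 3, 29),
}
ACCOUNTS = [
    # (system, account, owner_id, enabled, last_login)
    ("finance", "jdoe", "E1001", True, date(2024, 3, 20)),
    ("email", "jdoe@example.com", "E1001", False, date(2024, 3, 15)),
    ("customer_db", "jdoe_ro", "E1001", False, date(2024, 3, 18)),
    ("wiki", "asmith", "E1002", True, date(2024, 3, 10)),
    ("finance", "bkhan", "E2000", True, date(2024, 4, 1)),  # current employee
]
HIGH_RISK = {"customer_db", "finance"}  # the article's examples of high-risk access


def find_residual_access(departures, accounts, as_of):
    """Return findings for departed employees' accounts, high-risk systems first."""
    findings = []
    for system, account, owner, enabled, last_login in accounts:
        last_day = departures.get(owner)
        if last_day is None or as_of <= last_day:
            continue  # not on the departure list, or last day not yet passed
        reasons = []
        if enabled:
            reasons.append("still enabled")
        if last_login and last_login > last_day:
            reasons.append("login after last day")
        if reasons:
            findings.append({
                "system": system, "account": account, "owner": owner,
                "high_risk": system in HIGH_RISK, "reasons": reasons,
            })
    # High-risk systems first, then a stable alphabetical order for the report.
    findings.sort(key=lambda f: (not f["high_risk"], f["system"], f["account"]))
    return findings


if __name__ == "__main__":
    for f in find_residual_access(DEPARTURES, ACCOUNTS, date(2024, 4, 2)):
        flag = "HIGH" if f["high_risk"] else "low "
        print(flag, f["system"], f["account"], f["owner"], "; ".join(f["reasons"]))
```

A login recorded after the last day is reported even when the account has since been disabled, because it shows the deactivation happened late and the activity in that window needs review.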
What Software Solutions Make the Process Easier?
While there’s no magic pill that takes care of identity management for you, there are excellent solutions on the market to make it easier. Here are two solutions we recommend considering.
- Identity Enforcer: Users can self-serve their access requests, which means less administrative burden for your help desk. For added convenience, Identity Enforcer supports mobile devices so you can make changes on the fly.
- Single Sign-On: What if there was a way to simplify access for employees without compromising security? You can achieve that result by using a single sign-on solution.
Put them together and these solutions will do much of the heavy lifting in security administration. You might even be able to get by without hiring more people for your security department.
Discover Other Ways to Improve Your Access Governance
You might not be ready to install a new access governance or identity management solution right now. We understand that, sometimes, more pressing problems come up, such as audits. Read “How to Prepare for an Access Governance Audit” for guidance on how to get through your next audit unscathed. If you’re struggling to win support from the human resources department, read our guide, “Win HR Support for Your User Provisioning Project in 5 Steps.”