Quitting employee has privileged access to critical information
A colleague of mine had some very privileged access to sensitive information, that was kept in remote machines with no internet access whose files could not be copied to local machines.
He quit the company for a new job, and there was a bit of trouble in the transition when he left.
One point that seemed obvious to me, but other people in the company seem not to agree was:
I believe the severing of his accesses should not have been discussed with him.
Part of this was because some of his accesses were made through methods that were not agreed upon (pretty sure he was never authorized to do so). And it may not be clear to everyone that this happened. The area's director was informed and took no action in the past; he claimed now not to have understood the situation before.
But also, I feel like talking to a person on how you cut his privileges is somewhat a lack of professionalism, like telling to his face "I don't trust you, so I'm concerned you might want to do something bad". Or otherwise you may be giving a final chance for the person to collect some collateral: "Hey, just letting you know that tomorrow you won't be able to access that classified info, so steal it now if you forgot to do so before!".
Are there known practices or guidelines for this situation? Is the correct approach to discuss with the person or not?
EDIT:
I've mentioned that he had unauthorized accesses to a shared machine with sensitive info, which was supposed to be accessible only from computers at the company's VPN. I'm not so sure myself how this came to be, but while one authorized connection to the machine was being severed (and the leaving person was the one who set it up), it was found out that there were at least three unauthorized firewall exceptions. It was also seen at some point that he could remotely access the machine from anywhere and copy sensitive files, which should be impossible even for machines in the company. Hence there was at least this malpractice in his record, even if it does not (necessarily) cause a breach of trust. Also, we do have IT people who are generally responsible for this sort of stuff and have their procedures, but this employee was not with the IT team.
professionalism security confidentiality
34
One place let me set up access for my replacement, and discussed how they would be transitioning me out so that I wouldn't be in the middle of working on something when access got shut down. As @thursdaysgeek said, why be offended if you're trusted?
– Richard U
Mar 6 at 21:33
6
I don’t understand. Do you expect that you would still have admin access to your employer's machines if you leave a company? Did the employee expect that? Why? I expect that I would lose access. I would be weirded out if I didn’t and then actively tell them to sever access so that they could not accuse me of wrongdoing later.
– zero298
Mar 6 at 23:58
3
@what unauthorized means of access? Do you mean backdoors? Or did he simply have some privileges he was not officially supposed to have? Was he granted those extra privileges by someone, or did he obtain those by breaking security? What malpractice did he perform while still at the company? Without knowing such facts, I couldn't even begin to answer your main question...
– marcelm
Mar 7 at 12:16
9
@Mefitico, Please edit this information into the question. Currently it is so heavily abstracted as to be effectively unreadable.
– Sean Houlihane
Mar 7 at 13:18
10
I'm having a hard time understanding what your question is. The employee quit. Therefore, the company should and will revoke all access to all of their systems. The employee should be well aware of this. It's how all companies work. Why would you need or want to discuss it with him? Just revoke his access. There should be nothing to discuss—he doesn't work for your company anymore! This is very confusing...
– only_pro
Mar 7 at 16:55
asked Mar 6 at 21:27 – Mefitico
edited Mar 7 at 19:56 – Mefitico
7 Answers
This breaks down to several things.
Yes, discussing something with an employee on the way out is risky, but so is shutting him down without a word.
There are several things that factor in:
- Reason for separation
- Difficulty of transition
- Level of trust
Reason for separation
Is this a voluntary separation, or an involuntary one?
If the person is leaving on good terms, then there's every reason to discuss the transition period, including when access will be shut off. Even if it's involuntary, there's quite a difference between someone leaving due to layoffs and someone being fired. Someone being laid off and not fired for cause may need to transition someone, and if severance is involved, they have quite the incentive to leave on a high note.
The risk in not discussing these things with someone leaving voluntarily or due to a layoff is that you would be showing them disrespect, which then opens you up to sabotage through malicious compliance, and having made an enemy unnecessarily. If you don't trust a person with access to the systems, then send them home with pay for the remainder of their notice period.
If the person is being fired for cause, you want to shut things down the moment he's notified.
Difficulty of transition
A person could be involved in projects where access to critical systems is required for them to wind down/teach a replacement to ramp up to taking over. If this is the case, then you certainly want to discuss termination of access with him. If Joe gave his notice, you'll want to discuss how long it will take for him to transfer his duties to Bob, and how much time it will take. This also goes hand in hand with the "Hit by a bus theory". A friend of mine was let go, they terminated his access, and there was literally no one to handle his work. Oooops. Yes, the people who were responsible were themselves terminated.
Level of trust
This is the big one, and remember, trust is a two-way street. If you trust Bob, and Bob has good intentions, why wouldn't you discuss it with him? Personally, I wouldn't want access a day longer than I needed it, because I wouldn't want to be associated with any difficulties, or want to fix it.
The degree of discussions should be directly proportionate to trust.
If you don't trust him, why even have him in the building? If you do, why make him think he's not trusted? Who knows, you may want to hire Bob back if things change, or you may need to consult him on something in the future. A former employee who was shown trust on the way out might be amenable to taking a few phone calls if questions arise after his departure, one who was shut down without any notice might think, "Well, the heck with them then!"
2
I think you said the same thing as me, only much better.
– thursdaysgeek
Mar 6 at 21:57
48
When I've left places (whether on my terms or theirs) I've always given them all the passwords I had and reminded them to cut my access. The reason is that I never wanted to be accused of whatever might happen after I left.
– NotMe
Mar 6 at 22:09
10
@NotMe: Yes, that's how it should be. One nitpick: You should never (need to) give any passwords - instead, the company should lock your account (for personal accounts), or reset the password (for shared accounts and single-account situations such as device passcodes).
– sleske
Mar 7 at 10:40
11
@sleske I read that as "I knew the password for these Service Accounts, and these protected repositories - you might want to run their next change a bit early", et cetera, not as "Here are all my personal passwords"
– Chronocidal
Mar 7 at 13:03
7
@jean That seems unnecessarily dangerous. If someone does anything with your credentials you'll have a hard time proving that it was someone else and not you. You don't gain anything from doing this, compared to simply telling people to lock your accounts and risk someone abusing your account and claiming it was you.
– Voo
Mar 7 at 18:13
This is a common problem with a common solution. When an employee leaves:
On their last day, their SSO account is disabled.
If the company has any higher security areas not tied to SSO, then the security chief needs to review access and remove the now ex-employee.
The security chief should review access to the above areas at least once a month.
If the parting might become heated (i.e. firing), then also:
1) Call the person into an office, and tell them to leave their computer. In general, there should be 2 employees in this meeting along with the soon to be fired person. If possible, escort this person to a non-secure area.
2) One of the employees should email, call, or text as soon as the person is away from their computer. You can also begin the firing.
3) Follow the steps above.
4) Do not leave the person unattended until all the steps above are complete. If they need a bathroom break, escort them to the bathroom door and wait outside for them.
5) Once you receive the all clear from the security chief + SSO has been disabled, they are allowed to return to their desk, with an escort, and pack personal belongings.
EDIT:
Several commenters have mentioned this seems extreme, which I don't understand at all.
The first 3 steps are (hopefully) what every company does when someone moves on. Ex-employees shouldn't have access to their old work-place once they leave. That's a danger to both the employer and the employee. (What happens if there is a theft?)
The "firing" steps are pretty normal too. Even if it's a layoff, people will get emotional, and some of them may lash out (like live-tweeting the event).
Hopefully, it will only take a few minutes to turn off SSO, and revoke access. It should not be a 30-minute ordeal.
3
I feel this answer can be improved by defining what you mean by "Secret rooms" Also, why a month? It has been my experience in InfoSec that frequency of controls should be commensurate with risk, but maybe I am missing something here
– Anthony
Mar 7 at 2:42
3
@Anthony - not cynicism, experience. I've known too many vindictive people who will try to cause one last problem on their way out the door.
– sevensevens
Mar 7 at 6:14
13
Most efficient way to burn all bridges with your ex-employees.
– RemcoGerlich
Mar 7 at 10:32
1
If I was escorted to a secret room, I imagine that I would need a bathroom break. Do they have secret bathrooms too?
– Mawg
Mar 7 at 14:13
2
@Kevin I worked at companies with <30 people that managed to do something similar quite easily. You should be able to tie almost everything to their AD account and the handful of exceptions should be a well known list.
– Voo
Mar 7 at 18:29
Telling an employee who's on the way out that you'll be terminating their access to company resources should not be considered any kind of insult. It's standard procedure that only employees with a need for access should have them, and he would be more surprised if his access to critical information were maintained after he leaves. It has nothing to do with trust -- he no longer has a need to access that information, so he shouldn't have the ability.
If he currently has the primary responsibility for the data, his input may be helpful in implementing the transition. If he's leaving on good terms, he'd probably want to be involved in this.
1
+1 for emphasizing the need for access, not merely trust in the employee. Least privilege is always a good idea
– Anthony
Mar 7 at 2:43
4
Not only is it not an insult, it's something you should want any big company to do for you when you leave. Having access to sensitive systems is a risk not only to the company but also to the employee: if the company screws up later and has a security breach and don't have the logging required to determine how it happened, any ex-employee with access to the system and some kind of plausible motive is likely to be a suspect in the crime. Removing your access protects you from getting your door kicked in by angry men with guns and uniforms a couple of years down the line.
– Mark Amery
Mar 7 at 13:14
@MarkAmery I would hope that angry men with guns and uniforms would get search and/or arrest warrants by first showing "probable cause" to a judge. Showing that a former employee had access is nowhere near probable cause. It is judicial supervision (not revoking access) that protect one from the police.
– emory
Mar 7 at 20:25
I like to hope that @MarkAmery was exaggerating for emphasis, and he really means that you might get questioned.
– Barmar
Mar 7 at 21:17
If the employee is trustworthy and has given notice, then it is very appropriate to work on a transition plan together, including setting up new accesses for replacements and shutting down access for the employee who is leaving. This can be a valuable part of the hand-off, making sure that the replacement truly does have adequate access. When the employee is leaving for a new job, unless there were issues with them, this is common.
The problem comes when the employee is being fired or is leaving under bad circumstances. The access still needs to be removed, but it is also important to make sure that all the access points are known, both for removal and for the replacement to have. A discussion is usually not the best way. If the business has overlooked that part of their security, and have that single point of failure, then a discussion or hiring someone to help them find the access points are often the only options.
In the US, often those who are laid-off were trusted and professional employees who would be glad to do a standard hand off of access information, but the current standard is that they are treated the same as firings: remove access without their knowledge, as they are being told of their redundancy.
That is why setting up documentation beforehand is always better. It is always better to already know what servers there are and how to connect to them, just in case a key player leaves, for whatever reason.
There are lots of good answers here already, but what I have not seen mentioned is application of trust but verify. You do need to have certain degree of trust in your employees, particularly employees with very privileged access (e.g: An IT employee with domain admin privileges). However, you also need to verify that a particular employee is behaving in an appropriate, secure manner.
As to how to verify, upon the termination of an employee, it is best practice to continuously monitor the account of that terminated employee for any activity, and any such activity discovered should be promptly investigated to determine if malicious activity is taking place. While unlikely to occur, there is still a risk, however slight, that the terminated employee used company computing resources for unauthorized purposes, such as installing a backdoor to retain remote access.
At my employer, I worked with management to implement additional detection mechanisms, and improve the ones the Information Security team is already using, mechanisms such as DLP software, IDS / IPS, and SIEM. Any activity on the accounts of terminated employees triggers an SIEM alert to our team, and such alert is to be treated as a critical priority, to be either remediated or escalated within a certain SLA. Having such procedures means the importance of trust can be somewhat lessened.
The other answers also mention the need to communicate transitioning procedures to whoever will be taking over the role. Assuming the employee is leaving voluntarily, I agree the transition discussion should be held with the departing employee, but not necessarily to discuss the specific termination procedures, unless the departing employee had a need to know such information when employed. Access administration procedures are usually sensitive, and distribution of that information should be based on least privilege. Only individuals with a job need to know such procedures, such as IT Security or HR, should be privy to it. As remote as it may be, excessive details provided to the terminated employee could possibly be exploited for company harm.
On the contrary
It is in his best interest to have a complete handover, including explicit acknowledgement of access rights revoked. This is in no way insulting or a sign of distrust or anything. It's an administrative step and may well be explicitly required by company policies and/or compliance regulations.
Picture this: Three weeks after your friend left, something happens with that sensitive information. Thanks to the explicit handover he received, he is clear. It cannot possibly have been him. No accusations, no assumptions, no investigation.
I have in the past left positions where I had access to highly sensitive information. The company did not have such a procedure. So I stood behind my successor and made him change all passwords on all my accounts.
Are there known practices or guidelines for this situation?
Yes - it's called "Garden leave"; named that way because the company pays the person to sit in their garden.
The employee remains on the payroll for the remainder of their notice period, but is not allowed to start a new role until that period has expired. This hides the lack of trust of an employee with what seems a gracious offer of giving them a modest amount of holiday.
If the employee is unable to do anything productive anyway, then there's no point in having them in the office.
This breaks down to several things.
Yes, discussing something with an employee on the way out is risky, but so is shutting him down without a word.
There are several things that factor in:
- Reason for separation
- Difficulty of transition
- Level of trust
Reason for separation
Is this a voluntary separation, or an involuntary one?
If the person is leaving on good terms, then there's every reason to discuss the transition period, including when access will be shut off. Even if it's involuntary, there's quite a difference between someone leaving due to layoffs and someone being fired. Someone being laid off and not fired for cause may need to transition someone, and if severance is involved, they have quite the incentive to leave on a high note.
The risk in not discussing these things with someone leaving voluntarily or due to a layoff is that you would be showing them disrespect, which then opens you up to sabotage through malicious compliance, and having made an enemy unnecessarily. If you don't trust a person with access to the systems, then send them home with pay for the remainder of their notice period.
If the person is being fired for cause, you want to shut things down the moment he's notified.
Difficulty of transition
A person could be involved in projects where access to critical systems is required for them to wind down/teach a replacement to ramp up to taking over. If this is the case, then you certainly want to discuss termination of access with him. If Joe gave his notice, you'll want to discuss how long it will take for him to transfer his duties to Bob, and how much time it will take. This also goes hand in hand with the "Hit by a bus theory". A friend of mine was let go, they terminated his access, and there was literally no one to handle his work. Oooops. Yes, the people who were responsible were themselves terminated.
Level of trust
This is the big one, and remember, trust is a two-way street. If you trust Bob, and Bob has good intentions, why wouldn't you discuss it with him? Personally, I wouldn't want access a day longer than I needed it, because I wouldn't want to be associated with any difficulties, or want to fix it.
The degree of discussions should be directly proportionate to trust.
If you don't trust him, why even have him in the building? If you do, why make him think he's not trusted? Who knows, you may want to hire Bob back if things change, or you may need to consult him on something in the future. A former employee who was shown trust on the way out might be amenable to taking a few phone calls if questions arise after his departure; one who was shut down without any notice might think, "Well, the heck with them then!"
answered Mar 6 at 21:48
Richard U
2
I think you said the same thing as me, only much better.
– thursdaysgeek
Mar 6 at 21:57
48
When I've left places (whether on my terms or theirs) I've always given them all the passwords I had and reminded them to cut my access. The reason is that I never wanted to be accused of whatever might happen after I left.
– NotMe
Mar 6 at 22:09
10
@NotMe: Yes, that's how it should be. One nitpick: You should never (need to) give any passwords - instead, the company should lock your account (for personal accounts), or reset the password (for shared accounts and single-account situations such as device passcodes).
– sleske
Mar 7 at 10:40
11
@sleske I read that as "I knew the password for these Service Accounts, and these protected repositories - you might want to run their next change a bit early", et cetera, not as "Here are all my personal passwords"
– Chronocidal
Mar 7 at 13:03
7
@jean That seems unnecessarily dangerous. If someone does anything with your credentials you'll have a hard time proving that it was someone else and not you. You don't gain anything from doing this, compared to simply telling people to lock your accounts and risk someone abusing your account and claiming it was you.
– Voo
Mar 7 at 18:13
This is a common problem with a common solution. When an employee leaves:
1) On their last day, their SSO account is disabled.
2) If the company has any higher security areas not tied to SSO, then the security chief needs to review access and remove the now ex-employee.
3) The security chief should review access to the above areas at least once a month.
If the parting might become heated (i.e. firing), then also:
1) Call the person into an office, and tell them to leave their computer. In general, there should be 2 employees in this meeting along with the soon to be fired person. If possible, escort this person to a non-secure area.
2) One of the employees should email, call, or text as soon as the person is away from their computer. You can also begin the firing.
3) Follow the steps above.
4) Do not leave the person unattended until all the steps above are complete. If they need a bathroom break, escort them to the bathroom door and wait outside for them.
5) Once you receive the all clear from the security chief + SSO has been disabled, they are allowed to return to their desk, with an escort, and pack personal belongings.
EDIT:
Several commenters have mentioned this seems extreme, which I don't understand at all.
The first 3 steps are (hopefully) what every company does when someone moves on. Ex-employees shouldn't have access to their old workplace once they leave. That's a danger to both the employer and the employee. (What happens if there is a theft?)
The "firing" steps are pretty normal too. Even if it's a layoff, people will get emotional, and some of them may lash out (like live-tweeting the event).
Hopefully, it will only take a few minutes to turn off SSO, and revoke access. It should not be a 30-minute ordeal.
edited Mar 7 at 20:38
answered Mar 6 at 21:45
sevensevens
3
I feel this answer can be improved by defining what you mean by "Secret rooms". Also, why a month? It has been my experience in InfoSec that frequency of controls should be commensurate with risk, but maybe I am missing something here.
– Anthony
Mar 7 at 2:42
3
@Anthony - not cynicism, experience. I've known too many vindictive people who will try to cause one last problem on their way out the door.
– sevensevens
Mar 7 at 6:14
13
Most efficient way to burn all bridges with your ex-employees.
– RemcoGerlich
Mar 7 at 10:32
1
If I was escorted to a secret room, I imagine that I would need a bathroom break. Do they have secret bathrooms too?
– Mawg
Mar 7 at 14:13
2
@Kevin I worked at companies with <30 people that managed to do something similar quite easily. You should be able to tie almost everything to their AD account, and the handful of exceptions should be a well-known list.
– Voo
Mar 7 at 18:29
Telling an employee who's on the way out that you'll be terminating their access to company resources should not be considered any kind of insult. It's standard procedure that only employees with a need for access should have it, and he would be more surprised if his access to critical information were maintained after he leaves. It has nothing to do with trust -- he no longer has a need to access that information, so he shouldn't have the ability.
If he currently has the primary responsibility for the data, his input may be helpful in implementing the transition. If he's leaving on good terms, he'd probably want to be involved in this.
answered Mar 7 at 0:26
Barmar
1
+1 for emphasizing the need for access, not merely trust in the employee. Least privilege is always a good idea
– Anthony
Mar 7 at 2:43
4
Not only is it not an insult, it's something you should want any big company to do for you when you leave. Having access to sensitive systems is a risk not only to the company but also to the employee: if the company screws up later and has a security breach and doesn't have the logging required to determine how it happened, any ex-employee with access to the system and some kind of plausible motive is likely to be a suspect in the crime. Removing your access protects you from getting your door kicked in by angry men with guns and uniforms a couple of years down the line.
– Mark Amery
Mar 7 at 13:14
@MarkAmery I would hope that angry men with guns and uniforms would get search and/or arrest warrants by first showing "probable cause" to a judge. Showing that a former employee had access is nowhere near probable cause. It is judicial supervision (not revoking access) that protects one from the police.
– emory
Mar 7 at 20:25
I like to hope that @MarkAmery was exaggerating for emphasis, and he really means that you might get questioned.
– Barmar
Mar 7 at 21:17
If the employee is trustworthy and has given notice, then it is very appropriate to work on a transition plan together, including setting up new accesses for replacements and shutting down access for the employee who is leaving. This can be a valuable part of the hand-off, making sure that the replacement truly does have adequate access. When the employee is leaving for a new job, unless there were issues with them, this is common.
The problem comes when the employee is being fired or is leaving under bad circumstances. The access still needs to be removed, but it is also important to make sure that all the access points are known, both for removal and for the replacement to have. A discussion is usually not the best way. If the business has overlooked that part of their security, and has that single point of failure, then a discussion or hiring someone to help them find the access points are often the only options.
In the US, often those who are laid off were trusted and professional employees who would be glad to do a standard hand-off of access information, but the current standard is that they are treated the same as firings: remove access without their knowledge, as they are being told of their redundancy.
That is why setting up documentation beforehand is always better. It is always better to already know what servers there are and how to connect to them, just in case a key player leaves, for whatever reason.
answered Mar 6 at 21:46
thursdaysgeek
There are lots of good answers here already, but what I have not seen mentioned is the application of "trust but verify". You do need to have a certain degree of trust in your employees, particularly employees with very privileged access (e.g., an IT employee with domain admin privileges). However, you also need to verify that a particular employee is behaving in an appropriate, secure manner.
As to how to verify: upon the termination of an employee, it is best practice to continuously monitor the account of that terminated employee for any activity, and any such activity discovered should be promptly investigated to determine if malicious activity is taking place. While unlikely to occur, there is still a risk, however slight, that the terminated employee used company computing resources for unauthorized purposes, such as installing a backdoor to retain remote access.
At my employer, I worked with management to implement additional detection mechanisms, and improve the ones the Information Security team is already using: mechanisms such as DLP software, IDS / IPS, and SIEM. Any activity on the accounts of terminated employees triggers an SIEM alert to our team, and such an alert is to be treated as a critical priority, to be either remediated or escalated within a certain SLA. Having such procedures means the importance of trust can be somewhat lessened.
The other answers also mention the need to communicate transitioning procedures to whoever will be taking over the role. Assuming the employee is leaving voluntarily, I agree the transition discussion should be held with the departing employee, but not necessarily to discuss the specific termination procedures, unless the departing employee had a need to know such information when employed. Access administration procedures are usually sensitive, and distribution of that information should be based on least privilege. Only individuals with a job need to know such procedures, such as IT Security or HR, should be privy to them. As remote as it may be, excessive details provided to the terminated employee could possibly be exploited for company harm.
answered Mar 7 at 3:19
Anthony
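One way to implement the "any activity on a terminated employee's account raises an alert" rule from the answer above, as an added example that is not part of the original post and not any SIEM product's own rule. The log format, roster fields, account names and the 30-minute SLA are constructed assumptions; the linked-identity list reflects the comment above about keeping a well-known list of exceptions to the AD account.

```python
from datetime import datetime, timedelta, timezone

# Constructed offboarding roster (assumption: exported from HR/IAM at termination).
# "linked" holds identities that a plain directory-account disable does not cover.
ROSTER = [
    {
        "account": "jdoe",
        "terminated_at": "2019-03-07T14:00:00Z",
        "linked": ["svc-backup-jdoe", "apikey:ci-deploy-17"],
    },
]

# Constructed log lines in a simple key=value format (not a real product's schema).
SAMPLE_LOG = """\
2019-03-07T13:55:02Z src=ad user=CORP\\jdoe action=login result=success ip=10.0.4.21
2019-03-07T14:06:40Z src=vpn user=JDoe@corp.example action=login result=failure ip=203.0.113.7
2019-03-07T14:09:13Z src=git user=apikey:ci-deploy-17 action=push result=success ip=203.0.113.7
2019-03-07T14:10:00Z src=ad user=asmith action=login result=success ip=10.0.4.30
this line is malformed and must not crash the detector
2019-03-08T02:00:00Z src=cron user=svc-backup-jdoe action=job_start result=success ip=10.0.9.5
"""

ALERT_SLA = timedelta(minutes=30)  # assumed triage deadline; substitute your own SLA


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp of the form 2019-03-07T14:00:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(identity):
    """Reduce DOMAIN\\user and user@domain to a bare lower-case name,
    so alternate spellings of one account cannot slip past the rule."""
    name = identity.strip().lower()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name


def parse_event(line):
    """Return a dict for one log line, or None if the line is malformed."""
    parts = line.split()
    if not parts:
        return None
    try:
        ts = parse_ts(parts[0])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if "user" not in fields:
        return None
    fields["ts"] = ts
    return fields


def build_index(roster):
    """Map every identity tied to a terminated person to (owner, cutoff time)."""
    index = {}
    for person in roster:
        cutoff = parse_ts(person["terminated_at"])
        for ident in [person["account"], *person["linked"]]:
            index[normalize(ident)] = (person["account"], cutoff)
    return index


def detect(log_text, roster):
    """Return (alerts, skipped_line_count) for activity at or after termination."""
    index = build_index(roster)
    alerts, skipped = [], 0
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            skipped += 1  # count unparseable lines: silent drops hide coverage gaps
            continue
        hit = index.get(normalize(event["user"]))
        if hit is None:
            continue
        owner, cutoff = hit
        if event["ts"] < cutoff:
            continue  # activity before the termination time is expected
        alerts.append({
            "owner": owner,
            "identity": event["user"],
            "source": event.get("src", "?"),
            "action": event.get("action", "?"),
            "ts": event["ts"],
            "severity": "critical",  # the answer treats every such alert as critical
            "respond_by": event["ts"] + ALERT_SLA,
            # A successful action means some credential was never revoked.
            "revocation_gap": event.get("result") == "success",
        })
    return alerts, skipped


if __name__ == "__main__":
    found, bad = detect(SAMPLE_LOG, ROSTER)
    for a in found:
        print(a["ts"].isoformat(), a["source"], a["identity"], a["action"],
              "REVOCATION GAP" if a["revocation_gap"] else "blocked attempt")
    print("unparseable lines:", bad)
```

Alerts with `revocation_gap` set point at a credential the offboarding run missed, which is the list to feed back into the revocation checklist.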
On the contrary
It is in his best interest to have a complete handover, including explicit acknowledgement of access rights revoked. This is in no way insulting or a sign of distrust or anything. It's an administrative step and may well be explicitly required by company policies and/or compliance regulations.
Picture this: Three weeks after your friend left, something happens with that sensitive information. Thanks to the explicit handover he received, he is clear. It cannot possibly have been him. No accusations, no assumptions, no investigation.
I have in the past left positions where I had access to highly sensitive information. The company did not have such a procedure. So I stood behind my successor and made him change all passwords on all my accounts.
answered Mar 7 at 12:44
Tom
Are there known practices or guidelines for this situation?
Yes - it's called "Garden leave"; named that way because the company pays the person to sit in their garden.
The employee remains on the pay roll for the remainder of their notice period, but is not allowed to start a new roll until that period has expired. This hides the lack of trust of an employee with what seems a gracious offer of giving them a modest amount of holiday.
If the employee is unable to do anything productive anyway, then there's no point in having them in the office.
answered Mar 8 at 9:47
UKMonkey
34
One place let me set up access for my replacement, and discussed how they would be transitioning me out so that I wouldn't be in the middle of working on something when access got shut down. As @thursdaysgeek said, why be offended if you're trusted?
– Richard U
Mar 6 at 21:33
6
I don’t understand. Do you expect that you would still have admin access to your employer's machines if you leave a company? Did the employee expect that? Why? I expect that I would lose access. I would be weirded out if I didn’t and then actively tell them to sever access so that they could not accuse me of wrongdoing later.
– zero298
Mar 6 at 23:58
3
@what unauthorized means of access? Do you mean backdoors? Or did he simply have some privileges he was not officially supposed to have? Was he granted those extra privileges by someone, or did he obtain those by breaking security? What malpractice did he perform while still at the company? Without knowing such facts, I couldn't even begin to answer your main question...
– marcelm
Mar 7 at 12:16
9
@Mefitico, Please edit this information into the question. Currently it is so heavily abstracted as to be effectively unreadable.
– Sean Houlihane
Mar 7 at 13:18
10
I'm having a hard time understanding what your question is. The employee quit. Therefore, the company should and will revoke all access to all of their systems. The employee should be well aware of this. It's how all companies work. Why would you need or want to discuss it with him? Just revoke his access. There should be nothing to discuss—he doesn't work for your company anymore! This is very confusing...
– only_pro
Mar 7 at 16:55