Firing an employee is not a pleasant task; however, it is a necessary part of running a business. To properly sever ties, the information technology (IT) department should be a required part of this process to help protect sensitive company information from being mishandled or leaked to outsiders.
It is also essential to integrate the IT security process into the company's policies and procedures to help ensure that employee termination controls meet relevant Sarbanes-Oxley requirements. Information security and data retention policies must be company-specific and tailored to the laws under which a company operates.
3 IT Principles for Employee Termination
There are at least 3 broad IT principles that a company should follow when and after terminating an employee:
- Prompt notification of the termination to the IT department. Advance notice of the termination prior to the termination meeting gives the IT department sufficient time to bar access while the meeting is taking place.
- Those to be notified. Every company should have a strictly enforced policy that clearly states those to be notified when someone's employment is ending or has ended. This policy should also mandate that these notifications are to be given immediately so all of the departments involved can take prompt action. An information security contact should be among those who are notified, and this person's responsibilities should entail researching, documenting, and revoking an employee's access to the company's electronically stored proprietary information and its information systems.
- Prudent revocation of access. Once notified, IT is responsible for immediate revocation of access and preserving any records that the company might need now or in the future.
A former employee who still has access to a company's network and proprietary corporate data is a security threat.
Employee Termination Process
The employee termination process should focus on severing all ties between the employee and the company. This includes blocking the employee's internal access to all company data. IT should immediately revoke the former employee's computer, network, and data access. Remote access should also be removed, and the former employee should be dispossessed of all company-owned property, including technological resources such as a notebook computer and intellectual property such as corporate files containing customer, sales, and marketing information.
For employees whose end of employment is only imminent, IT should consult with the employee's manager, human resources (HR), and other key decision-makers to determine the appropriate manner in which to stagger the revocation of access over the person's remaining days of employment.
Just as the granting of access and security clearances should be documented for future reference, the revocation of access should also be documented, especially for legal purposes. The goal, of course, should always be to revoke access in ways that make good business sense financially, technologically, and legally.
Preemptive Preservation of Data
Every company needs to have data redundancy and retention policies that satisfy its business needs and adhere to applicable laws. Such policies address the backup, restoration, and preservation of corporate data in general.
However, a company should also enact policies that detail when and how IT should go about preserving sensitive or potentially sensitive data, records, logs, and other material that could be of legal significance, should the company and former employee wage a legal battle. This is especially important in the case of a former employee who held a high-level position or left the company under a cloud of suspicion.
Conserving certain technological resources, data, and logs can also protect the company if the former employee or the company decides to pursue litigation.
The adoption and application of these three principles should be the collective work of the company's executive staff, IT and HR departments, and legal counsel that specializes in computer forensics and the laws governing the company's use of computing technology.
The results of this cooperative effort should be greater protection of corporate data as well as better preparedness for litigation regarding corporate data theft, hacking, and other forms of illegal or ill-advised uses of computing technology. Working with IT as a valued partner guarantees that these goals are achieved in the event of employment termination.