CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide. Gibson Darril
Online reading, page 26.

fraud, or negligence on the part of the original employee.

Employment Termination Processes

      When an employee must be terminated, numerous issues must be addressed. A strong relationship between the security department and HR is essential to maintain control and minimize risks during termination. An employee termination process or procedure policy is essential to maintaining a secure environment when a disgruntled employee must be removed from the organization. The reactions of terminated employees can range from calm, understanding acceptance to violent, destructive rage. A sensible procedure for handling terminations must be designed and implemented to reduce incidents.

The termination of an employee should be handled in a private and respectful manner. However, this does not mean that precautions should not be taken. Terminations should take place with at least one witness, preferably a higher-level manager and/or a security guard. Once the employee has been informed of their release, they should be escorted off the premises and not allowed to return to their work area without an escort for any reason. Before the employee is released, all organization-specific identification, access, or security badges as well as cards, keys, and access tokens should be collected (Figure 2.3). Generally, the best time to terminate an employee is at the end of their shift midweek. An early-to-midweek termination provides the ex-employee with time to file for unemployment and/or start looking for new employment before the weekend. Also, end-of-shift terminations allow the worker to leave with other employees in a more natural departure, thus reducing stress.

Figure 2.3 Ex-employees must return all company property.

      When possible, an exit interview should be performed. However, this typically depends on the mental state of the employee upon release and numerous other factors. If an exit interview is unfeasible immediately upon termination, it should be conducted as soon as possible. The primary purpose of the exit interview is to review the liabilities and restrictions placed on the former employee based on the employment agreement, nondisclosure agreement, and any other security-related documentation.

      The following list includes some other issues that should be handled as soon as possible:

      ■ Make sure the employee returns any organizational equipment or supplies from their vehicle or home.

      ■ Remove or disable the employee’s network user account.

      ■ Notify human resources to issue a final paycheck, pay any unused vacation time, and terminate benefit coverage.

      ■ Arrange for a member of the security department to accompany the released employee while they gather their personal belongings from the work area.

      ■ Inform all security personnel and anyone else who watches or monitors any entrance point to ensure that the ex-employee does not attempt to reenter the building without an escort.

      In most cases, you should disable or remove an employee’s system access at the same time or just before they are notified of being terminated. This is especially true if that employee is capable of accessing confidential data or has the expertise or access to alter or damage data or services. Failing to restrict released employees’ activities can leave your organization open to a wide range of vulnerabilities, including theft and destruction of both physical property and logical data.

       Firing: Not Just a Pink Slip Anymore

      Firing an employee has become a complex process. Gone are the days of firing merely by placing a pink slip in an employee’s mail slot. In most IT-centric organizations, termination can create a situation in which the employee could cause harm, putting the organization at risk. That’s why you need a well-designed exit interview process.

      However, just having the process isn’t enough. It has to be followed correctly every time. Unfortunately, this doesn’t always happen. You might have heard of some fiasco caused by a botched termination procedure. Common examples include performing any of the following before the employee is officially informed of their termination (thus giving the employee prior warning of their termination):

      ■ The IT department requesting the return of a notebook computer

      ■ Disabling a network account

      ■ Blocking a person’s PIN or smartcard for building entrance

      ■ Revoking a parking pass

      ■ Distributing a company reorganization chart

      ■ Positioning a new employee in the cubicle

      ■ Allowing layoff information to be leaked to the media

      It should go without saying that in order for the exit interview and safe termination processes to function properly, they must be implemented in the correct order and at the correct time (that is, at the start of the exit interview), as in the following example:

      ■ Inform the person that they are relieved of their job.

      ■ Request the return of all access badges, keys, and company equipment.

      ■ Disable the person’s electronic access to all aspects of the organization.

      ■ Remind the person about the NDA obligations.

      ■ Escort the person off the premises.

Vendor, Consultant, and Contractor Controls

      Vendor, consultant, and contractor controls are used to define the levels of performance, expectation, compensation, and consequences for entities, persons, or organizations that are external to the primary organization. Often these controls are defined in a document or policy known as a service-level agreement (SLA).

      Using SLAs is an increasingly popular way to ensure that organizations providing services to internal and/or external customers maintain an appropriate level of service agreed on by both the service provider and the vendor. It’s a wise move to put SLAs in place for any data circuits, applications, information processing systems, databases, or other critical components that are vital to your organization’s continued viability. SLAs are important when using any type of third-party service provider, which would include cloud services. The following issues are commonly addressed in SLAs:

      ■ System uptime (as a percentage of overall operating time)

      ■ Maximum consecutive downtime (in seconds/minutes/and so on)

      ■ Peak load

      ■ Average load

      ■ Responsibility for diagnostics

      ■ Failover time (if redundancy is in place)

      SLAs also commonly include financial and other contractual remedies that kick in if the agreement is not maintained. For example, if a critical circuit is down for more than 15 minutes, the service provider might agree to waive all charges on that circuit for one week.
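To make the uptime, maximum-consecutive-downtime and remedy terms concrete, here is an added example (not from the study guide) that evaluates a constructed outage log against SLA terms for one reporting period. It merges overlapping outage tickets before measuring, clips outages to the period, and applies the remedy described above: one week of waived charges for each outage longer than 15 minutes. The 99.9% uptime target, the 15-minute consecutive-downtime limit, the per-outage interpretation of the remedy, and all timestamps are assumptions made for the example.

```python
from datetime import datetime, timedelta


def merge_outages(outages):
    """Merge overlapping or touching (start, end) outage intervals."""
    spans = sorted((s, e) for s, e in outages if e > s)
    merged = []
    for s, e in spans:
        if merged and s <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return merged


def evaluate_sla(outages, period_start, period_end, min_uptime_pct,
                 max_consecutive, remedy_threshold=timedelta(minutes=15)):
    """Measure a service against SLA terms for one reporting period.

    Returns uptime percentage, the longest single outage, which terms were
    breached, and how many outages trigger the example remedy (one week of
    waived charges per outage longer than remedy_threshold).
    """
    # Clip merged outages to the reporting period so partial overlaps count correctly.
    clipped = [(max(s, period_start), min(e, period_end))
               for s, e in merge_outages(outages)
               if e > period_start and s < period_end]
    total_down = sum((e - s for s, e in clipped), timedelta())
    longest = max((e - s for s, e in clipped), default=timedelta())
    uptime_pct = 100 * (1 - total_down / (period_end - period_start))

    breaches = []
    if uptime_pct < min_uptime_pct:
        breaches.append(f"uptime {uptime_pct:.4f}% below {min_uptime_pct}%")
    if longest > max_consecutive:
        breaches.append(f"longest outage {longest} exceeds {max_consecutive}")
    waived_weeks = sum(1 for s, e in clipped if e - s > remedy_threshold)

    return {
        "uptime_pct": round(uptime_pct, 4),
        "longest_outage_min": longest.total_seconds() / 60,
        "breaches": breaches,
        "waived_weeks": waived_weeks,
    }


# Constructed outage log for a 31-day reporting period (two tickets overlap).
PERIOD_START = datetime(2024, 5, 1)
PERIOD_END = datetime(2024, 6, 1)
OUTAGES = [
    (datetime(2024, 5, 3, 2, 0), datetime(2024, 5, 3, 2, 10)),       # 10 min
    (datetime(2024, 5, 10, 14, 0), datetime(2024, 5, 10, 14, 20)),   # overlaps next
    (datetime(2024, 5, 10, 14, 15), datetime(2024, 5, 10, 14, 40)),  # merged: 40 min
    (datetime(2024, 5, 20, 9, 0), datetime(2024, 5, 20, 9, 5)),      # 5 min
]


def example_report():
    # Assumed SLA terms: 99.9% uptime, no single outage over 15 minutes.
    return evaluate_sla(OUTAGES, PERIOD_START, PERIOD_END,
                        min_uptime_pct=99.9, max_consecutive=timedelta(minutes=15))


if __name__ == "__main__":
    for key, value in example_report().items():
        print(f"{key}: {value}")
```

With 55 minutes of total downtime in the month the service sits at about 99.877% uptime, so it misses a 99.9% target even though only one incident was long. The merged 40-minute incident also exceeds the consecutive-downtime limit and is the only one that earns the waived week. Measuring both metrics matters: a provider can satisfy an uptime percentage while still failing on maximum consecutive downtime, which is usually what the business actually feels.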

SLAs and vendor, consultant, and contractor controls are an important part of risk reduction and risk avoidance. By clearly defining the expectations and penalties for external parties, everyone involved knows what is expected of them and what the consequences are in the event of a failure to meet those expectations. Although it may be very cost effective to use outside providers for a variety of business functions or services, it does increase potential risk by expanding the potential attack surface and range of vulnerabilities.