Network World - The vast majority of employees who leave a company are honest, upstanding corporate citizens. But you never know when someone might leave on bad terms and then attempt to hack back into your corporate systems.
Protecting company assets from former employees is more difficult in today’s world where corporate data can live in so many places, from the cloud to the employee’s BYOD smartphone.
Here are steps to protect corporate data from former employees.
According to Joe DiVito in PricewaterhouseCoopers’ risk assurance practice, de-provisioning should be the first step in protecting data.
"Many organizations wrestle with de-provisioning. They may do well at the network level, but the application level can be left open. The administration of application-level access is often decentralized and resident with application owners or business units," says DiVito.
He adds that companies need processes in place that provide notice of terminations to all application owners. DiVito cautions that de-provisioning can be tricky, especially when access administration and associated controls are split between a central IT function and the data owner.
"There is a level of control risk associated with the design and operation of user provisioning controls. The organization needs to have an accurate accounting of the access assigned to an employee. Determine who owns the authorization and ongoing access to that data and ensure that you communicate amongst the parties when access needs to be modified or revoked. Oftentimes the solution to managing that risk requires nothing more sophisticated than improved communication," he says.
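The gap DiVito describes, where the central directory account is disabled but application-level accounts stay open, can be checked by reconciling the HR termination list against each application's account export. The following is an added example, not code from the article or from any company it mentions; the system names, owner addresses, usernames and dates are constructed sample data.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data: HR termination feed (username -> last day).
HR_TERMINATIONS = {
    "jdoe": date(2024, 3, 1),
    "asmith": date(2024, 3, 15),
    "cwu": date(2024, 4, 1),   # departure announced but not yet effective
}

# Constructed per-system exports: (system, owner contact, username, enabled)
ACCOUNT_EXPORTS = [
    ("directory", "it-central@example.com", "jdoe", False),
    ("directory", "it-central@example.com", "asmith", False),
    ("erp", "finance-apps@example.com", "JDoe", True),            # case differs
    ("doc-vault", "engineering-apps@example.com", "asmith ", True),  # stray space
    ("doc-vault", "engineering-apps@example.com", "bnguyen", True),  # current staff
    ("doc-vault", "engineering-apps@example.com", "cwu", True),
    ("wiki", "comms@example.com", "jdoe", False),
]

def normalize(username):
    """Application exports rarely agree on case or whitespace."""
    return username.strip().lower()

def find_orphaned_access(terminations, exports, as_of):
    """Map each application owner to the accounts that are still enabled
    for people whose termination date has passed."""
    findings = defaultdict(list)
    for system, owner, username, enabled in exports:
        user = normalize(username)
        terminated_on = terminations.get(user)
        if enabled and terminated_on is not None and terminated_on <= as_of:
            findings[owner].append((system, user, (as_of - terminated_on).days))
    return {owner: sorted(rows) for owner, rows in findings.items()}

def build_notices(findings):
    """One line per owner, so the notice reaches whoever controls the access."""
    return [
        f"{owner}: disable " + ", ".join(
            f"{user} on {system} ({days}d past termination)"
            for system, user, days in rows)
        for owner, rows in sorted(findings.items())
    ]

if __name__ == "__main__":
    result = find_orphaned_access(HR_TERMINATIONS, ACCOUNT_EXPORTS, date(2024, 3, 20))
    print("\n".join(build_notices(result)))
```

Grouping findings by application owner reflects the decentralized administration described above: the notice goes to the party who can actually revoke the access.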
At Steelcase, the office furniture company, a custom Microsoft .NET tool handles the task of de-provisioning. And IT is tightly coordinated with HR.
According to Steelcase CIO Bob Krestakos, “The .NET tool uses as many standard APIs as possible to reach various systems and disable or remove user accounts. For example, email accounts can be suspended or removed, access to our Active Directory can be removed, SharePoint access is removed via this application. Access to internal social media and product development systems is managed this way, too.” The .NET tool also eliminates SAP IDs, as well as the PTC product data vault in product development, he adds.
The application also automatically sends email notifications to the user accounts manager, creating an audit trail, he says.
"The .NET tools make it easy in a large IT environment to turn off access to all systems. It automates quite a few steps," says Krestakos. He adds that the whole process is triggered by the HR department.
"When someone is leaving or resigns, especially if they're in data-sensitive departments like corporate strategy or product development, we might start the de-provisioning process before they leave. In other cases, we let the manager of their department know, and we leave the accounts in place until he or she says it's OK to shut them off," says Krestakos.