Steps to take when technical staff leave

Solution 1:

I'd suggest creating a checklist of things you do when a new sysadmin joins the company (systems you need to add them to, groups their account has to go in, etc) and include both technical and physical things - e.g. physical keys and alarm codes are just as important as SSH keys and passwords.

Ensure you keep this list up to date - easier said than done, I know. But it makes it easier both to process new team members into the company and again to process them out. You can still do this now and get at least some of the benefit of using it to help with the person who is leaving. The reason I mention a checklist is because we all tend to think in our own spheres of comfort and different things might be missed out otherwise, depending on who is processing the leaver. For example: a "building security manager" or an "office manager" is going to be thinking more about door keys than SSH keys and an IT person will be the exact opposite and end up revoking their access to the system while leaving them able to walk into the building at night.

Then just go through their checklist when they leave and use it as a checklist of things to undo / get returned. All your IT team should be enthusiastic about this if they are professional, as having an agreed process like this protects them from unwarranted blame from a former employer just as much as it protects the employer from them.

Don't forget things like access to remote datacentres or physical access to a 3rd party backup data repository.

Solution 2:

I'm surprised no one mentioned that one before but...

If your WiFi network uses WPA or (I hope not) WEP as opposed to tapping in the Radius server, you might want to consider changing that key.

It's a huge door left open: if you're the network admin, there's a pretty good chance you know that key by heart. Imagine how easy it would be to get back on the network from the parking lot or something of that nature.

Solution 3:

Other things that spring to mind:

  • Physical security - take away keys / access tags / vpn tags / laptops
  • Take away phones / blackberries
  • Remove / disable any accounts they have on external services / sites
  • Lock their user account
  • Change any shared passwords they may know (I appreciate you shouldn't have any shared passwords)
  • Disable VPN account
  • Ensure all bugs / tickets / issues etc in any tracking systems are reassigned

Solution 4:

  • Take them off the nagios/paging system
  • Remove their sudo (just in case)
  • Tell the datacentre(s)
  • Disable/revoke any vpn system into the office network
  • Disable any web applications/apache confs/firewalls that have their IP addresses hardcoded in
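The lists in Solutions 3 and 4 are easy to read and easy to get wrong under time pressure, so here is an added example (my code, not from any answer in this thread) that sweeps a copy of a host's config tree for anything still tied to the leaver: an SSH key in an `authorized_keys` file, a sudoers grant, a per-user crontab, a hardcoded workstation IP in a web or firewall config, and any other reference to the username (a Nagios contact, say). The username `jdoe`, key comment `jdoe@workstation` and IP `10.0.5.23` are assumed values, and the sample files are constructed inline so the script runs offline.

```python
# Added example (not from the original thread): a residual-access audit that
# sweeps a copy of a host's config tree for anything still tied to the leaver.
# The username, SSH key comment and workstation IP below are assumed values;
# the sample files are constructed inline so the script runs offline.
import re
import tempfile
from pathlib import Path
from typing import Dict, List

LEAVER = {
    "username": "jdoe",                 # assumed account name of the departing admin
    "key_comment": "jdoe@workstation",  # assumed comment on their SSH public key
    "ip": "10.0.5.23",                  # assumed workstation IP, hardcoded in configs
}

# Constructed sample files, relative to a fake root, standing in for a real host.
SAMPLE_FILES = {
    "home/deploy/.ssh/authorized_keys": (
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne ops@bastion\n"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyTwo jdoe@workstation\n"
    ),
    "etc/sudoers.d/admins": "jdoe ALL=(ALL) NOPASSWD: ALL\nops ALL=(ALL) ALL\n",
    "etc/apache2/sites-enabled/intranet.conf": (
        "<Location /admin>\n    Require ip 10.0.5.23\n</Location>\n"
    ),
    "etc/nagios/objects/contacts.cfg": (
        "define contact {\n    contact_name jdoe\n    alias On-call admin\n}\n"
    ),
    "var/spool/cron/crontabs/jdoe": "0 3 * * * /usr/local/bin/backup.sh\n",
}

CATEGORIES = ("ssh-key", "sudo", "crontab", "hardcoded-ip", "user-reference")


def write_samples(root: Path) -> None:
    """Materialise the constructed sample tree under root."""
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


def audit_residual_access(root: Path, leaver: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {category: ["relative/path:lineno", ...]} for every leftover reference."""
    user = re.escape(leaver["username"])
    user_re = re.compile(rf"\b{user}\b")
    sudo_re = re.compile(rf"^{user}\s")
    ip_re = re.compile(rf"\b{re.escape(leaver['ip'])}\b")
    findings: Dict[str, List[str]] = {c: [] for c in CATEGORIES}

    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        # A per-user crontab is identified by its file name, not its contents.
        if "cron" in rel and path.name == leaver["username"]:
            findings["crontab"].append(rel)
            continue
        for lineno, line in enumerate(path.read_text().splitlines(), 1):
            where = f"{rel}:{lineno}"
            if path.name == "authorized_keys" and leaver["key_comment"] in line:
                findings["ssh-key"].append(where)
            elif "sudoers" in rel and sudo_re.search(line):
                findings["sudo"].append(where)
            elif ip_re.search(line):
                findings["hardcoded-ip"].append(where)
            elif user_re.search(line):
                findings["user-reference"].append(where)
    return findings


def run_demo() -> Dict[str, List[str]]:
    """Build the sample tree in a temp dir, audit it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_samples(root)
        return audit_residual_access(root, LEAVER)


if __name__ == "__main__":
    for category, hits in run_demo().items():
        print(f"{category:14s} {', '.join(hits) or '-'}")
```

Point it at a real tree by calling `audit_residual_access(Path("/"), LEAVER)` with the leaver's real details, and treat every non-empty category as a line on the offboarding checklist to tick off. Matching on the key comment is only a convenience; a leaver who uploaded a key without a comment will slip past it, so compare fingerprints against their known keys when you have them.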

Solution 5:

If a sysadmin leaves the company, we change all passwords for users (instead of the monthly password change). We have LDAP and RADIUS, so it isn't very difficult. Then we look at the systems he was working on, as well as files that were created by/modified by him. If there is important data on his workstation, we clean or archive it.

We have access audit for all services that have users. If there is some unknown user using the service, we block him, at least until identification is passed.

Other systems will be cleaned in a week; most are for developing purposes and have no valuable information, and they're regularly cleaned by reinstallation.
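The access audit in Solution 5 boils down to two comparisons: which accounts exist that nobody on the roster owns, and who has actually been logging in that the roster does not know about. Here is an added example (my code, not from the answer above) that does both over constructed data: a passwd-style export, an HR roster, an allowlist of service accounts, and a few sshd log lines. The roster names, UIDs, addresses and log lines are all made up, and the 1000 cut-off for human UIDs is the usual Debian/RHEL convention, assumed here.

```python
# Added example (not from the original answer): reconcile the accounts on a
# service against the HR roster, and flag logins by anyone not on it.
# Roster, passwd-style export and auth log lines are all constructed.
import re
from typing import List, Set, Tuple

ROSTER = {"alice", "bob", "ops"}       # constructed HR list of current staff
SERVICE_ACCOUNTS = {"svc-backup"}      # constructed allowlist of non-human accounts
FIRST_HUMAN_UID = 1000                 # assumed convention; system accounts sit below

PASSWD_EXPORT = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
jdoe:x:1002:1002:Former admin:/home/jdoe:/bin/bash
svc-backup:x:1003:1003:Backup job:/var/lib/backup:/usr/sbin/nologin
mystery:x:1004:1004::/home/mystery:/bin/bash
"""

AUTH_LOG = """\
Mar  3 02:14:01 bastion sshd[4011]: Accepted publickey for alice from 10.0.1.7 port 50122 ssh2
Mar  3 02:40:55 bastion sshd[4093]: Accepted publickey for jdoe from 192.0.2.44 port 50201 ssh2
Mar  3 03:02:10 bastion sshd[4120]: Failed password for mystery from 198.51.100.9 port 41000 ssh2
Mar  3 03:05:33 bastion sshd[4131]: Accepted password for mystery from 198.51.100.9 port 41002 ssh2
"""

# Matches successful sshd logins only; failures are noise for this check.
LOGIN_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")


def unknown_accounts(passwd_text: str, roster: Set[str], service_accounts: Set[str]) -> List[str]:
    """Human-range accounts that neither HR nor the service-account allowlist vouches for."""
    allowed = roster | service_accounts
    unknown = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        name, uid = fields[0], int(fields[2])
        if uid >= FIRST_HUMAN_UID and name not in allowed:
            unknown.append(name)
    return unknown


def logins_by_unknown(auth_log: str, roster: Set[str], service_accounts: Set[str]) -> List[Tuple[str, str]]:
    """(user, source ip) for every successful login by an account not on the roster."""
    allowed = roster | service_accounts
    hits = []
    for line in auth_log.splitlines():
        m = LOGIN_RE.search(line)
        if m and m["user"] not in allowed:
            hits.append((m["user"], m["ip"]))
    return hits


def block_commands(accounts: List[str]) -> List[str]:
    """Commands to lock the password and expire the account pending identification."""
    cmds = []
    for name in accounts:
        cmds.append(f"usermod --lock {name}")
        cmds.append(f"chage --expiredate 0 {name}")
    return cmds


if __name__ == "__main__":
    stale = unknown_accounts(PASSWD_EXPORT, ROSTER, SERVICE_ACCOUNTS)
    print("accounts nobody vouches for:", stale)
    print("logins by unknown accounts:", logins_by_unknown(AUTH_LOG, ROSTER, SERVICE_ACCOUNTS))
    print("\n".join(block_commands(stale)))
```

Blocking rather than deleting is deliberate: a locked, expired account keeps its files and log history intact for the identification step, and is trivial to reopen if the owner turns out to be legitimate. Feed the same two functions the LDAP or RADIUS user list instead of a passwd file and the check covers the central directory as well as each host.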