Information security specialists have access to information assets, including sensitive data. How do you ensure that what happens in the company stays in the company, and that former security employees won't take any malicious actions after they wave goodbye?
Information security staff are a company's secret keepers. So the selection of future cyber security specialists falls on the shoulders of experienced HR managers, or even of recruiters who specialize in the information security domain only. Employment termination in this case requires no less attention, to ensure that harmful activities by departing security specialists are detected in time.
Threat after leaving
Once a security employee has left the company, any attempt to log in from their account should be detected and investigated.
One of the functions of SIEM solutions is to monitor the activities of privileged users, including information security staff. For this purpose, SIEM specialists build two reference sets in the system: one is filled with the account names of security department staff; the other with the account names of resigned employees. After that, correlation rules are created. They generate an offence each time the following conditions are met: a user logged into a corporate system, and this user is listed in both reference sets.
A prerequisite for successfully investigating malicious activity by a security department member in the corporate network is to follow the golden rule: no default privileged accounts. There is no way to identify who logged in as "admin" in a particular session.
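The correlation described above, written out as an added example rather than code from the article or from any particular SIEM product: two reference sets, a rule that raises an offence when a login comes from an account present in both, and a second rule that flags logins under shared default accounts because they cannot be attributed to a person. The log format, account names and events are constructed for the example.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample login events (not real logs); format is an assumption:
# "<timestamp> <LOGIN|LOGOUT> user=<account> src=<ip> host=<system>"
SAMPLE_EVENTS = [
    "2024-03-01T08:02:11Z LOGIN user=jdoe src=10.0.0.5 host=vpn-gw",
    "2024-03-01T08:05:42Z LOGIN user=asmith src=10.0.0.9 host=siem-console",
    "2024-03-01T08:07:03Z LOGIN user=admin src=10.0.0.12 host=fw-mgmt",
    "2024-03-01T09:15:27Z LOGIN user=mlee src=203.0.113.7 host=vpn-gw",
    "2024-03-01T09:20:00Z LOGOUT user=mlee src=203.0.113.7 host=vpn-gw",
]

# Reference set 1: accounts of security department staff (hypothetical names)
SECURITY_STAFF = {"asmith", "mlee", "kpatel"}
# Reference set 2: accounts of resigned employees (hypothetical names)
RESIGNED = {"jdoe", "mlee"}
# Shared default privileged accounts that cannot be tied to one person
DEFAULT_ACCOUNTS = {"admin", "administrator", "root"}

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) user=(?P<user>\S+) src=(?P<src>\S+) host=(?P<host>\S+)$"
)


def correlate(events: Iterable[str]) -> List[Dict[str, str]]:
    """Return one offence per login that matches a correlation rule."""
    offences = []
    for line in events:
        m = EVENT_RE.match(line)
        if not m or m["action"] != "LOGIN":
            continue  # malformed line or not a login: nothing to correlate
        user = m["user"]
        rule = None
        # Rule 1 (as in the article): login by an account that is in BOTH reference sets.
        if user in SECURITY_STAFF and user in RESIGNED:
            rule = "resigned-security-staff-login"
        # Rule 2: login under a default account; the session cannot be attributed.
        elif user in DEFAULT_ACCOUNTS:
            rule = "unattributable-default-account-login"
        if rule:
            offences.append({"ts": m["ts"], "user": user, "host": m["host"],
                             "src": m["src"], "rule": rule})
    return offences


if __name__ == "__main__":
    for o in correlate(SAMPLE_EVENTS):
        print(f"{o['ts']} OFFENCE {o['rule']}: {o['user']}@{o['host']} from {o['src']}")
```

On the sample data, the login by "jdoe" raises nothing because that account is resigned but not in the security staff set, which is exactly the scope of the rule the article describes; a broader rule for all resigned accounts would be a separate correlation.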
Don’t disregard standard security measures
Employers should also not forget the measures that are universal for all employees, regardless of department.
It may sound paradoxical, but the dismissal process of a security department member starts at the recruitment stage. Together with the contract, a future employee should sign an acceptable use agreement (AUA). This document reflects the organization's security policy, as it outlines the limits on the use of corporate resources (information, hardware and software).
Get back all the physical items issued by the company
These include mobile devices (cell phones, tablets and laptops) and security tokens (smart cards, proximity cards, biometric keyless entry fobs, badges) that provide physical access to corporate internal and external locations. Pay special attention to physical keys to facilities reserved for the information security department.
Regulate BYOD policy
More and more companies adopt a bring-your-own-device (BYOD) policy. It results in corporate data being stored on private computers, which poses an additional security threat. During the exit interview, former security department employees should provide evidence that their private devices don't contain any corporate information.
Still, employers can never be 100% sure that an ex-employee hasn't made back-ups on other personal devices. Storing corporate data in a unified knowledge base (KB) with no permission to copy it to personal devices may partially solve this problem. Be advised that it is not possible to store all data in a KB (application data, for example).
BYOD policy compliance can be monitored through special agents installed on all employees' personal devices, which prevent sensitive information from being transferred to any personal device.
Block all corporate network accounts
Make sure that remote access and all corporate accounts belonging to a resigning security employee are blocked, but not deleted. This way you ensure continuity of knowledge, as the remaining security department employees will still be able to retrieve information from the former employee's e-mails in their work routine.
On a final note
The secret of a smooth farewell to a security department employee lies not only in prompt revocation of privileges. It's crucial to understand that monitoring of security staff's activities in the corporate network should continue both before and after they officially say goodbye.