CSA CCM HRS-06
Employment Termination

When an employee leaves an organization, either voluntarily or involuntarily, it's crucial to have a well-defined process in place to manage the transition. This process should cover everything from revoking access to company resources, to ensuring that the employee upholds their confidentiality obligations. Without a clear employment termination policy, organizations risk data breaches, intellectual property theft, and reputational damage.

Where did this come from?

CSA Cloud Controls Matrix v4.0.10, published 2023-09-26. The full matrix can be downloaded from the CSA website.

This control aligns with other industry standards and best practices around staff lifecycle management. For example, ISO/IEC 27001:2013 has a similar control in Annex A.7.3 - Termination and change of employment (renumbered A.6.5, Responsibilities after termination or change of employment, in the 2022 edition).

Who should care?

  • HR managers responsible for onboarding and offboarding staff
  • IT administrators who provision and deprovision user accounts
  • Information security professionals tasked with protecting company data
  • Legal counsel who draft employment contracts and confidentiality agreements
  • Department managers overseeing team members and intellectual property

What is the risk?

Without a robust employment termination process, ex-employees may:

  • Retain access to sensitive systems and data
  • Share confidential information with competitors
  • Poach clients or staff to a new employer
  • Fail to return company property like laptops and keycards
  • Bad-mouth the company publicly, damaging its reputation

The likelihood of these risks depends on factors like the employee's role, their reason for leaving, and the strength of their confidentiality agreements. The consequences could range from minor embarrassment to significant financial and reputational damage.

What's the care factor?

For most organizations, having a basic employment termination checklist is essential hygiene, much like having an HR department or doing payroll.

However, the more intellectual property and sensitive data your organization handles, the higher priority this control should take. Companies working on cutting-edge products, or storing valuable customer data, are prime targets for IP theft and should invest accordingly in offboarding.

When is it relevant?

Employment termination processes should kick off whenever an employee:

  • Resigns voluntarily
  • Gets fired with or without cause
  • Finishes a fixed term contract
  • Transfers to a new internal role
  • Goes on extended leave like parental leave

They are less relevant for minor role changes that don't involve a change in access permissions, like a promotion or transfer within a department.

What are the trade offs?

Thorough offboarding takes time and coordination between different departments like HR, IT, facilities and legal. Many of the steps like account revocation need to happen ASAP, which can be challenging with limited notice.

There's also a balance between protecting company assets and treating exiting employees with respect. While a certain level of security is prudent, rifling through personal possessions or cutting access too early can burn bridges.

How to make it happen?

  1. Define a clear employment termination policy outlining roles and responsibilities
  2. Include confidentiality and IP clauses in employment contracts
  3. Maintain an up-to-date list of all staff and contractors
  4. Use an HR system to track role changes and terminations
  5. Establish an IT offboarding checklist covering:
    • Disabling accounts (email, VPN, SSO, applications)
    • Revoking active sessions, OAuth/refresh tokens and personal API tokens, since disabling an account does not always end sessions that are already open
    • Rotating shared passwords and any other secrets the person knew
    • Transferring data ownership
    • Wiping and retrieving devices
  6. Recover physical assets like laptops, phones, keycards and credit cards
  7. Conduct an exit interview to identify any loose ends
  8. Transfer knowledge to remaining team members
  9. Notify relevant internal and external stakeholders
  10. Revoke digital certificates and keys
  11. Update website, org charts and phone directories
  12. Disable any automatic scheduled tasks or workflows
  13. Complete required paperwork like tax forms and references
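To make steps 3 to 5 concrete, the following added example (not tooling from the CSA or from any HR or identity vendor) reconciles a constructed HR roster export against a constructed identity-directory export and lists the accounts that still need to be disabled, suspended for leave, or re-owned. The CSV columns, the example.com users and the status values are assumptions; map your own HRIS and IdP or cloud IAM exports onto them.

```python
"""Reconcile an HR roster export against an identity directory export to find
accounts that should have been disabled, suspended or re-owned.

Added example for this page, not tooling from the CSA or any vendor. The CSV
layouts, column names and the two exports below are constructed assumptions.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed HR export: one row per person; termination_date is empty
# until HR records a leaving date.
HR_ROSTER_CSV = """\
email,name,status,termination_date
alice@example.com,Alice Ng,active,
bob@example.com,Bob Tran,terminated,2024-03-01
carol@example.com,Carol Diaz,leave,
dave@example.com,Dave Okafor,terminated,2024-02-15
"""

# Constructed identity export: human accounts plus service accounts
# ('robot users') that carry a human owner.
IDP_USERS_CSV = """\
username,type,enabled,owner,last_login
alice@example.com,human,true,,2024-03-10
bob@example.com,human,true,,2024-03-05
carol@example.com,human,true,,2024-02-20
dave@example.com,human,false,,2024-02-14
erin@example.com,human,true,,2024-03-09
ci-deploy-bot,service,true,bob@example.com,2024-03-11
backup-runner,service,true,alice@example.com,2024-03-11
"""


@dataclass(frozen=True)
class Finding:
    account: str
    action: str   # disable | suspend | investigate | reassign-and-rotate | assign-owner
    detail: str


def parse_csv(text: str) -> list[dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def _parse_date(value: str) -> date | None:
    return date.fromisoformat(value) if value else None


def reconcile(hr_rows: list[dict[str, str]], idp_rows: list[dict[str, str]]) -> list[Finding]:
    """Return the offboarding actions implied by the two exports."""
    roster = {row["email"].lower(): row for row in hr_rows}
    findings: list[Finding] = []

    for acct in idp_rows:
        name = acct["username"].lower()
        enabled = acct["enabled"].lower() == "true"
        last_login = _parse_date(acct["last_login"])

        if acct["type"] == "service":
            # Service accounts outlive their owners: a leaver's bots need a new
            # owner and rotated credentials, because the leaver knew them.
            owner = roster.get(acct["owner"].lower())
            if owner is None:
                findings.append(Finding(name, "assign-owner", "no roster record for owner"))
            elif owner["status"] == "terminated":
                findings.append(Finding(name, "reassign-and-rotate",
                                        f"owner {acct['owner']} terminated {owner['termination_date']}"))
            continue

        person = roster.get(name)
        if person is None:
            # An enabled account with no HR record is either a missed leaver
            # or an unmanaged account; both need a human decision.
            if enabled:
                findings.append(Finding(name, "disable", "no HR roster record"))
            continue

        term = _parse_date(person["termination_date"])
        if person["status"] == "terminated":
            if enabled:
                findings.append(Finding(name, "disable", f"terminated {term}, account still enabled"))
            if term and last_login and last_login > term:
                # Evidence that the gap was used, not only that it existed.
                findings.append(Finding(name, "investigate", f"last login {last_login} after termination {term}"))
        elif person["status"] == "leave" and enabled:
            findings.append(Finding(name, "suspend", "on extended leave"))

    return findings


if __name__ == "__main__":
    for f in reconcile(parse_csv(HR_ROSTER_CSV), parse_csv(IDP_USERS_CSV)):
        print(f"{f.action:20} {f.account:20} {f.detail}")
```

Run it on a schedule, not only at exit time: the "no HR roster record" and "last login after termination" findings are exactly the cases a manual checklist misses, and the `investigate` finding is what turns a missed revocation into an incident rather than a clean-up item.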

What are some gotchas?

  • Many termination steps require admin permissions to systems and buildings. Ensure these are assigned to a sufficient number of staff.
  • Cloud-based services like AWS, Azure and Google Workspace have granular Identity and Access Management (IAM) permissions that need to be revoked in full. In AWS, for example, a single user can hold directly attached and inline policies, group memberships, access keys, MFA devices and a console password, and may also be named in the trust policy of roles in other accounts; each of these has to be found and removed separately.
  • Don't forget to offboard service accounts and 'robot users' that ex-employees may have had access to.
  • If doing knowledge handover, ensure the exiting employee cannot delete or alter files or documentation, and keep version history or audit logs so that any changes made during the notice period can be reviewed and reverted.
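As an added example of the AWS point above (not code from the CSA or from AWS), here is the revocation sequence for one IAM user, written against the boto3 IAM client's method names. The client is passed in, so the constructed FakeIAM stand-in, its user `bob` and its key, policy and group names let the function run offline; pass `boto3.client("iam")` for a real account, with the matching `iam:*` permissions. Roles the user could assume through a trust policy, SSH keys and signing certificates are not covered and must be handled separately.

```python
"""Revoke an AWS IAM user's credentials, then their permissions.
Added example, not CSA or AWS tooling; `iam` is any object with the boto3
IAM client's method names, so the constructed FakeIAM below runs it offline.
Roles assumable via trust policy, SSH keys and signing certs are not covered.
"""
from __future__ import annotations


def deprovision_iam_user(iam, username: str, delete_user: bool = False) -> list[str]:
    """Cut authentication first, permissions second; return an audit trail."""
    log: list[str] = []

    # 1. Console password; NoSuchEntity just means the user never had one.
    try:
        iam.delete_login_profile(UserName=username)
        log.append("deleted console login profile")
    except iam.exceptions.NoSuchEntityException:
        log.append("no console login profile")

    # 2. Access keys: deactivate (reversible) now, delete only with the user.
    for key in iam.list_access_keys(UserName=username)["AccessKeyMetadata"]:
        key_id = key["AccessKeyId"]
        if key["Status"] == "Active":
            iam.update_access_key(UserName=username, AccessKeyId=key_id, Status="Inactive")
            log.append(f"deactivated access key {key_id}")
        if delete_user:
            iam.delete_access_key(UserName=username, AccessKeyId=key_id)
            log.append(f"deleted access key {key_id}")

    # 3. MFA devices must be deactivated before delete_user can succeed.
    for dev in iam.list_mfa_devices(UserName=username)["MFADevices"]:
        iam.deactivate_mfa_device(UserName=username, SerialNumber=dev["SerialNumber"])
        log.append(f"deactivated MFA device {dev['SerialNumber']}")

    # 4. Permissions: attached managed policies, inline policies, group
    #    memberships. Per-user lists fit in one page, so no pagination here.
    for pol in iam.list_attached_user_policies(UserName=username)["AttachedPolicies"]:
        iam.detach_user_policy(UserName=username, PolicyArn=pol["PolicyArn"])
        log.append(f"detached {pol['PolicyArn']}")
    for name in iam.list_user_policies(UserName=username)["PolicyNames"]:
        iam.delete_user_policy(UserName=username, PolicyName=name)
        log.append(f"deleted inline policy {name}")
    for grp in iam.list_groups_for_user(UserName=username)["Groups"]:
        iam.remove_user_from_group(GroupName=grp["GroupName"], UserName=username)
        log.append(f"removed from group {grp['GroupName']}")

    if delete_user:
        iam.delete_user(UserName=username)
        log.append("deleted user")
    return log


class FakeIAM:
    """Constructed in-memory stand-in for the boto3 IAM calls used above."""

    class exceptions:  # mirrors boto3's client.exceptions namespace
        class NoSuchEntityException(Exception):
            pass

    def __init__(self) -> None:
        self.users = {"bob"}
        self.login_profiles = {"bob"}
        self.access_keys = {"bob": [{"AccessKeyId": "AKIACONSTRUCTEDKEY01", "Status": "Active"}]}
        self.mfa = {"bob": ["arn:aws:iam::123456789012:mfa/bob"]}
        self.attached = {"bob": ["arn:aws:iam::aws:policy/ReadOnlyAccess"]}
        self.inline = {"bob": ["deploy-bucket-write"]}
        self.groups = {"bob": ["developers"]}

    def delete_login_profile(self, UserName):
        if UserName not in self.login_profiles:
            raise self.exceptions.NoSuchEntityException(UserName)
        self.login_profiles.remove(UserName)
    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": list(self.access_keys.get(UserName, []))}
    def update_access_key(self, UserName, AccessKeyId, Status):
        for key in self.access_keys[UserName]:
            if key["AccessKeyId"] == AccessKeyId:
                key["Status"] = Status
    def delete_access_key(self, UserName, AccessKeyId):
        self.access_keys[UserName] = [k for k in self.access_keys[UserName] if k["AccessKeyId"] != AccessKeyId]
    def list_mfa_devices(self, UserName):
        return {"MFADevices": [{"SerialNumber": s} for s in self.mfa.get(UserName, [])]}
    def deactivate_mfa_device(self, UserName, SerialNumber):
        self.mfa[UserName].remove(SerialNumber)
    def list_attached_user_policies(self, UserName):
        return {"AttachedPolicies": [{"PolicyArn": a} for a in self.attached.get(UserName, [])]}
    def detach_user_policy(self, UserName, PolicyArn):
        self.attached[UserName].remove(PolicyArn)
    def list_user_policies(self, UserName):
        return {"PolicyNames": list(self.inline.get(UserName, []))}
    def delete_user_policy(self, UserName, PolicyName):
        self.inline[UserName].remove(PolicyName)
    def list_groups_for_user(self, UserName):
        return {"Groups": [{"GroupName": g} for g in self.groups.get(UserName, [])]}
    def remove_user_from_group(self, GroupName, UserName):
        self.groups[UserName].remove(GroupName)
    def delete_user(self, UserName):
        self.users.remove(UserName)
```

Deactivating access keys rather than deleting them on the first pass leaves a way back if the wrong user was offboarded, and the returned audit trail is what you attach to the HR ticket as evidence that the control was applied.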

What are the alternatives?

While there's no replacement for formal offboarding, some steps that can reduce the blast radius of a bad exit include:

  • Implementing least-privilege access so users only have permissions they need
  • Auditing access logs to detect suspicious activity
  • Using tools to automate account de-provisioning
  • Having employees work on company-owned devices that can be remotely wiped
  • Storing data in central cloud storage or databases rather than on individual laptops

Explore further

  • ISO/IEC 27001:2013 A.7.3 - Termination and change of employment (A.6.5 in the 2022 edition)
  • NIST SP 800-53 PS-4 - Personnel Termination
  • CIS Controls v7 Control 16 - Account Monitoring and Control (Control 5, Account Management, in v8)
  • CSA CCM IAM-07: User Access Changes and Revocation (IAM-11, User Access Revocation, in CCM v3)
