Letting staff go? Make sure IT knows about it
Companies have a lot to think about during staff cutbacks. One important item that’s often overlooked: working with IT to delete the former employees’ user accounts.
Upper management often keeps downsizing details a closely guarded secret. But it’s important to let IT know as soon as possible, so they can take on the task of removing the accounts.
Otherwise, disgruntled former employees may have a window in which they can still access the company’s computer system and do serious damage.
It’s also important for help desk workers to keep an updated list of who is and isn’t an active employee. If they don’t, ex-employees could call and ask to have their access restored.
Comments
2 Comments on Letting staff go? Make sure IT knows about it
- Bob on Tue, 6th Jan 2009 5:27 pm
- Bob on Wed, 7th Jan 2009 10:01 am
Some HR professionals will argue that they can’t provide a “termination list” to the help desk, due to confidentiality reasons.
Best practice:
1. Have a core group of people who manage IT security during RIFs. This should consist of two to three IT people who are trusted regarding security access as well as timing to handle this type of sensitive situation. Even a large RIF (several thousand employees) can be handled by a small IT staff using scripts.
2. Make sure there is a process in place by which IT denotes in the account description field that it has been disabled, and likewise, that the Help Desk is educated not to re-enable an account if it has been annotated. Changing the description field to “Disabled on mm/dd/yyyy by Person” is sufficient.
3. Plan out in advance the disposition of information and computing assets used by that employee, as well as workgroup / workflow issues that may arise once the employee is no longer available. Some considerations are:
- E-mail: The manager or a designated co-worker may need mailbox permissions, or may need the account forwarded in order to be able to respond to internal and external customer requests.
- Network permissions: What permissions does the employee have? These need to be transferred to another employee.
- Network files: The manager or a designated co-worker may need access to the employee’s files stored on the network.
- Local files: The manager or a designated co-worker may need access to the employee’s local files. This is especially true of employees with laptops – there may be critical files that are needed quickly if not immediately.
- Telephone / voice mail: The manager or a designated co-worker may need access to the voice mail. Additionally, the employee’s phone number should be re-routed to the main number or to the manager or co-worker.
- Application access: The manager or a co-worker may need access to applications such as ERP, CRM, inventory system, SCM, etc. Similarly, the employee may have been part of application workflow (such as review or approval) within these applications, and that workflow may need to be changed as well.
- Business processes: This may be something as simple as ordering office supplies, or as complex as contract reviews. Make sure there is a designated alternate for functions performed by the employee, and work with IT to validate that they have the appropriate information and computing resources to perform those functions.
A colleague reviewed this post, and pointed out one additional item to me:
4. Make sure external and vendor resources are controlled.
- Company-provided cell phones need to be disabled. The last thing you need is for a customer to call an employee that has just been RIFed. This reinforces why the company should provide a cell phone and require its use for company business.
- Vendor website access and vendor authorizations need to be disabled for the employee: Vendor website logins, phone access authorization, etc… Examples: You don’t want a RIFed employee to be able to make a purchase on behalf of the company, search external e-mail archives, or recall backup tapes to an “alternate location” because they are still authorized to do so. The best way to control this is to maintain an internal “vendor access list” showing who has access to what vendor, so that appropriate steps can be taken to remove access. This only works as long as all departments maintain a central list.
- Customer relationships: Hopefully, this is NOT the case, but you never know when an employee is using their personal e-mail account to communicate with a customer. Steps should be taken to proactively contact customers that may be affected, and make sure they know the new point of contact. Reinforcing non-compete / non-disclosure agreements during the exit process (hopefully all employees are required to sign these during the onboarding process) can be helpful in avoiding this type of situation as well.
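
The annotation rule in item 2 and the central "vendor access list" in item 4 of the comment above, sketched as an added example that is not part of the original post or of the comment. The dictionary-based directory, the account names, the vendor names and all function names are assumptions made for illustration; a real directory would be updated through its own administrative tooling.

```python
import re
from datetime import date, datetime

# Annotation format from the comment: "Disabled on mm/dd/yyyy by Person"
ANNOTATION = re.compile(r"^Disabled on (\d{2}/\d{2}/\d{4}) by (.+)$")

def parse_annotation(description):
    """Return (date, person) if the description carries a valid disable stamp, else None."""
    m = ANNOTATION.match(description or "")
    try:
        return (datetime.strptime(m.group(1), "%m/%d/%Y").date(), m.group(2)) if m else None
    except ValueError:  # impossible date such as 13/45/2009: treat as not annotated
        return None

def disable_accounts(directory, termination_list, operator, today):
    """Disable and annotate every listed account; return the names that were not found."""
    missing = []
    for name in termination_list:
        acct = directory.get(name)
        if acct is None:
            missing.append(name)
            continue
        acct["enabled"] = False
        if parse_annotation(acct["description"]) is None:  # keep the first stamp on re-runs
            acct["description"] = f"Disabled on {today:%m/%d/%Y} by {operator}"
    return missing

def help_desk_may_reenable(directory, name):
    """Help desk rule: never re-enable an account that carries the annotation."""
    acct = directory.get(name)
    return acct is not None and not acct["enabled"] and parse_annotation(acct["description"]) is None

def vendor_access_to_revoke(vendor_access_list, termination_list):
    """From the central vendor access list, map each vendor to the listed users to remove."""
    gone = set(termination_list)
    return {v: sorted(gone & set(users)) for v, users in vendor_access_list.items() if gone & set(users)}

# Constructed sample data (hypothetical accounts and vendors, not from the original post)
DIRECTORY = {"asmith": {"enabled": True, "description": "Accounts payable"},
             "bjones": {"enabled": True, "description": "Field sales"},
             "clee": {"enabled": False, "description": "Locked out: too many bad passwords"}}
VENDOR_ACCESS = {"backup-tape-vendor": ["asmith", "dkim"], "office-supplies": ["bjones", "asmith"], "crm-hosting": ["dkim"]}
TERMINATIONS = ["asmith", "bjones", "zzz-unknown"]

if __name__ == "__main__":
    print("not found:", disable_accounts(DIRECTORY, TERMINATIONS, "IT-Security", date(2009, 1, 7)))
    print({user: help_desk_may_reenable(DIRECTORY, user) for user in DIRECTORY})
    print(vendor_access_to_revoke(VENDOR_ACCESS, TERMINATIONS))
```

Names on the termination list that are not found in the directory are returned rather than silently skipped, so the core group can reconcile them by hand.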
