Jamie Davis, Education Manager
As Donald Trump says, “You’re Fired,” and the most famous response is “You can’t fire me, I quit!” No matter how employees leave your bank, one thing is certain: they will leave. If death and taxes are the only guarantees in life, company turnover and taxes are the only guarantees in business. For this reason, defining the steps to take when employees leave is very important. Change control is no longer a nice theory but a requirement for a safe and secure business. When someone is hired, there should be an approval process in place to ensure that they are given the appropriate credentials and rights. This should be defined and signed by the appropriate individuals. The same should be true for employees on their last day: there should be a sign-off sheet listing the roles and accounts to disable or change.
Defining a single checklist that all banks should follow is not practical, since every bank has its own nuances. Your checklist should include some or all of the items in the list below; the job of determining the exact checklist is up to you. The goal is to ensure the safety of the bank’s and customers’ information, so erring on the side of paranoia is not a bad thing.
Your checklist may also want to take into account the following:
- The employee should be escorted and closely monitored after separation has been stated.
- Disable all Active Directory accounts. This should include their user account and any administrator accounts. This should also include disabling or changing passwords of any generic accounts the user may have known or used (asmith, ssmith, etc.).
- Remove email access.
  - OWA for Exchange users will be unusable once the account is disabled.
  - For MDaemon users, the account password needs to be reset in MDaemon until such time as the account can be deleted from the system.
  - For most users, you will not want to delete the mailbox as soon as the user leaves. Forward his or her mail to someone else until you can determine there is no longer a business-related need for the account. You may want to consider providing an auto-reply on the user’s email account stating that the employee is no longer employed by your bank but that another employee is monitoring the messages.
- Disable any VPN or remote access available to the employee.
- Reclaim all bank-issued equipment (computers, laptops, jump/thumb drives, cell phones, etc.).
- Disable or change passwords on all software specific user accounts (teller, platform, loan app, etc.).
- Cancel any bank issued credit cards.
- Account for their role and backup role with another employee in your BCP plan and line of succession.
- Training may be involved to successfully account for certain roles.
If the person leaving is an Administrator, a more thorough job must be done to ensure bank security.
- Ensure that all devices’ usernames/passwords are changed. The firewall, routers, local admin accounts on computers, admin software accounts, etc. all most likely have usernames and passwords that were known by the Administrator.
- Ensure the servers do not have any services that use the Administrator’s credentials.
- Redirect all notifications. Notify Safe Systems and Gladiator Technology to change their contact list and notification options. Change backup and WSUS notifications to the person now assuming this job.
- Notify all vendors the user had contact with to inform them of the change in employment.
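As an added example (not part of the original article or a Safe Systems tool), the following PowerShell script covers the Windows-side items above for a departing user: disabling and password-resetting the Active Directory account, recording and removing group memberships for the sign-off sheet, forwarding the Exchange mailbox with an auto-reply, and auditing servers for services and scheduled tasks that still run under the departing person’s credentials. It assumes the RSAT ActiveDirectory module and an Exchange management session are loaded; the account name, forwarding mailbox and server names are placeholders.

```powershell
# Added example offboarding script; names below are placeholders for your environment.
param(
    [Parameter(Mandatory)][string]$SamAccountName,   # departing user, e.g. "jsmith" (placeholder)
    [Parameter(Mandatory)][string]$ForwardTo,        # mailbox that will monitor the mail
    [string[]]$Servers = @("FS01", "APP01")          # placeholder servers to audit
)
Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName -Properties MemberOf

# 1. Disable the account and replace the password with a random one, so a
#    password the employee memorised is useless even if the account is re-enabled.
Disable-ADAccount -Identity $user
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPw

# 2. Record group memberships for the sign-off sheet, then remove them
#    (privileged groups such as Domain Admins are the important ones).
$user.MemberOf | ForEach-Object { (Get-ADGroup $_).Name } |
    Tee-Object -FilePath ".\$SamAccountName-groups.txt"
foreach ($g in $user.MemberOf) {
    Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false
}

# 3. Keep the mailbox, forward it to the person taking over, and set an auto-reply.
Set-Mailbox -Identity $SamAccountName -ForwardingAddress $ForwardTo -DeliverToMailboxAndForward $true
$notice = "This employee is no longer with the bank; messages are being monitored by another employee."
Set-MailboxAutoReplyConfiguration -Identity $SamAccountName -AutoReplyState Enabled `
    -InternalMessage $notice -ExternalMessage $notice -ExternalAudience All

# 4. Find services and scheduled tasks still running under the departing person's
#    credentials; each one will break after the password reset and must be re-homed.
foreach ($srv in $Servers) {
    Get-CimInstance -ClassName Win32_Service -ComputerName $srv |
        Where-Object { $_.StartName -like "*$SamAccountName*" } |
        Select-Object @{n='Server';e={$srv}}, Name, StartName, State
    Get-ScheduledTask -CimSession $srv |
        Where-Object { $_.Principal.UserId -like "*$SamAccountName*" } |
        Select-Object @{n='Server';e={$srv}}, TaskName, @{n='RunAs';e={$_.Principal.UserId}}
}
```

Run it from an administrative workstation against a test account first; the service and task listing in step 4 is the part most often missed when an Administrator leaves.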
The Safe Systems Network Operations Center (NOC) is available to help with the IT aspects of employee separation. Additionally, your Safe Systems Account Manager is available to assist you with any information security related questions.