Managing Data Security during employee terminations

Tuesday January 29, 2013 at 9:00am

Nearly all organisations have to deal with employee contract terminations at some time, whether through a mutually agreed parting of the ways, the end of a fixed-term contract, redundancy or disciplinary action. Most of the management focus in each case tends to be on human resources processes, legal procedures and the like, to ensure there is no breach of employment legislation.

Good HR Managers will conduct exit interviews and record details of the employee’s observations and feedback about their time with the organisation and the circumstances surrounding their departure. However, few organisations seem to have a robust policy for managing information security when an employee leaves or is suspended.

I have learnt of ex-employees leaving organisations with business assets in the shape of laptops, mobile devices, USB sticks, access to design and development websites, IPR data; the list goes on. Frighteningly, this is usually with the employer having no real knowledge of these assets and the need for their return.

The danger is, of course, that during these sensitive periods, data can be duplicated, altered and used for inappropriate purposes by an ex-employee or soon-to-be ex-employee. This does not happen in every case, but from experience it's a bigger problem in the sales function than elsewhere in most businesses.

What should an organisation do to keep data safe?
As always, this comes down to some fairly simple systems and procedures around employee access to, and use of, data and resources.

When employment commences, there should be a clear asset log of all items issued to the employee, together with an "Acceptable Use of Assets Policy". Access rights to nominated programmes and data should be carefully applied and monitored during the course of employment. These rights should be reviewed whenever the employee takes on a new role, and during termination or suspension the organisation should reduce its corporate risk by re-evaluating the departing employee's access rights.

Upon termination, all assets should be accounted for, returned and signed for. These assets should be carefully checked. Clear termination procedures should be established within the organisation to ensure the process applied is fair, timely and accurate, and avoids deep embarrassment and possibly data loss further down the line.

ISO27001, the International Standard for Information Security, provides clear guidance on the application of suitable controls to remedy this situation, and we're happy to discuss our recommended approach to keeping company data secure.

Marcus Allen
Parker Management Consultants

Parker Management Consultants, 1st floor, Dominion Court, 43 Station Road, Solihull, B91 3RT