On Fri, 3 Oct 2014, Esther Schindler wrote:
Howdy, folks. It's me again -- your random writer/journalist who occasionally
asks for input in order to ensure her articles reflect the real world.
In particular: What should a company do to protect its information when an
employee departs? When someone leaves the company, the HR department is quick
to grab the employee's laptop. But what about the data on the employee's
equipment? How can the organization know what's on her mobile devices? Does
anyone know to which websites and other cloud-based software the employee has
access?
I'm aiming to create a checklist for IT (working with HR) to ensure the
company's data doesn't walk out the front door.
For example, I still have access to a surprising number of websites and other
company/client resources. For example, one client had given me access to
Google Analytics in 2009. They closed down the project in 2010 (and I believe
there's NOBODY left at the company who even remembers it existed). But I can
see its web traffic today. I also had access to a major publication's blog
comment system (e.g. "mark as spam") for three years, and the only reason it
went away then is that they changed their commenting system. It's a good thing
I'm ethical, or I could have had entirely too much fun doing naughty things.
So… what advice would you give sysadmins about what to look for? Because while
it might occur to IT to change a user's admin rights on Active Directory, it
might not occur to them to check for all site access (if they even know, and
I'm sure that in neither of my cases anyone did).
I could quote you by name if you like, but I'm just as happy to share your
wisdom without naming names. Here I only care about expertise… not who said
it. So you don't have to worry about getting in trouble!
Can you send me whatever input you have by, say, Tuesday October 7th?

The biggest question is what are your policies about that data to start with?
It's all well and good to grab the laptop, remote wipe their phone and tablet,
but if they have a printout, or a USB stick, or CD with the data on it, you
aren't going to catch it.
Any halfway competent employee is going to be able to walk off with your data if
they really want to and think even a little ahead. So the first defense starts
long before any employee leaves by setting (and enforcing) policies about where
your sensitive data can go.
At the time of termination, I would say the most important thing is to make sure
that the employee no longer has credentials (especially any hardware based
authentication) to get into your systems to gather more data. Beyond that,
reminders of the confidentiality agreement are going to do at least as much good
as any technical means you try to use to gather or delete data.
David Lang
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/