We have a set of procedures to follow, or checklists to complete, for all admin tasks that we complete on a regular basis or that we at some point decided needed to be done with consistency. Things like the "New User" procedure have us create the user account in AD, create the user account in the phone system, grant access to the version control system if applicable, etc. Every resource that we grant access to, we keep a record on file for that employee, listing all the resources that they've been granted access to. And we have a "Remove User" procedure which does all the same stuff in reverse.
That is sufficient to get a fair level of coverage, preventing *future* access after the employee departs. Nothing in the world can undo access that the employee had prior to departure. If you gave them access to some documents, and they downloaded it, and created backups and stored copies in Dropbox, or printouts or photographs in their "spy" phone... Nothing can undo previous access. Even remote wipe applications are ineffective if the user has backup software or printouts etc.
