Nondisclosure agreements with teeth. If the breach is significant enough [meaning cost you more than an attorney does], exercise them.
Most of us do a thorough job of deleting anything from previous jobs off any device that may have been contaminated with them ... because we don't want the liability that goes with keeping copies anywhere odd. Things get sticky sometimes. A lot of places tend to argue that anything you write belongs to them. I have had to go the route, sometimes, of writing something and then informally 'licensing' it to an employer for $0. As long as I have the originals with proper timestamps, this works well. Usually it's not worth the effort and I just rewrite whatever it was - the value is between my ears, not what's dated on a private git repo somewhere. I've signed a few agreements that specify that i WILL NOT put documents anywhere weird, but sometimes people do things like mailing a document to a personal address by accident... and it's hard to completely purge something that someone's mailed to your personal gmail, for instance. If the company concerned is doing something really sticky --- it's possible to turn on a heck of a lot of audit controls, and track when things go out from your tightly controlled network -- you can ask people what they were doing, that way, but it doesn't prevent the data slipping out into the world. If you're a government entity, you have two PCs on every desk, one on a secure network and one with access to the outside world for email and web traffic. Things get 'difficult' when you have mandatory security training and classified documents around. No wifi, no usb sticks, no internet, et cetera. I'm not sure we're answering the question you're actually asking - there are all the policies and procedures that a well-organized group of operations/security people will insist on, and then there's validation and auditing to make sure that no one is screwing up too badly - necessary for things like datacenter security standards, Fedramp programs, et cetera. I guess the thing I'd stress is that - it's hard to rewind history, and it is very very hard to take back access once it has been granted. Don't grant access to resources to anyone without logging it, and make sure that there are comprehensive lists of what folks have access to use. In a reasonable company, setting up a new company-wide service should be an organized and repeatable process: you don't want project manager X signing up for a private hosted Atlassian account for a team of five to use, on a private credit card, because eventually there's going to come a reckoning when either 1) someone leaks data or 2) there's a re-org and suddenly nobody knows the admin credentials anymore. You want all of these processes to be "inside the walls" so to speak -- where there is at least some sanity in the process. This is *really hard* stuff for a small business. It tends to be quite nuts at a very small scale - it gets better with growth... sort of. Really, the problems just change around.... best, --e On Sat, Oct 4, 2014 at 9:10 AM, Edward Ned Harvey (lopser) <[email protected]> wrote: > We have a set of procedures to follow, or checklists to complete, for all > admin tasks that we complete on a regular basis or that we at some point > decided needed to be done with consistency. Things like the "New User" > procedure have us create the user account in AD, create the user account in > the phone system, grant access to the version control system if applicable, > etc etc. Every resource that we grant access to, we keep a record on file > for that employee, listing all the resources that they've been granted access > to. And we have a "Remove User" procedure which does all the same stuff in > reverse. > > That is sufficient to get a fair level of coverage, preventing *future* > access after the employee departs. > > Nothing in the world can undo access that the employee had prior to > departure. If you gave them access to some documents, and they downloaded > it, and created backups and stored copies in Dropbox, or printouts or > photographs in their "spy" phone... Nothing can undo previous access. Even > remote wipe applications are ineffective if the user has backup software or > printouts etc. > _______________________________________________ > Discuss mailing list > [email protected] > https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss > This list provided by the League of Professional System Administrators > http://lopsa.org/ _______________________________________________ Discuss mailing list [email protected] https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss This list provided by the League of Professional System Administrators http://lopsa.org/
