Preparing for Key IT Staff Turnover Guide
An FRSecure Self-Help Document of Guidelines and Best Practices
Preparing for Key IT Staff Turnover
Turnover of key IT staff requires additional planning and steps to ensure that the company protects itself from malicious activity during the turnover process and continues normal business operations. In addition to your organization's standard user turnover activities (disabling network access, remote access, system accounts, and access cards; retrieving assets; changing any shared passwords; reminding the departing user of NDA requirements; etc.), there are additional turnover activities to consider when key IT staff depart.

When planning for a key IT staff turnover, it's useful to reference your disaster recovery strategy: the key activities documented in your disaster recovery plan as needed to resume business operations are many of the same key IT activities that you want to keep operating smoothly after the staff member's departure.

Below is a list of information security items to address for a key IT staff turnover. While not all-inclusive, this list provides much of the foundational knowledge needed to ensure continued operation of your network:
- Make sure an updated inventory of assets exists – know what assets you have and what assets you need to focus protection on.
- Make sure an updated network diagram and data flow diagram exist – make sure you have full visibility of your network and don’t lose sight of lesser-used resources with the loss of staff.
- Inventory administrative accounts – create an inventory of all administrative accounts and passwords (including service accounts) that the user had access to; if a password keeper is in use, change the password.
- Inventory administrative tools and functions – be sure you know what tools are used for key functions like patch management, AV/malware, email gateway, logging and alerting, backup, etc.
- Inventory all encryption keys and certificates – create an inventory of all encryption keys and certificates along with their use, expiration, and any support details.
- Inventory all key vendors/external contacts and functions – create an inventory of key support contacts that can be utilized to ensure a smooth transition and continued operation of your network; also ensure all maintenance agreements are documented.
- Document key processes – make sure standard and specialty tasks have documented operating procedures.
See Appendix A: Definitions
Waivers from certain policy provisions may be sought following the FRSecure Waiver Process.
Personnel found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, and related civil or criminal penalties.
Any vendor, consultant, or contractor found to have violated this policy may be subject to sanctions up to and including removal of access rights, termination of contract(s), and related civil or criminal penalties.