Can we talk about the termination process from an IT POV?

pwjohnston Member Posts: 441
So I’ve been working for this company for the last year as their SysAdmin. Now they don’t have the best system when it comes to firing people, or IT Policy for that matter. It's not unusual for them to have people leave and not even tell me. We’re a small company so everyone knows everyone and talks to just about everyone.

The situation:

Monday night they found out that two employees were going to be fired; I won’t go into detail here. The first thing Tuesday the Call Center guy came up to me and asked if I had read my mail. I said no and he told me that I needed to disable access for the two employees. No big deal; usually they take care of the employee end. So I disable AD access, Email, VPN, etc.

Not more than 30 min later I get a call on my personal cell from one of the employees. He’s complaining because his VPN doesn’t work and is kind of upset.

WHAT do you say in that situation???

Essentially they had me turn off access before they even told him. Now I understand there is a *possible* security risk here, but shouldn’t there be a clear process where the SysAdmin shouldn’t be involved?


I told the user that I wasn’t sure what was up. I would test the VPN and have someone call him. So clearly I lied, but considering the situation?

Thoughts?

Comments

  • dynamik Banned Posts: 12,312
    They usually have you cut access first. Just say you're looking into it and wait for HR to take care of things.
  • Ahriakin SupremeNetworkOverlord Member Posts: 1,799
    It's probably the most horrible part of the job, especially in a smaller company, but you have to keep your distance. As Dynamik said, redirect to their manager and/or HR and don't say a word. Don't lie either, and don't be concerned about what the employee/ex might read into it; just redirect.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • murdatapes Member Posts: 232
    You have to be in a situation to understand this one. I am not a sys admin at a company (not yet) but the company I work for does the same thing. They use their employees as bait, which I can't stand. Happened multiple times, where the manager would come to me and say "hey can you please take john poe to the data center and act like you are showing him something." While I am acting like I am showing him something, he is in the room firing the first guy. Then he comes and says, "Where's john poe?" I point to him and then he takes him into the room and fires him.

    The feeling is crazy, cause you feel like you helped the person get fired. Sorry, but I just don't agree with that. Let me start disabling after you tell him/her, don't put me in it. Period.
    Next up
    CIW Web Foundations Associate (Knock out some certs before WGU)
    ITIL Intermediate Service Operations
  • pwjohnston Member Posts: 441
    That's total BS murdatapes. If I were you I'd say, look I'm not the manager. You're getting paid to do that, grow a pair.

    I try to get along with my co-workers and you develop a better relationship with some more than others, but I try not to get too close. I probably should have just not answered my phone.

    What I'm really looking for is policy. The whole process of terminations is kind of herky-jerky around here to begin with. Are there policies for these sorts of situations? I can't imagine bigger companies just run fast and loose on this.
  • Paul Boz Member Posts: 2,620
    murdatapes wrote: »
    Let me start disabling after you tell him/her, don't put me in it. Period.

    That is a poor security practice and you are in the wrong in those situations. Every organization that is legit should have an IT termination procedural document in place. Network access should be revoked prior to an employee being terminated because once the determination has been made to terminate an employee their services for the company are rendered null and void. This includes access to corporate assets such as the network and provided hardware. It sucks that IT has to be involved in this but hey, that's the nature of the job. Other departments have to deal with the same thing (revoking rights in the organization) but it's usually transparent for them. IT is different because it is non-transparent. Most organizations place this either as a separate procedural document or include it in the overall termination policy.

    In fact, at my old company when someone felt they were on the hot seat they'd try to log into webmail and if they couldn't they assumed the worst and didn't come in. When I got let go they held my last pay check until I returned a one-time token generator that was provided to me for network access.
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
  • networker050184 Mod Posts: 11,962
    Paul Boz wrote: »
    That is a poor security practice and you are in the wrong in those situations. Every organization that is legit should have an IT termination procedural document in place. Network access should be revoked prior to an employee being terminated because once the determination has been made to terminate an employee their services for the company are rendered null and void. This includes access to corporate assets such as the network and provided hardware. It sucks that IT has to be involved in this but hey, that's the nature of the job. Other departments have to deal with the same thing (revoking rights in the organization) but it's usually transparent for them. IT is different because it is non-transparent.

    In fact, at my old company when someone felt they were on the hot seat they'd try to log into webmail and if they couldn't they assumed the worst and didn't come in.

    I agree here. You must disable access first. It kind of defeats the purpose if you disable access after you fire them.
    An expert is a man who has made all the mistakes which can be made.
  • murdatapes Member Posts: 232
    Paul Boz wrote: »
    That is a poor security practice and you are in the wrong in those situations. Every organization that is legit should have an IT termination procedural document in place. Network access should be revoked prior to an employee being terminated because once the determination has been made to terminate an employee their services for the company are rendered null and void. This includes access to corporate assets such as the network and provided hardware. It sucks that IT has to be involved in this but hey, that's the nature of the job. Other departments have to deal with the same thing (revoking rights in the organization) but it's usually transparent for them. IT is different because it is non-transparent.

    In fact, at my old company when someone felt they were on the hot seat they'd try to log into webmail and if they couldn't they assumed the worst and didn't come in.

    Trust me I feel you. I understand the procedure (come to door badge not working, email doesn't work, they let you come to the meeting but after it's "let's have a talk"). My situation was different cause they were friends of mine. So wrong? Maybe. But I will be wrong to get over the fact that I felt like I helped a friend get fired.

    Try to feel me in that particular situation, before I am totally wrong. I just didn't like how it seemed I helped.
  • tiersten Member Posts: 4,505
    Paul Boz wrote: »
    When I got let go they held my last pay check until I returned a one-time token generator that was provided to me for network access.
    There is no security reason to do that though. The only reason to do so is so they can reuse the token but they're not particularly expensive anyway...
  • tiersten Member Posts: 4,505
    I agree here. You must disable access first. It kind of defeats the purpose if you disable access after you fire them.
    Yup. I've seen people cause havoc because their accounts weren't disabled before they were fired. It ranged from abusive messages sent to everybody to actual attempts to delete or sabotage data. Disabling all of their remote access abilities as well is vital. Security should come escort them to their desk, check what they're packing and then escort them outside after taking any keys or keycards off them.
  • murdatapes Member Posts: 232
    tiersten wrote: »
    Yup. I've seen people cause havoc because their accounts weren't disabled before they were fired. It ranged from abusive messages sent to everybody to actual attempts to delete or sabotage data. Disabling all of their remote access abilities as well is vital. Security should come escort them to their desk, check what they're packing and then escort them outside after taking any keys or keycards off them.

    Yes we have the building guard escort. Matter of fact, they will stand beside the person (watching them pack up) until he's out in the lobby.
  • Zaits Member Posts: 142
    The company I work for now uses a product by Quest called ActiveRoles. It ties Active Directory into the payroll system. This allows HR to handle everything from a new hire to a deprovision. When they disable the user in the payroll system it syncs to AD and IT is hands off. We only get involved when a user is re-hired; that's when things get tricky with the ActiveRoles software.
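Added example, not part of any post in this thread and not ActiveRoles code: where no HR-to-directory sync exists, a periodic reconciliation of the HR termination feed against a directory export catches the gaps discussed above (accounts still enabled, accounts disabled late, logons after the effective time, leftover VPN group membership). The CSV column names, the `VPN-Users` group and all sample rows are constructed assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed sample data; column names and the VPN group name are assumptions.
HR_FEED = """\
sam_account,termination_effective
jdoe,2024-03-05T09:00:00
asmith,2024-03-05T09:00:00
bnguyen,2024-03-06T17:00:00
"""

DIRECTORY_EXPORT = """\
sam_account,enabled,disabled_at,last_logon,groups
jdoe,false,2024-03-05T08:40:00,2024-03-04T18:12:00,Domain Users
asmith,true,,2024-03-05T09:25:00,Domain Users;VPN-Users
bnguyen,false,2024-03-06T17:45:00,2024-03-06T17:20:00,Domain Users;VPN-Users
cjones,true,,2024-03-07T08:00:00,Domain Users;VPN-Users
"""

REMOTE_ACCESS_GROUPS = {"VPN-Users"}  # hypothetical remote-access group


def _ts(value):
    """Parse an ISO 8601 timestamp; empty fields become None."""
    return datetime.fromisoformat(value) if value else None


def _load(text, key="sam_account"):
    """Index CSV rows by account name."""
    return {row[key]: row for row in csv.DictReader(io.StringIO(text))}


def audit_terminations(hr_csv, directory_csv, as_of):
    """Return (account, finding, detail) for terminations effective by as_of."""
    directory = _load(directory_csv)
    findings = []
    for account, hr in _load(hr_csv).items():
        effective = _ts(hr["termination_effective"])
        if effective > as_of:
            continue  # not yet effective; nothing to reconcile
        entry = directory.get(account)
        if entry is None:
            findings.append((account, "NOT_IN_EXPORT", "verify manually"))
            continue
        disabled_at = _ts(entry["disabled_at"])
        last_logon = _ts(entry["last_logon"])
        if entry["enabled"].strip().lower() == "true":
            findings.append((account, "STILL_ENABLED", "account active"))
        elif disabled_at and disabled_at > effective:
            late = int((disabled_at - effective).total_seconds() // 60)
            findings.append((account, "DISABLED_LATE", f"{late} min late"))
        if last_logon and last_logon > effective:
            findings.append((account, "LOGON_AFTER_TERMINATION",
                             last_logon.isoformat()))
        # Group membership can outlive the disable step and matters on re-hire.
        groups = {g.strip() for g in entry["groups"].split(";") if g.strip()}
        for group in sorted(groups & REMOTE_ACCESS_GROUPS):
            findings.append((account, "REMOTE_ACCESS_GROUP", group))
    return findings


if __name__ == "__main__":
    for finding in audit_terminations(HR_FEED, DIRECTORY_EXPORT,
                                      datetime(2024, 3, 7)):
        print(*finding, sep="\t")
```
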
  • tiersten Member Posts: 4,505
    murdatapes wrote: »
    Trust me I feel you. I understand the procedure (come to door badge not working, email doesn't work, they let you come to the meeting but after it's "let's have a talk"). My situation was different cause they were friends of mine. So wrong? Maybe. But I will be wrong to get over the fact that I felt like I helped a friend get fired.

    Try to feel me in that particular situation, before I am totally wrong. I just didn't like how it seemed I helped.
    They would have been fired no matter what you did.
  • CompuTron99 Member Posts: 542
    We have to disable the accounts during the meeting with the employee / HR / employee's manager.
  • pwjohnston Member Posts: 441
    I agree here. You must disable access first. It kind of defeats the purpose if you disable access after you fire them.

    Yes, BUT it seems more logical to me that unless they pose an immediate security risk that the disabling happens just before the employee is terminated.

    E.g., I'm disabling access while the manager is walking the employee into their office to give them the news or maybe 5 min before.

    This is specifically for non-tech positions. I could understand why it may be different for other Network/Systems Admins since they have more access to cut them off earlier.
  • Paul Boz Member Posts: 2,620
    murdatapes wrote: »
    Try to feel me in that particular situation, before I am totally wrong. I just didn't like how it seemed I helped.

    Oh I agree with you that it is indeed a stressful situation, but your job is your job and your friends are your friends. If your employer deems that person's services not necessary any more it's still your job to comply and put on a good face about it. If they truly are your friends they won't hold you doing your job against you. If they do, they're not really good friends. I've had friends snub me after they got let go because I refused to grind an axe against my employer because of it. They equate my friendship and continued employment as a betrayal. In fact, the guy that got me my job at my current employer quit to go somewhere else then called to talk **** about my current employer for several weeks after he left. I got tired of it and told him that he needed to chill out and not care so much about a place that he no longer worked. We no longer talk to each other beyond courtesy because he couldn't separate my employment from our friendship. That's his problem, not mine.
    pwjohnston wrote: »
    Yes, BUT it seems more logical to me that unless they pose an immediate security risk that the disabling happens just before the employee is terminated.

    E.g., I'm disabling access while the manager is walking the employee into their office to give them the news or maybe 5 min before.

    This is specifically for non-tech positions. I could understand why it may be different for other Network/Systems Admins since they have more access to cut them off earlier.

    Please show me a corporate environment that employs an IT staff that is capable of coordinating a termination with the guy doing the firing in a five minute window. Your concept of perceived threat and risk is skewed a bit. As soon as an employee is deemed unnecessary for the organization they become a security risk. It ties into the concept of least privilege. If Employee X is going to be fired as soon as he or she shows up to work, you should nix their network access as soon as possible to mitigate sabotage and other scenarios such as the ones tiersten described.
  • pwjohnston Member Posts: 441
    Paul Boz wrote: »
    Please show me a corporate environment that employs an IT staff that is capable of coordinating a termination with the guy doing the firing in a five minute window. Your concept of perceived threat and risk is skewed a bit. As soon as an employee is deemed unnecessary for the organization they become a security risk. It ties into the concept of least privilege.

    Point taken.

    Hey, I can't say I'm not an idealist. I mean is it really that difficult for the manager to call IT and say "do it" right before they go get the person?
  • Paul Boz Member Posts: 2,620
    Also keep in mind that termination is an extremely sensitive HR and legal situation, so having a well-defined procedure in place is a must for ensuring that the law is being followed. Wrongful or improper termination is something you do not want to get involved in. These things can be mitigated by having a well-structured and followed termination plan. It isn't that employers are jerks or want to be abrasive, but anyone terminated becomes a potential lawsuit so a strict procedure needs to be followed.

    The former employer which I was discussing earlier wouldn't even allow an individual to pack his or her own belongings. HR would handle that to avoid that individual being in the building. Again, this is abrasive because you don't even get to tell people goodbye, but from a security standpoint it makes sense. I was rather upset about how I was treated in that situation but after getting into security I fully understand why.
    pwjohnston wrote: »
    Point taken.

    I mean is it really that difficult for the manager to call IT and say "do it" right before they go get the person?

    Yes, it usually is. In any decent organization with a well-run IT department, you can't just call the help desk and say "Employee X is being fired right now, I need network access removed right away." These IT professionals have to perform their job functions in a timely manner. In addition, what happens if that help desk or IT guy doesn't pick up the phone? You have just created a security risk. This is why procedures should be in place that dictate how network removal should occur. It mitigates these types of incidental security risks.

    For those who want to do some more reading on this subject please read these links:

    http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci852407,00.html
    http://humanresources.about.com/od/whenemploymentends/a/end_employment.htm
    http://www.csoonline.com/article/501418/Sample_Termination_Checklist
  • sambuca69 Member Posts: 262
    At my last job, I did some desktop support. When they term'd people, they would actually ask me to go to their workstations, and physically disconnect them from the LAN.

    Many times, they wouldn't even know yet. lol... talk about awkward. "I have to check something under your desk." *pulls cable and runs*, basically
  • veritas_libertas CISSP, GIAC x5, CompTIA x5 Greenville, SC USA Member Posts: 5,745
    sambuca69 wrote: »
    At my last job, I did some desktop support. When they term'd people, they would actually ask me to go to their workstations, and physically disconnect them from the LAN.

    Many times, they wouldn't even know yet. lol... talk about awkward. "I have to check something under your desk." *pulls cable and runs*, basically

    WOW!! You would think it would be easier to just turn off their ports remotely on the switch or maybe physically at the switch?
  • Paul Boz Member Posts: 2,620
    WOW!! You would think it would be easier to just turn off their ports remotely on the switch or maybe physically at the switch?

    Yes that is a poor security procedure at best.
  • sambuca69 Member Posts: 262
    Paul Boz wrote: »
    Yes that is a poor security procedure at best.

    I'll tell you why, and guarantee it will blow your minds, lol.

    The desktop manager was in charge of the term process here. Since all he had access to, and all he knew in his world, was based on the desktop, this was the approach here.

    So, he'd get the notice.. ask the Server guys to disable the account. Ask me to make my visit, while HR tries to trick them into their office.

    When they waited to leave their desk, or I got there too soon, is when we ran into each other, and I did my pull and run move.

    What can I say.
  • murdatapes Member Posts: 232
    Paul Boz wrote: »
    Oh I agree with you that it is indeed a stressful situation, but your job is your job and your friends are your friends. If your employer deems that person's services not necessary any more it's still your job to comply and put on a good face about it. If they truly are your friends they won't hold you doing your job against you. If they do, they're not really good friends. I've had friends snub me after they got let go because I refused to grind an axe against my employer because of it. They equate my friendship and continued employment as a betrayal. In fact, the guy that got me my job at my current employer quit to go somewhere else then called to talk **** about my current employer for several weeks after he left. I got tired of it and told him that he needed to chill out and not care so much about a place that he no longer worked. We no longer talk to each other beyond courtesy because he couldn't separate my employment from our friendship. That's his problem, not mine.

    You're right. I should have separated myself. Where was this when I was driving home that day :)
  • RobertKaucher A cornfield in Ohio Member Posts: 4,299
    pwjohnston wrote: »
    Not more than 30 min later I get a call on my personal cell from one of the employees. He’s complaining because his VPN doesn’t work and is kind of upset.

    WHAT do you say in that situation???

    Essentially they had me turn off access before they even told him. Now I understand there is a *possible* security risk here, but shouldn’t there be a clear process where the SysAdmin shouldn’t be involved?

    You need to have a sit-down with HR and your manager regarding what they expect you to say. Even directing them to talk to their manager or to talk to HR might be the wrong thing to say. I would get a clear expectation from your boss just in case this ever happens again.
  • Paul Boz Member Posts: 2,620
    You need to have a sit-down with HR and your manager regarding what they expect you to say. Even directing them to talk to their manager or to talk to HR might be the wrong thing to say. I would get a clear expectation from your boss just in case this ever happens again.

    Typically the best response is: "Oh I'm sorry to hear that. I'll open a support request and we'll look into that as soon as we can, sorry for the inconvenience!"

    Definitely clarify with your management a canned response for future use.
  • Lizano Member Posts: 230
    Isn't it mandatory to give the employee access to the PC one last time under supervision to retrieve any personal info he may have in that box? Of course at this point probably the email account should be disabled at least, and application logins as well, but I think depending on State Legislation, you may be forced to let him retrieve personal info.
  • mikedisd2 Member Posts: 1,096
    Lizano wrote: »
    Isn't it mandatory to give the employee access to the PC one last time under supervision to retrieve any personal info he may have in that box? Of course at this point probably the email account should be disabled at least, and application logins as well, but I think depending on State Legislation, you may be forced to let him retrieve personal info.

    I don't think there would be any company that caters for people's personal data. Officially speaking it shouldn't be on the company systems. They might even say that it is now company property (though I doubt it, still why trust em?).
  • veritas_libertas CISSP, GIAC x5, CompTIA x5 Greenville, SC USA Member Posts: 5,745
    mikedisd2 wrote: »
    I don't think there would be any company that caters for people's personal data. Officially speaking it shouldn't be on the company systems. They might even say that it is now company property (though I doubt it, still why trust em?).

    Agreed. I do have some personal data on my laptop. I try to remember to move it to my home PC once a week. After all, with the economy who knows what could happen?
  • mikedisd2 Member Posts: 1,096
    Paul Boz wrote: »
    Yes, it usually is. In any decent organization with a well-run IT department, you can't just call the help desk and say "Employee X is being fired right now, I need network access removed right away."

    This works quite well in a small org (<100) though. I would have a manager come to me and say we need X disabled immediately. Done.

    When senior staff were being retrenched, the GM called me into a meeting to advise account closures at 11AM.
  • Paul Boz Member Posts: 2,620
    Lizano wrote: »
    Isn't it mandatory to give the employee access to the PC one last time under supervision to retrieve any personal info he may have in that box? Of course at this point probably the email account should be disabled at least, and application logins as well, but I think depending on State Legislation, you may be forced to let him retrieve personal info.

    It's not mandatory to give the employee access to the hardware and it is actually a bad idea. Depending on the terms of the acceptable use policy you may or may not have to provide them with a COPY of the data once it has been sanitized for corporate data. The corporation has the right to look at what data is leaving the organization and deem whether it is safe to let go or not.

    That being said, if I wrote the IT Acceptable Use policy I would include a clause about forfeiture and/or deletion of personal data on company hardware. You can't be liable for providing someone with personal data upon termination if the mere existence of the data is against company policy. "This would have been deleted if we found it while you were employed, and now that we have found it, we are deleting it."