Understanding Network Access Controls

January 20, 2023

How IT Hiring and Firing Policies Could Expose Your Business to Risk

It was Pauline’s first day at “HiTech Software, Inc.,” where she would be a newly hired software engineer. She was happy to be introduced to her new cubicle and new colleagues, but disappointed when she discovered that the computer equipment and applications she would be using were delayed because IT hadn’t finished the appropriate configuration and credentials. She would need to work initially from her own computer.

Unfortunately, the lack of synchronized policies and procedures between HR and IT for effective onboarding of new hires not only frustrates eager new employees, but also adds unnecessary costs and risks to company projects.

Sensitivity and Timing

Consider another scenario. As Joe P sat in his cubicle typing away on his company computer at “Acme Electronics,” he received a phone call from his manager, who said the company was letting him go. He was told to gather his personal belongings and that a security representative would stop by his cubicle to walk him to the door. As his manager hung up, Joe’s initial feeling of being stunned changed to anger, then rage. Within the next 10 minutes before the security guard arrived, he rampaged through the software files he had been working on for the past few weeks, corrupting everything of value.

Unfortunately, the company had not set up HR and IT policies and procedures that would immediately remove active access roles and credentials for applications and data stores before employees are fired or leave the company. Even with backups, it would take some time for IT and his colleagues to piece together the project damage he had done.

Access Control is No Simple Matter

Hiring and firing employees are not easy tasks for businesses these days. Networks, data storage and retrieval have significantly evolved since pre-COVID days. Back then, these resources were almost exclusively on-premise and under lock and key by IT departments. It was much easier to give a new hire access credentials, modify those credentials for an employee with a new role, or remove all access when they left the company or were fired.

These days, IT must offer more flexible access to applications and data spread across different clouds. Employees need to be able to work from anywhere. Unfortunately, this increase in flexible access has significantly complicated access control management for your IT professionals. Their policies must reduce risks to the company while keeping up to date with the increasingly complex steps required to add access for new hires, change access as employee roles change, and remove access when employees leave the company, whether fired or resigned.

Let’s face it, access control management has become complicated. An approved process needs to be followed and reviewed for adjustment regularly. Mistakes will cause new hires to have a negative experience and expose company and personnel data to loss and theft, as well as compliance penalties.

Ask yourself these pertinent questions:

  1. What do “hiring” and “firing” really mean for your manual and automated IT processes and procedures?
  2. What happens when steps in your policy procedures are missing or not followed by your HR and IT staffs?
  3. Can you afford delays in employees having the right access for the work they do?
  4. Can you afford to have employees who are in the process of being fired or leaving the company still having access to critical data and resources, including servers, laptops, applications, emails, and data repositories?

As noted by itglue.com, “IT policies and procedures establish guidelines for the use of information technology within an organization. In other words, it outlines what everyone is expected to do while using company assets. With the help of strong policies and procedures, you can incorporate actions that are consistent, effective and efficient. In addition to helping you combat security threats by creating proper awareness, documented policies and procedures can also define how you incorporate and manage technology in your corporate environment.”

Implementing the Right Access for Your Teams

The best way to limit risk to your business when hiring, changing, or firing personnel is to ensure your IT policies are set up properly for your business. To accomplish this, we recommend you follow CIS Control 6.1 & 6.2, which recommend, “Securely dispose of data as outlined in the enterprise’s data management process. Ensure the disposal process and method are commensurate with the data sensitivity. Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.”

Your business will be safer and more secure, as well as more productive by following CIS industry recommendations. The readthedocs.org organization notes that the CIS Control 6 focuses on “managing who has access to IT accounts, ensuring users only have access to the data or enterprise assets appropriate for their role, and ensuring that there is strong authentication for critical or sensitive enterprise data or functions. Accounts should only have the minimal authorization needed for the role. Developing consistent access rights for each role and assigning roles to users is a best practice. Developing a program for complete provision and de-provisioning access is also important. Centralizing this function is ideal.”
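The automated revocation process and the role-based provisioning and de-provisioning described above can be sketched as a reconciliation between the HR roster and the account inventory. This is an added example, not part of the original article; the roster, role map, account records, and function names are all constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample data: HR roster, role map and account inventory (all hypothetical).
HR_ROSTER = {
    "pauline": {"status": "active", "role": "engineer"},
    "joe": {"status": "terminated", "role": "engineer"},
    "maria": {"status": "active", "role": "support"},
}
ROLE_ENTITLEMENTS = {
    "engineer": {"vpn", "source-repo", "email"},
    "support": {"email", "ticketing"},
}
ACCOUNTS = [
    {"user": "pauline", "enabled": True, "entitlements": {"email"}},
    {"user": "joe", "enabled": True, "entitlements": {"vpn", "source-repo", "email"}},
    {"user": "maria", "enabled": True, "entitlements": {"email", "ticketing", "source-repo"}},
    {"user": "svc-old", "enabled": True, "entitlements": {"vpn"}},
]

def reconcile(roster, accounts, role_map):
    """Compare accounts with the HR roster and return the actions needed."""
    actions = []
    for acct in accounts:
        person = roster.get(acct["user"])
        if person is None:
            # No HR owner: flag for a human instead of guessing.
            actions.append(("review", acct["user"], "no HR record"))
        elif person["status"] != "active":
            if acct["enabled"]:
                actions.append(("disable", acct["user"], person["status"]))
        else:
            allowed = role_map[person["role"]]
            actions += [("revoke", acct["user"], e) for e in sorted(acct["entitlements"] - allowed)]
            actions += [("grant", acct["user"], e) for e in sorted(allowed - acct["entitlements"])]
    return actions

def apply_actions(accounts, actions):
    """Apply the actions in place; disable, never delete, so the audit trail survives."""
    by_user = {a["user"]: a for a in accounts}
    stamp = datetime.now(timezone.utc).isoformat()
    log = []
    for kind, user, detail in actions:
        acct = by_user[user]
        if kind == "disable":
            acct["enabled"] = False
        elif kind == "revoke":
            acct["entitlements"].discard(detail)
        elif kind == "grant":
            acct["entitlements"].add(detail)
        log.append({"time": stamp, "action": kind, "user": user, "detail": detail})
    return log
```

Running the reconciliation on a schedule, or triggering it from the HR system's status change, closes both gaps in the scenarios above: the new hire's missing entitlements show up as grants, and the terminated employee's account is disabled without losing its record.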

Since 1987, CCI Managed Services has been providing local network management expertise. Our experts can inspect, test, and fine tune this process as part of a network security assessment. This is just one of dozens of practical steps we will take to help your organization know and improve your cybersecurity and digital access controls report card.

For further information about how we can help you define and implement your IT policies for your entire business, contact us online or give us a call today at (603) 542-5109.
