When it comes time to retrieve the keys to the kingdom from “that guy in IT”, there must be a careful assessment of the physical and logical systems that have been controlled by that person up to this moment in time. While it is expected of an IT professional to actually be professional when these actions occur, it’s easy to forget (or remember) just how many ways there are to access the systems that the company depends on to operate on a daily basis.
When the time comes, whether it's an agreeable departure or a forceful one, stay professional. Make a list of requirements for the team member that must be met before the departure can be considered final.
Require the team member to sign an agreement relinquishing the access controls that were previously owned or shared by that person. Of course, this does not prevent the person from accessing those systems once they leave the office, but it is a written agreement that is legally enforceable if any type of access is discovered.
Require the team member to also release their individual password(s) for any team password management software that is used to store credentials for company-operated systems. If the team member is actually using the password manager properly, they shouldn't be storing personal information such as banking, insurance or shopping.
Communicate with the vendors and customers that the team member has been working with to notify them that they are no longer with the company. In the rare event that the team member tries to reach out without the customer or vendor knowing that they have been released from the company, the customer or vendor will know how to respond.
Throughout all of this, stay professional! If it's a bad breakup, the aim here is to give the IT professional an example of how to act in these situations. You want to get the user off of the system as quickly and cleanly as possible. IT pros are a dime a dozen; hopefully this will help them realize they can't keep working the way they used to.
If your IT team has done their job correctly, then you should already have an accurate list of the systems they have access to. Run a report to gather their assigned inventory from your company asset tracking system. Hopefully you have access to the same team password manager sites used to store credentials for internal and external hosted systems. If you don't have access already, you should get it immediately.
Grant full access to the user's Exchange mailbox to an assigned administrator or the team manager.
Set the user's Exchange mailbox presence to out-of-office and fill out the auto-reply message stating that the team member is no longer with the company, who to contact from now on and when the mailbox will be removed from the system (3-6 months).
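The two Exchange steps above can be scripted so they are applied consistently and leave a record. The following is an added example, not part of the original article; it assumes an already connected Exchange Management Shell or Exchange Online PowerShell session, and the function name and all identities are hypothetical placeholders.

```powershell
# Added example: assumes a connected Exchange Management Shell / Exchange Online session.
# The function name and every identity passed in are placeholders.
function Set-DepartedUserMailbox {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Mailbox,      # departed user's mailbox identity
        [Parameter(Mandatory)] [string] $DisplayName,  # name shown in the auto-reply
        [Parameter(Mandatory)] [string] $Delegate,     # assigned administrator or team manager
        [Parameter(Mandatory)] [string] $NewContact,   # who correspondents should contact now
        [ValidateRange(3, 6)] [int] $RetentionMonths = 3  # the 3-6 month window from the text
    )

    # Record who already holds explicit rights on the mailbox before changing anything.
    $existing = Get-MailboxPermission -Identity $Mailbox |
        Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' }

    $removal = (Get-Date).AddMonths($RetentionMonths).ToString('MMMM d, yyyy')
    $reply = "<p>$DisplayName is no longer with the company. " +
             "Please contact $NewContact from now on. " +
             "This mailbox will be removed on $removal.</p>"

    if ($PSCmdlet.ShouldProcess($Mailbox, "Grant FullAccess to $Delegate")) {
        Add-MailboxPermission -Identity $Mailbox -User $Delegate `
            -AccessRights FullAccess -InheritanceType All | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($Mailbox, 'Enable out-of-office auto-reply')) {
        Set-MailboxAutoReplyConfiguration -Identity $Mailbox -AutoReplyState Enabled `
            -InternalMessage $reply -ExternalMessage $reply -ExternalAudience All
    }

    # Return the resulting state so it can be attached to the offboarding record.
    [pscustomobject]@{
        Mailbox             = $Mailbox
        PriorExplicitRights = $existing | Select-Object User, AccessRights
        AutoReply           = Get-MailboxAutoReplyConfiguration -Identity $Mailbox |
                                  Select-Object AutoReplyState, ExternalAudience
    }
}

# Dry run first with placeholder identities; drop -WhatIf to apply.
Set-DepartedUserMailbox -Mailbox 'departed.user@example.com' -DisplayName 'Departed User' `
    -Delegate 'team.manager@example.com' -NewContact 'helpdesk@example.com' -WhatIf
```

The `PriorExplicitRights` field is worth reviewing: any delegate listed there that nobody can account for should be removed as part of the same offboarding.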
Physical Access Control
- Key Card(s) for Door Access
- Door and/or Storage Unit Keys
- Door Access Control Systems
- Building Alarm Code
- Building Alarm Code Remote Access (website and/or smartphone app)
- Security Camera Access
- Firewall Appliances (if in use at home)
- Physical VoIP Phone (if in use at home)
- Smartphones (Remove the Exchange email profile, any team password management apps)
Logical Access Control
- Active Directory
- Primary domain administrator account
- The user's domain administrator account(s)
- Firewall Appliances (especially if management is accessible from the public internet)
- Team Password Managers (1Password, TeamPassword)
- SSL VPN client access
- Remote Access (LogMeIn, ScreenConnect, Bomgar)
- External hosted services (web applications, antivirus, software licensing, telecom, email)
- Passwords for all users
- Domain Registrars
- Reseller or Retail websites (Amazon, TechData, Ingram Micro)
Group Announcement, Change User Passwords
Send an announcement to all active users of the company that the IT team member is no longer an employee. In the announcement, you should require that all users change their passwords, since it's very likely they have remembered several of your users' passwords, and it's likely an executive or two. Executives are known to rarely ever change their passwords, and to use the same password for multiple systems. If you're one of them, change your password on those other systems!