Systematic Removal of Accesses: Pull the Key from the Lock
By Gideon T. Rasmussen, CISSP, CISA, CISM, SCSA

Systematic removal of accesses refers to revoking physical and logical accesses when a person leaves an organization or their role changes. In the absence of a formal process, lingering privileges can be used to access systems, applications and office space. Potential damage includes theft of funds, equipment or intellectual property, disclosure of confidential information, and/or damage to property or personnel. In practice it can be difficult to completely rescind a person's accesses. Start by inventorying systems, applications and assets and incorporate the respective administrators into access control procedures.

Initial Termination Practices
Human Resources (HR) should initiate outprocessing by sending an e-mail to a termination distribution list. Upon notification from HR, Information Technology (IT) and building security should configure accounts and ID access badges to automatically expire the day of termination. Members of the termination list typically include system and application administrators, the help desk, information security, building security and departmental contacts.

Departments and Teams
Out-processing does not end with HR, IT and building security. Each department and team must track and appropriately rescind accesses as required. Examples include e-mail distribution lists, network or Exchange public folders, and group memberships. Keep an inventory of file cabinet and storage room keys to control access. If a department administers its own applications, ensure their administrators are included in termination notification. This is especially true for financial applications. Each department is also responsible for rescinding accounts and point of contact status with external organizations.

Special Considerations for Temporary and Contract Personnel
Temporary and contract personnel should have their accesses issued to expire at the conclusion of their contract. Send notification two weeks in advance of disabling accounts. This will give supervisors a chance to extend access in the event an engagement has been extended.

Final Out-Processing
A process must exist to ensure personnel are completely out-processed on their final day. HR should conduct exit interviews and collect company equipment and building access cards. The finance department is responsible for providing a final paycheck and removing employees from payroll. IT accesses must also be completely rescinded as a matter of process (e.g. network, email, remote access and voicemail). HR should confirm that access has been rescinded with recipients of the distribution list. Confirmation should be in the form of a signature, e-mail or an entry in an application. Without formal confirmation, the process is likely to break down. Retain completed checklists and confirmation artifacts for audit purposes.

Change in Role
When a person is promoted or transfers to another team, a process should be initiated to consider their current privileges. Rescind accesses that are not required in the performance of the duties of the new position.

Terminations or Disgruntled Personnel
In the event of a termination or disgruntled employee, information security personnel should be engaged early on to ensure timely and comprehensive systematic removal of accesses. There are many options to be taken into consideration. For example, a person's accesses can be rescinded immediately, after they leave for the day or while the person is in a surprise out-processing meeting. The involvement of information security in advance also gives them the chance to conduct an inventory of the person's privileges to ensure they are completely rescinded.

Self-Assessment Audits
Each function needs to self-audit to ensure their process is actually working. This is where many organizations fall down. Physical and logical accesses must be documented (e.g. through a form, a ticket, an e-mail or a database). Once per quarter, HR should send a list of current personnel, asking recipients to compare the list to active accounts and privileges. Anyone not on the list should have their access rescinded. HR should follow up with each area to confirm compliance and record the results.

Systematic removal of accesses and self-audits should be automated as much as possible. Expire accounts after a period of inactivity. Where possible, use Active Directory, LDAP and/or single sign-on software to authenticate applications. In this manner, when a network account is disabled, application privileges will be rescinded automatically. Medium-sized organizations may have the resources to build an entitlements database to track accesses with notification of terminations and quarterly self-audit notification built-in. Large organizations should consider further automation (e.g. integration of HR and finance systems, with automated revocation of accounts across platforms or automated ticket creation requesting access to be rescinded).

Information Security
The information security team should oversee the organization's access control processes to ensure accesses are appropriately rescinded and self-audits are conducted. The INFOSEC team is also responsible for incorporating systematic removal of accesses into the awareness program. Employees should be encouraged to take active involvement in out-processing and contact security if they notice a former employee still has access.

The very nature of out-processing has an awareness component that strengthens the security program. Maintaining tight access control throughout the organization helps establish a culture of security and prevent fraud, waste and abuse. Systematic removal of accesses is a process that is well worth the effort.


Gideon T. Rasmussen is a Charlotte-based information security professional with a background in Fortune 50 and military organizations. His website is

Copyright © 2006 ISSA Jornal
Reprinted with Permission