Review or terminate accounts and access rights upon personnel job change and termination.

UCF ID: 00788
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

    Establish and maintain IT staff security clearances in accordance with duties and responsibilities. [UCF Control ID 00780]

This control has the following supporting controls:

    Deny access to restricted data or information immediately upon termination. [UCF Control ID 01309]

Authority documents complied with:

AICPA Suitable Trust Services Principles and Criteria, ¶ .24 § 3.5.c; FFIEC IT Examination Handbook – E-Banking, August 2003, Pg 30; FFIEC IT Examination Handbook – Information Security, Pg 24, Pg 49, Exam Tier I Obj 4.1, Exam Tier II Obj A.5 (Access Rights Administration); FFIEC IT Examination Handbook – Management, Pg 27; FFIEC IT Examination Handbook – Operations, July 2004, Pg 34, Exam Tier I Obj 5.3; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Exam Tier II Obj 8.2, Exam Tier II Obj 9.2; Protection of Assets Manual, ASIS International, Pg 12-IV-4, Pg 12-IV-20; C-TPAT Supply Chain Security Best Practices Catalog, Pg 46; Customs-Trade Partnership Against Terrorism (C-TPAT) Importer Security Criteria, Personnel Termination Procedures; NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 3-108, § 5-313, § 8-303.f; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; Federal Information System Controls Audit Manual (FISCAM), February 2009, AC-2.1; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 5.6.11, Exhibit 4 PS-4, Exhibit 4 PS-5; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.5.2.4, § 3.5.2.5; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, App F § PS-4, App F § PS-5; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, PS-4, PS-5, PS-5.2; CobiT, Version 4.1, PO7.8; The Standard of Good Practice for Information Security, SM1.3.4, UE1.1.10; ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 8.3.1, § 8.3.3; ISO/IEC 27001 Information Security Management Systems - Requirements, 2005, Annex A.8.3.1, Annex A.8.3.3; ISO/IEC 27002 Code of practice for information security management, 2005, § 8.3.1, § 8.3.3; ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008, § 6.3.4, § 7.5.4

Banking and Finance Guidance

User access rights should be modified as necessary when an employee changes job positions. Access rights should be removed immediately when an employee is terminated. [Pg 30, FFIEC IT Examination Handbook – E-Banking, August 2003]

If an employee is terminated, his/her access rights should be removed immediately. For a change in job status, the access rights should be reviewed and modified if necessary. [Pg 24, Pg 49, Exam Tier I Obj 4.1, Exam Tier II Obj A.5 (Access Rights Administration), FFIEC IT Examination Handbook – Information Security]

The organization should delete or modify access rights when an employee is terminated or changes positions. [Pg 27, FFIEC IT Examination Handbook – Management]

The organization should have procedures for immediately changing and/or revoking all physical and logical access controls when an employee is terminated for any reason. [Pg 34, Exam Tier I Obj 5.3, FFIEC IT Examination Handbook – Operations, July 2004]

[Exam Tier II Obj 8.2, Exam Tier II Obj 9.2, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]

US Federal Security Guidance

Levels of access to systems are assigned by job category and established by the lead office. Access levels should be reviewed when there is a job change, or periodically. [Pg 46, C-TPAT Supply Chain Security Best Practices Catalog]

Procedures must be in place to ensure terminated employees have their identification cards, facility access, and system access removed immediately upon termination. [Personnel Termination Procedures, Customs-Trade Partnership Against Terrorism (C-TPAT) Importer Security Criteria]

The organization must debrief cleared employees when they are terminated; when their personnel clearance is terminated, revoked, or suspended; and when the facility clearance is terminated. UserIDs and authenticators must be disabled or deleted when the employee is terminated, loses access to the system, or no longer has a reason to access the system. [§ 3-108, § 5-313, § 8-303.f, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]

Personnel Security (PS): Organizations must: (i) ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with organizational security policies and procedures. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]

Addresses the need for revoking the access rights of employees who have left the organization and its applicability to financial statement audits. [AC-2.1, Federal Information System Controls Audit Manual (FISCAM), February 2009]

US Internal Revenue Guidance

When an employee is terminated, the organization must conduct an exit interview, remove all system access, and ensure the individual returns all property belonging to the organization. When an individual is transferred or reassigned, the organization must review the access rights of the individual and make any appropriate changes. [§ 5.6.11, Exhibit 4 PS-4, Exhibit 4 PS-5, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]

NIST Guidance

Provisions are stipulated for both friendly and unfriendly termination. Friendly termination requires removal of access privileges, accounts and tokens; a confidentiality briefing; return of property; and making any cryptographic keys held by the individual available to management. For unfriendly termination, account and access privileges should be revoked as soon as possible: before the individual is notified of dismissal, or immediately upon resignation. [§ 3.5.2.4, § 3.5.2.5, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]

App F § PS-4 The organization must develop policies and procedures that, upon termination of individual employment, terminate information system access; conduct exit interviews; retrieve all security-related organizational information system-related property; and retain access to organizational information and information systems formerly controlled by the terminated individual.
App F § PS-5 The organization must develop policies and procedures to review logical and physical access authorizations to information systems/facilities when personnel are reassigned or transferred to other positions within the organization.
[App F § PS-4, App F § PS-5, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]

Organizational records and documents should be examined to ensure the accounts of terminated users are revoked immediately; terminated users return all organization property; exit interviews are conducted with terminated individuals; documents and records created by terminated personnel remain the property of the organization; access authorizations are reviewed and modified, if necessary, when personnel are transferred within the organization; and specific responsibilities and actions are defined for the implementation of the personnel termination control and the personnel transfer control. Any problems discovered during the implementation of the personnel termination control and/or the personnel transfer control should be documented and used to improve the controls.
Test the transfer procedures by comparing the access levels transferred employees currently hold against the access levels appropriate to their new positions, to ensure that when personnel are transferred, their system access is reviewed and modified as necessary.
Interviews should be conducted with personnel who perform the exit interviews; personnel who manage the termination of employees; personnel who change access controls; and personnel who manage the transfer of individuals within the organization.
[PS-4, PS-5, PS-5.2, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

ISO Guidance

Termination responsibilities should be clearly defined. If the employee's, contractor's, or third party's responsibilities could continue for a period of time after termination, it should be stated in their contracts. The access rights of terminated personnel should be removed. If the departing person has access to passwords for accounts that will remain active, those passwords should be changed. [§ 8.3.1, § 8.3.3, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]

Procedures to take when an employee is terminated or changes job positions should be in place. [Annex A.8.3.1, Annex A.8.3.3, ISO/IEC 27001 Information Security Management Systems - Requirements, 2005]

Termination responsibilities should be clearly defined. If the employee's, contractor's, or third party's responsibilities could continue for a period of time after termination, it should be stated in their contracts. The access rights of terminated personnel should be removed. If the departing person has access to passwords for accounts that will remain active, those passwords should be changed. [§ 8.3.1, § 8.3.3, ISO/IEC 27002 Code of practice for information security management, 2005]

Formal procedures should be developed for staff who join or leave the service provider or the outsourced service provider. The procedures should cover determining the level of authorized access and issuing physical access control badges for new staff, and, for staff resignations, immediately notifying security staff, revoking access authorizations, and retrieving physical access control badges. [§ 6.3.4, § 7.5.4, ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008]

General Guidance

The organization should remove user accounts immediately after users are terminated. [¶ .24 § 3.5.c, AICPA Suitable Trust Services Principles and Criteria]

The organization should have an automatic link between the personnel department and access control personnel, so that access control personnel receive notice whenever an individual's job status changes and can immediately delete the applicable userIDs and passwords. [Pg 12-IV-4, Pg 12-IV-20, Protection of Assets Manual, ASIS International]

The organization should take expedient actions regarding job changes, especially job terminations. Knowledge transfer needs to be arranged, responsibilities reassigned and access rights removed such that risks are minimized and continuity of the function is guaranteed. [PO7.8, CobiT, Version 4.1]

When employees leave the organization or no longer require access to the system, their access privileges should be revoked immediately. [SM1.3.4, UE1.1.10, The Standard of Good Practice for Information Security]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of individuals whose access privileges have been reviewed. [UCF Control ID 01690]
    Report on the percentage of computer user accounts closed that had been assigned to personnel who have left the organization or who no longer have a need for access. [UCF Control ID 02090]
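The automatic HR-to-access-control link in the ASIS guidance, the transfer test in SP 800-53A PS-5, the ISO/IEC 27002 point about changing passwords a leaver knew, and the two metrics above all reduce to one reconciliation job: take the personnel feed and the account/entitlement export and look for leavers with live access, movers who kept access from their old job, and shared accounts whose password a leaver still holds. The script below is an added example written for this page, not code from UCF or from any of the cited authority documents. The roster, account export, role-to-entitlement model and shared-account custodian list are constructed sample inputs, and every field name is an assumption about what a real HR feed and IAM export would carry.

```python
"""Leaver/mover reconciliation of an HR feed against an account export (example, not UCF code)."""
from datetime import date

# Constructed sample HR feed: one record per employee, "effective" = date of the personnel action.
HR_ROSTER = [
    {"emp_id": "E100", "status": "active",      "role": "teller",       "effective": date(2009, 1, 5)},
    {"emp_id": "E101", "status": "terminated",  "role": "loan_officer", "effective": date(2009, 3, 2)},
    {"emp_id": "E102", "status": "transferred", "role": "auditor",      "effective": date(2009, 2, 16),
     "prior_role": "teller"},
    {"emp_id": "E103", "status": "terminated",  "role": "dba",          "effective": date(2009, 3, 10)},
]

# Constructed sample access-control export: accounts and the entitlements currently granted.
ACCOUNTS = [
    {"user": "e100", "emp_id": "E100", "enabled": True,  "entitlements": {"teller_app"}},
    {"user": "e101", "emp_id": "E101", "enabled": True,  "entitlements": {"loan_system", "vpn"}},
    {"user": "e102", "emp_id": "E102", "enabled": True,  "entitlements": {"teller_app", "audit_reports"}},
    {"user": "e103", "emp_id": "E103", "enabled": False, "entitlements": set()},
]

# Assumed role model: the entitlements each job position is supposed to carry.
ROLE_ENTITLEMENTS = {
    "teller": {"teller_app"},
    "loan_officer": {"loan_system", "vpn"},
    "auditor": {"audit_reports"},
    "dba": {"db_admin", "vpn"},
}

# Assumed list of shared accounts that stay active, and the employees who know their passwords.
SHARED_ACCOUNT_CUSTODIANS = {
    "svc_backup": {"E100", "E103"},
    "svc_reports": {"E100"},
}

AS_OF = date(2009, 3, 15)  # date the reconciliation is run


def _roster_index(roster):
    return {rec["emp_id"]: rec for rec in roster}


def _leaver_ids(roster, as_of):
    """Employees whose termination took effect on or before as_of."""
    return {rec["emp_id"] for rec in roster
            if rec["status"] == "terminated" and rec["effective"] <= as_of}


def orphaned_accounts(roster, accounts, as_of):
    """Leavers' accounts that are still enabled or still hold entitlements (the 'remove immediately' check)."""
    idx, leavers, findings = _roster_index(roster), _leaver_ids(roster, as_of), []
    for acct in accounts:
        if acct["emp_id"] in leavers and (acct["enabled"] or acct["entitlements"]):
            findings.append({
                "user": acct["user"],
                "emp_id": acct["emp_id"],
                "days_since_termination": (as_of - idx[acct["emp_id"]]["effective"]).days,
                "residual_entitlements": sorted(acct["entitlements"]),
            })
    return findings


def stale_transfer_entitlements(roster, accounts, role_entitlements):
    """Transferred employees still holding entitlements outside their new role (the PS-5 transfer test)."""
    idx, findings = _roster_index(roster), []
    for acct in accounts:
        rec = idx.get(acct["emp_id"])
        if rec is None or rec["status"] != "transferred":
            continue
        excess = acct["entitlements"] - role_entitlements[rec["role"]]
        if excess:
            findings.append({"user": acct["user"], "from": rec.get("prior_role"),
                             "to": rec["role"], "excess": sorted(excess)})
    return findings


def shared_accounts_needing_rotation(roster, custodians, as_of):
    """Shared accounts that remain active but whose password is known to a leaver (change it)."""
    leavers = _leaver_ids(roster, as_of)
    return sorted(name for name, people in custodians.items() if people & leavers)


def leaver_closure_rate(roster, accounts, as_of):
    """Metric: share of leavers' accounts that are fully closed (disabled and no entitlements)."""
    leavers = _leaver_ids(roster, as_of)
    leaver_accts = [a for a in accounts if a["emp_id"] in leavers]
    if not leaver_accts:
        return 1.0
    closed = sum(1 for a in leaver_accts if not a["enabled"] and not a["entitlements"])
    return closed / len(leaver_accts)


if __name__ == "__main__":
    print("orphaned accounts:", orphaned_accounts(HR_ROSTER, ACCOUNTS, AS_OF))
    print("stale transfer access:", stale_transfer_entitlements(HR_ROSTER, ACCOUNTS, ROLE_ENTITLEMENTS))
    print("shared accounts to rotate:", shared_accounts_needing_rotation(HR_ROSTER, SHARED_ACCOUNT_CUSTODIANS, AS_OF))
    print("leaver closure rate:", leaver_closure_rate(HR_ROSTER, ACCOUNTS, AS_OF))
```

On the sample data the run flags e101 (terminated 13 days ago, still enabled with loan_system and vpn), e102 (moved from teller to auditor but still holds teller_app), svc_backup (its password is known to the leaver E103), and a 50% closure rate, since only e103 was closed. Running this against the real HR feed on a schedule is the concrete form of the "automatic link" the ASIS guidance asks for; the days_since_termination field is what turns "immediately" into something an examiner can measure.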

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.