informa

Cybersecurity In-Depth

6 MIN READ
The Edge

CISO Checklist for Offboarding Security Staff

The Great Resignation strikes cybersecurity teams, too. Here's a checklist for CISOs to ensure security is retained even when security staff is not.

The Great Resignation hits every company hard, but it can be terrifying when your security pros leave in droves. There are more than the obvious risks at stake, and CISOs must manage them all. A checklist can help ensure mistakes aren't made and regrets aren't expensive.

"As companies deal with increased rates of employee turnover, they must also consider the fact that highly skilled ex-employees are leaving with key institutional knowledge and confidential information," warns Todd Moore, global head of encryption products at Thales, a France-based multinational provider of electrical systems and services for the aerospace, defense, transportation, and security markets. "This potentially increases the risk of data breaches and other cyber incidents, which is further amplified when data organization and protection is overseen by human managers."

Leave nothing to chance or oversight by working with a checklist instead.

"CISOs should already be monitoring and updating the access rights of all employees and manage administrator access periodically and have a list of tasks and procedures in place when employees leave," says Ahmad Zoua, senior project manager at Guidepost Solutions, a global security, compliance, and investigations consulting firm.

This article assumes that you have already taken the routine measures. If you haven't, fix the basics first. We'll focus only on the extra steps necessary to offboarding security staff, based on the advice of many CISOs and other security professionals.

Time the Parting Well
Some will be "ushered out immediately, others less so," but CSOs/CISOs must have "a protocol in place in conjunction with the sensitivity, systems access, and knowledge, etc., of the position," says Timothy Williams, vice chairman of the global security firm Pinkerton.

In all cases, it's "important to treat the departing employee with dignity [and] try to ensure the departing is viewed by the rest of the department as handled professionally and properly, again in alignment with the sensitivity of the departing employee's position," he adds.

Prepare for the Great Boomerang
Do everything you can to keep the last goodbye a good investment. Ensure you don't have adversarial offboards with your security staff and that anyone who leaves wouldn't hesitate to return one day.

"I think the Great Resignation will include some 'Great Boomerang,'" says James Arlen, CISO at Aiven, a provider of managed open source data technologies for the cloud. "But more importantly, fight hard to maintain the talent you have and be the kind of boss you wish you had earlier in your career. Make sure your staff know that you appreciate their contributions to your joint success."

Enlist Help from Your Security Team
If you've handled the news of an exiting staff member with grace and dignity so that there are no ill feelings and no motivation to do harm, "your existing staff will work just as hard as you to make sure you've covered all the bases here because now this isn't actually a security problem – it's a compliance problem," says Arlen.

Do the Insider Threat Checks
Your insider risk team should conduct a six-month look-back analysis on the employee's activity, "looking for suspicious behaviors or mishandling of protected company data," says Ken Deitz, vice president and chief security officer/CISO at Secureworks. The insider risk team should also review the look-back analysis with the employee's manager to ensure nothing is overlooked from a business perspective.

"No one will know what normal looks like for the employee better than the local leader," says Deitz. Use that knowledge to check every nook and cranny for any evidence of a likely threat.

Do a Last-Day Audit
The insider risk team should do a brief last-day audit to "ensure that all access has been properly terminated and that all assets have been returned," according to Deitz.

Check the Silos
"Legacy access technologies, especially siloed solutions like VPNs, provide way too much access and are too often disconnected from HR or offboarding processes," says Jason Garbis, chief product officer at Appgate. Don't forget to check those communication apps like Microsoft Teams and Zoom, too.

Notify Other Affected Parties
"Notify your organization's help desk, security team, and the systems and facilities team that the employee is no longer with the company," says Greg Crowley, CISO at eSentire, a managed detection and response company. "Also, notify key third-party vendors, including third-party managed services, that the employee is no longer an authorized contact for the account."

He advises following those notifications with "an audit of the past 90 days of account activity for suspicious behavior or indicators of backdoor account creation."

Kill the BYOD Network Permissions and Wipe Devices
Enough said!

Disable/Deny Physical Access Permissions
This means collect any physical access tokens, badges, physical keys, apps, USB sticks, any backups, external drives, and any PINs and biometrics, and perform a forensic backup of drives on the employee's working systems and external drives, advises Adam Perella, manager at Schellman, a global independent security and privacy compliance assessor.

Transfer Data Ownership
Unstructured data has been a unique challenge for enterprises to control, "especially in the shift to work from home, where employees may be storing files in different and unexpected places," says Grady Summers, EVP of product at SailPoint. Exiting employees should be tasked with locating all manner of unstructured data and transferring ownership to remaining employees.

"I think the shift to SaaS-based document storage has helped here. Most services allow access to easily be reassigned to a manager upon termination," Summers adds.

Check All Codes
"Ensure that no scripts or custom code dependencies rely on the exiting employee's existing account. Services should be running under approved service accounts," says Brian Wilson, CISO at SAS. That includes checking other codes, credentials, and certificates, too.

Also, be sure to secure cloud root credentials, source code repository credentials, domain registry certificates, and "any other accounts or systems that are not tied into Secured Sign On [SSO] that may have individual account username and passwords to administer," says Bryan Harper, manager at Schellman.

Shut the Backdoor
"Make sure no back doors or Trojan horses are left behind in production systems and software," says Brian Wrozek, chief information security officer and vice president at Optiv. "Conduct an assessment [threat hunt] if there are any suspicions or concerns. Pay close attention to perimeter access points, as security personnel often know about vulnerabilities from prior security reports."

Secure Security Systems
That sounds like a given, but "the discovery of SIEMs, EDR, firewalls, etc., particularly if the person belongs to multiple groups and next groups, is often a challenge," says Raj Dodhiawala, president of zero-trust privilege security provider Remediant.

Find and Save Configurations
Security tools have configured data like SIEM or firewall rules, as well as related controls designed to make organizations resilient to cyberattacks. CISOs should ensure that these are known, preserved, and kept consistent with policies and controls. "If they are not, they should start to implement methods to save and/or version-control configurations," says Dodhiawala.

Check Incident and Log Data
"You'll be amazed how much is in event logs, device logs, and application logs," says Dodhiawala. "Besides cutting access to this data, the data itself needs to be protected."

Look Again
After all that, assume there are black holes in your processes. When you think you've covered everything, look again with the assumption that you have missed something.

"In theory, as a CISO or security executive, you've done your documentation well and have some sort of an access management tracking system for all of those things which are not part of your nominal SSO realm," says Arlen. "But let's face it: You probably don't have that, and now you need to find everywhere you may have left some kind of access behind."