search menu icon-carat-right cmu-wordmark

Common Sense Guide to Mitigating Insider Threats - Best Practice 14 (of 19)

CERT Insider Threat Center
• Insider Threat Blog
CERT Insider Threat Center

Hello, this is Eleni Tsamitis, Insider Threat Administrator for the CERT Program, with the fourteenth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats.

The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across the enterprise to mitigate (prevent, detect, and respond to) insider threats, as well as case studies of organizations that failed to do so. The fourteenth of the 19 best practices follows.

Practice 14: Develop a comprehensive employee termination procedure.

Organizations need to have procedures in place to reduce possible insider threat risk when an employee departs from the organization. These procedures are protective measures that must encompass all aspects of the termination process. A good way to guarantee that these measures protect the organization is to make sure that there is a termination checklist. Employee accounts are closed; access is terminated; equipment is collected; and remaining employees are notified.

To revoke all organizational access to departing employees, cooperation from many departments may be required. Managers must ensure an exit interview is completed, provide final performance feedback, and determine payment disbursement for the final weeks of employment. The Finance department must ensure employees return company credit cards and close accounts. IT must terminate all accounts and points of access to the former employee's computer, such as email, VPN, and cloud services. All equipment belonging to the organization must also be collected and verified against inventory records. Cooperation from HR and Security departments provides the necessary paperwork for termination, reviews agreements about intellectual property and nondisclosure of information, conducts a security debriefing, and collects all issued access badges and keys from the former employee.

The CERT Insider Threat Database includes several cases that involved damage caused by former employees that were terminated but retained their company's physical property, including but not limited to badges, laptops, access cards, and mobile devices. This property allowed the former employee continued access to information and thus the ability to wreak havoc on company servers. A physical inventory system that tracks all equipment issued to employees is an indispensable mechanism that can be used to track the distribution of and assist in the recovery of company-owned property.

Organizations should also conduct a review of the departing employee's online actions during the final 30 days of employment. The review should include (1) reviewing email activity to ensure confidential information wasn't passed outside the organization and (2) reviewing system logs to determine if any of the organization's information was downloaded to removable media. If a former employee used cloud-based storage, the organization should also ensure that sensitive company information is not stored on an external server.

If remaining employees are unaware of recent terminations, they may unintentionally disclose information to former coworkers. Thus, the organization should notify all remaining employees that the terminated employee is no longer with the company. No further information needs to be disclosed.

Refer to the complete fourth edition of the Common Sense Guide to Mitigating Insider Threats for a comprehensive understanding of the issues and recommendations mentioned.

Check back in a few days to read about best practice 15, Implement secure backup and recovery processes, or subscribe to a feed of CERT Program blogs to be alerted when a new post is available.

If you have questions or want to share experiences you've had with insider threats, send email to

About the Author