The 20th practice described in the newly released edition of the Common Sense Guide to Mitigating Insider Threats is Practice 20: Develop a comprehensive employee termination procedure. In this post, I discuss the importance of establishing a termination procedure that is consistently communicated and applied across the enterprise.

The CERT Division announced the public release of the fifth edition of the Common Sense Guide to Mitigating Insider Threats in December 2016. The guide describes 20 practices that organizations should implement across the enterprise to mitigate (prevent, detect, and respond to) insider threats and case studies. The final of the 20 best practices follows.

Practice 20: Develop a comprehensive employee termination procedure.

It is essential that an organization have a plan in place when insiders depart. The termination procedure should be timely, consistent, and communicated upfront to all effective business units and stakeholders (e.g., the insider's manager, finance, information security, human resources, and physical security).

When permissible and appropriate, we suggest that the organization notify all employees about any employee's departure. The notification does not need to be specific or detailed, as shown in the example below:

The termination procedure should ensure that both physical access to the facility (e.g., badges) and computer access (e.g., remote VPN, shared and group accounts) are disabled. Furthermore, prior to their departure, the organization should collect the departing employee's company-owned equipment (hardware, software, keys, purchasing cards, etc.).

As part of the termination process, the organization should reaffirm all non-disclosure and IP agreements. To help manage the termination process, we highly recommend using inventory management, account tracking, and termination checklists.

In summary, this best practice helps your organization take all necessary measures to protect its resources when insiders are terminated. Refer to the complete fifth edition of the Common Sense Guide to Mitigating Insider Threats for further information regarding this best practice.

Check back next week to read a summary of all 20 best practices, or subscribe to a feed of the Insider Threat blog to be alerted when a new post is available.

For more information about the CERT Insider Threat Center, see https://www.sei.cmu.edu/research-capabilities/all-work/display.cfm?customel_datapageid_4050=21232, or contact us at info@sei.cmu.edu.