How to Reduce Terminated User Exceptions in Your Next Audit
With little notice or time to prepare, remote work arrangements and/or downsizing have placed greater demands on the IT departments of many organizations. Even without a pandemic, one of the most common ITGC findings is that access is not disabled in a timely manner, leaving a risk of inappropriate access to systems after termination. Here are some key procedures that may help your organization minimize the risk surrounding the removal of access permissions.
Use the Account Expiration Feature.
In most organizations, deactivation is a two-step communication process: the employee’s supervisor first notifies Human Resources (HR), and HR then notifies IT. Even when an employee provides the customary two weeks’ notice, these multiple hand-offs tend to introduce a timing delay, and IT is typically notified to disable access on the termination date or sometimes after it.
Active Directory has an “Account Expires” date field (distinct from the password expiration function) that prevents use of the account after the defined date. Setting this field as soon as IT is notified provides a managed way to ensure that departing individuals cannot access their accounts after their termination date. Organizations using single sign-on benefit as well, because the expired account also blocks terminated users from the application login. This reduces the potential for delays in disabling access and helps ensure that the terminated employee cannot continue to log in after the last day of employment. Any access permitted after the employee’s last day should be documented and managed on a case-by-case basis.
While confidentiality concerns may need to be addressed for involuntary terminations, disabling access is likely to go much more smoothly when IT is notified of a voluntary termination in advance. IT can then plan ahead and configure Active Directory (at a minimum) to lock the user out at a planned time on the individual’s last day of employment, using the account expiration method described above.
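The following is an added example, not part of the original article, showing how the account expiration step looks in practice with the ActiveDirectory PowerShell module, followed by the two checks an auditor is most likely to sample: expired accounts that are still enabled, and accounts due to expire soon. The user name, dates and ticket reference are constructed placeholders.

```powershell
# Added example (not from the article): set an AD account expiration as soon as HR
# gives notice, then run the audit checks that usually surface terminated-user
# exceptions. Requires the ActiveDirectory module (RSAT). Values are constructed.
Import-Module ActiveDirectory

# 1. Lock the account at close of business on the last day (assumed 5:00 PM local).
$user    = 'jdoe'                          # constructed sAMAccountName
$lastDay = Get-Date '2020-06-30 17:00'     # constructed termination date/time
Set-ADAccountExpiration -Identity $user -DateTime $lastDay

# Put the reason on the object itself so the audit trail travels with the account.
Set-ADUser -Identity $user -Description "Term date $($lastDay.ToString('yyyy-MM-dd')) per HR ticket <TICKET-ID>"

# 2. Confirm the expiration was applied.
Get-ADUser -Identity $user -Properties AccountExpirationDate |
    Select-Object SamAccountName, Enabled, AccountExpirationDate

# 3. Audit check: accounts past their expiration date that are still enabled.
#    Expiration blocks logon, but audit samples commonly test the Enabled flag,
#    so disable these as a follow-up (remove -WhatIf once the list is reviewed).
$expiredButEnabled = Search-ADAccount -AccountExpired -UsersOnly |
    Where-Object { $_.Enabled }
$expiredButEnabled | Select-Object SamAccountName, AccountExpirationDate, LastLogonDate
$expiredButEnabled | Disable-ADAccount -WhatIf

# 4. Audit check: who is scheduled to leave in the next 14 days, so IT can plan
#    shared-credential rotation and equipment recovery ahead of the last day.
Search-ADAccount -AccountExpiring -TimeSpan (New-TimeSpan -Days 14) -UsersOnly |
    Select-Object SamAccountName, AccountExpirationDate
```

Step 3 matters because an expired-but-enabled account will not show up in a review that filters on disabled status; treating expiration as the first gate and disabling as the second keeps both the logon control and the audit evidence aligned.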
Track personnel with knowledge of shared passwords.
If your organization does not use a password management tool, IT faces the additional challenge of identifying who knows the credentials of shared accounts. Either repurpose a text field in the system to track the personnel who know the account credentials, or add those personnel’s initials to the user name/description field. This allows the right people to be informed when the password is changed manually on a periodic basis.
When someone leaves the organization, you will then know which accounts’ credentials to change. Maintaining the names in the system also simplifies the user access review, since ownership and accountability can be identified from one source rather than several, and it serves as a reminder of who knows the credentials whenever the account is used.
If it is not possible to document all named individuals in the system, IT should maintain a list of who knows these passwords (not the passwords themselves), store it in a file on the network, and periodically review the list to confirm that each person’s knowledge of the credentials remains appropriate.
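As an added example (not from the article), the snippet below implements the “initials in the description field” approach in Active Directory and shows the offboarding query that turns it into a rotation list. The `KNOWN-BY:` tag convention, the account names and the initials are assumptions made for this example; any consistently formatted text attribute would work the same way.

```powershell
# Added example (not from the article): record who knows a shared account's password
# in the Description field, then query it at offboarding and at periodic review.
# The "KNOWN-BY:" tag, account names and initials are constructed for this example.
Import-Module ActiveDirectory

# Convention assumed here: "Shared <purpose> | KNOWN-BY: <initials>, <initials>"
Set-ADUser -Identity 'svc_backup'    -Description 'Shared backup service account | KNOWN-BY: RP, GB'
Set-ADUser -Identity 'svc_erp_batch' -Description 'Shared ERP batch account | KNOWN-BY: GB, TL'

# Offboarding: every shared account whose credentials the departing person knows.
function Get-SharedAccountsKnownBy {
    param([Parameter(Mandatory)][string]$Initials)
    # Pull only tagged objects, then match the initials as a whole token so that
    # "RP" does not match "TRP".
    Get-ADUser -LDAPFilter '(description=*KNOWN-BY:*)' -Properties Description |
        Where-Object { $_.Description -match "KNOWN-BY:.*\b$([regex]::Escape($Initials))\b" } |
        Select-Object SamAccountName, Description
}

# After the password is changed, drop the departing initials from the tag.
function Remove-InitialsFromKnownBy {
    param([Parameter(Mandatory)][string]$Identity,
          [Parameter(Mandatory)][string]$Initials)
    $u = Get-ADUser -Identity $Identity -Properties Description
    $new = $u.Description -replace "(,\s*)?\b$([regex]::Escape($Initials))\b(,\s*)?", ''
    Set-ADUser -Identity $Identity -Description ($new -replace 'KNOWN-BY:\s*,', 'KNOWN-BY:').Trim()
}

# Departing person's initials (constructed). Each account returned needs a password
# change; the rotation is a manual step here because no vault is in use.
$toRotate = Get-SharedAccountsKnownBy -Initials 'RP'
$toRotate | Format-Table -AutoSize
# foreach ($a in $toRotate) { Remove-InitialsFromKnownBy -Identity $a.SamAccountName -Initials 'RP' }

# Periodic review: list every shared account with its holders so the account owner
# can confirm each name still belongs on the list.
Get-ADUser -LDAPFilter '(description=*KNOWN-BY:*)' -Properties Description |
    Select-Object SamAccountName,
        @{ Name = 'KnownBy'; Expression = { ($_.Description -split 'KNOWN-BY:')[1].Trim() } } |
    Sort-Object SamAccountName
```

The LDAP filter keeps the query cheap on large directories, and the periodic-review listing doubles as the single source the text recommends for the user access review; if the list has to live in a file instead, restrict that file to the same people who administer the shared accounts.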
Review segregation of duties.
Organizations going through furloughs or reductions in force often see an increase in segregation of duties (SOD) conflicts. Ideally, conflicting duties should be appropriately segregated. In reality, even in good times staff members may already hold conflicting permissions and job responsibilities, which are typically managed through mitigating controls.
During periods of downsizing, the likelihood of new SOD conflicts rises as fewer individuals perform more functions. This potential issue needs to be recognized, either by understanding current processes and their owners and mitigating the new conflicts through new monitoring controls, or by confirming that an existing control already covers the risk.
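One way to catch new SOD conflicts as responsibilities are consolidated is to express the conflicting role pairs as group memberships and check them on a schedule. The script below is an added example, not from the article; the rule names and group names are constructed placeholders, and the script assumes application roles are granted through Active Directory groups.

```powershell
# Added example (not from the article): flag users who hold both sides of a
# segregation-of-duties conflict through AD group membership. Rule and group names
# below are constructed placeholders; substitute your own role-to-group mapping.
Import-Module ActiveDirectory

# Each entry is a pair of roles that should not sit with one person.
$sodRules = @(
    @{ Rule = 'Vendor create vs. payment approval'; A = 'ERP-AP-Vendor-Maintain'; B = 'ERP-AP-Payment-Approve' },
    @{ Rule = 'Journal entry vs. journal approval';  A = 'ERP-GL-JE-Post';         B = 'ERP-GL-JE-Approve' },
    @{ Rule = 'User administration vs. log review';  A = 'IT-UserAdmins';           B = 'IT-LogReview' }
)

function Get-SodConflicts {
    param([Parameter(Mandatory)][array]$Rules)
    foreach ($r in $Rules) {
        # -Recursive resolves nested groups so indirect membership counts too.
        $a = @(Get-ADGroupMember -Identity $r.A -Recursive | Where-Object { $_.objectClass -eq 'user' })
        $b = @(Get-ADGroupMember -Identity $r.B -Recursive | Where-Object { $_.objectClass -eq 'user' })
        if ($a.Count -eq 0 -or $b.Count -eq 0) { continue }

        # Index one side by account name, then walk the other side.
        $inB = @{}
        foreach ($m in $b) { $inB[$m.SamAccountName] = $true }
        foreach ($m in $a) {
            if ($inB.ContainsKey($m.SamAccountName)) {
                [pscustomobject]@{
                    Rule   = $r.Rule
                    User   = $m.SamAccountName
                    GroupA = $r.A
                    GroupB = $r.B
                }
            }
        }
    }
}

$conflicts = Get-SodConflicts -Rules $sodRules
$conflicts | Format-Table -AutoSize

# Export so the control owner can record, for each row, the mitigating control
# that covers it or the access change that resolves it.
$conflicts | Export-Csv -Path "sod-conflicts-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Running this before and after a reduction in force gives a before/after list of conflicts, which is exactly the evidence needed to show that each new conflict was either resolved or knowingly accepted with a documented mitigating control.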
For more information about protecting your organizations and IT systems, contact us. We are here to help.
Authored by Reema Parappilly, CISA, and Geoffrey Banez, CIA, CISA.
© 2020