S 3.6 Regulated procedure for when employees leave the organisation
Initiation responsibility: Supervisor, Information Security Management, Head of Personnel
Implementation responsibility: Personnel Department, Supervisor
The following must be considered when an employee leaves the organisation or changes positions or roles:
- The employee's successor should be trained before the employee leaves the organisation. A brief overlap period, during which both are present, is helpful for this handover.
- The employee leaving must be requested to return all documents (including all books owned by the organisation that the employee has borrowed), all keys handed out, and all devices borrowed by the employee (e.g. portable computers, storage media, documentation). In particular, all ID cards issued by the government agency and/or company, as well as all other cards used as access authorisation, must be collected. If biometric procedures are used (e.g. iris scan, fingerprint or hand geometry recognition), the corresponding site access authorisations must be revoked and/or adapted to the new substitution arrangements.
- All access authorisations and data access rights granted to the leaving employee must be revoked and/or deleted. This also applies to remote access authorisations used for data transmission devices. In the exceptional case that several people share a single access authorisation for an IT system (e.g. a shared password), that shared credential must be changed after the employee has left the organisation; revoking only the personal account is not sufficient, because the leaving employee still knows the shared secret.
- Before the employee leaves, it must be explicitly pointed out that all confidentiality agreements remain in force and that disclosure of any information obtained while working for the organisation is not allowed.
- If the person leaving the organisation was assigned a role in a contingency plan, the contingency plan must be updated.
- All persons entrusted with security tasks, and especially the gatekeepers, must be informed that the employee is leaving and that other employees are changing positions in the organisation.
- Employees who have left the organisation must not be allowed uncontrolled access to the premises of the government agency or company, and especially not to rooms containing IT systems. It may also be necessary to revoke the right to access certain rooms such as server rooms when an employee changes positions.
- Optionally, all site and data access rights for IT systems can be revoked from the time the notice of termination is given until the employee actually leaves, and the employee can be informed that he/she is no longer allowed to enter any rooms requiring protection.
All tasks to be performed when an employee leaves the organisation or changes positions must be clearly defined. An office circular (routing slip) listing the individual tasks to be completed before the employee leaves the government agency and/or company has proven to be a useful tool for this.
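The revocation tasks above can be verified by reconciling the personnel department's leaver list against exports of the IT systems' state (enabled accounts, last logins, badge status, shared-credential rotation dates and contingency-plan role assignments). The following Python script is an added example and not part of the IT-Grundschutz catalogue; the record layouts, system names, user names and dates are constructed for illustration and would in practice come from the directory service, the access-control system and the contingency plan register.

```python
"""Leaver reconciliation check (added example, constructed data).

Compares an HR leaver list against exports of account, site-access,
shared-credential and contingency-plan state and reports every item that
should have been revoked, rotated or reassigned after the last working day.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Leaver:
    user: str
    left_on: date            # last working day, as reported by personnel


@dataclass(frozen=True)
class Account:
    user: str
    system: str
    enabled: bool
    last_login: Optional[date]


@dataclass(frozen=True)
class SharedCredential:
    name: str
    known_to: frozenset      # users who were given the shared password
    last_rotated: date


def audit_leavers(leavers, accounts, badges, shared_creds, contingency_roles, today):
    """Return sorted (check, user, detail) triples for every overlooked item.

    Only people whose last working day is on or before `today` are checked;
    revoking rights already between notice and departure is the optional
    measure described above and is a policy decision, not an audit finding.
    """
    findings = set()
    for lv in leavers:
        if lv.left_on > today:
            continue
        for acct in accounts:
            if acct.user != lv.user:
                continue
            if acct.enabled:
                findings.add(("account_still_enabled", lv.user, acct.system))
            # A login after the last working day means the revocation came too late
            # (or not at all) and warrants a closer look at what was done.
            if acct.last_login is not None and acct.last_login > lv.left_on:
                findings.add(("login_after_leaving", lv.user, acct.system))
        if badges.get(lv.user, False):
            findings.add(("site_access_still_active", lv.user, "badge"))
        for cred in shared_creds:
            # The shared secret must be rotated strictly after the last working
            # day: on that day the employee may still legitimately use it.
            if lv.user in cred.known_to and cred.last_rotated <= lv.left_on:
                findings.add(("shared_credential_not_rotated", lv.user, cred.name))
        for role, holder in contingency_roles.items():
            if holder == lv.user:
                findings.add(("contingency_role_not_reassigned", lv.user, role))
    return sorted(findings)


def run_sample():
    """Run the audit on constructed sample exports (hypothetical users/systems)."""
    today = date(2024, 5, 2)
    leavers = [
        Leaver("mmueller", date(2024, 3, 31)),
        Leaver("akhan", date(2024, 4, 15)),
        Leaver("cweber", date(2024, 6, 30)),   # notice given, not yet left
    ]
    accounts = [
        Account("mmueller", "AD", False, date(2024, 3, 28)),
        Account("mmueller", "VPN", True, date(2024, 4, 2)),     # overlooked
        Account("akhan", "AD", False, date(2024, 4, 15)),       # login on last day is fine
        Account("akhan", "FILESERVER", True, None),             # overlooked
        Account("cweber", "AD", True, date(2024, 5, 1)),
        Account("bschmidt", "AD", True, date(2024, 5, 2)),      # not a leaver
    ]
    badges = {"mmueller": False, "akhan": True, "cweber": True, "bschmidt": True}
    shared_creds = [
        SharedCredential("backup-console", frozenset({"mmueller", "bschmidt"}), date(2024, 4, 5)),
        SharedCredential("legacy-ftp", frozenset({"akhan", "bschmidt"}), date(2024, 2, 1)),
        SharedCredential("switch-admin", frozenset({"mmueller"}), date(2024, 3, 31)),
    ]
    contingency_roles = {"it_contingency_coordinator": "mmueller", "backup_operator": "bschmidt"}
    return audit_leavers(leavers, accounts, badges, shared_creds, contingency_roles, today)


if __name__ == "__main__":
    for check, user, detail in run_sample():
        print(f"{check:32} {user:10} {detail}")
```

On the constructed data the check reports seven findings: two accounts still enabled, one login after the leaving date, two shared credentials not rotated, one badge still active and one contingency-plan role still assigned to the person who left, while the employee who has only given notice and the remaining colleague produce no findings. Run against real exports, an empty result is the evidence that the review questions below can be answered with "yes".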
Review questions:
- Are the tasks to be performed when an employee leaves or changes positions clearly defined?
- Are the appropriate bodies informed promptly when an employee leaves the organisation?
- Is it ensured that all access authorisations and data access rights of the leaving employee are revoked and deleted?
- Is it ensured that all assets owned by the organisation (e.g. documents, keys, computers, storage media) are returned by and collected from a person leaving the organisation?