PO7.8 Job Change and Termination
Take expedient actions regarding job changes, especially job terminations. Knowledge transfer must be arranged, responsibilities reassigned, and access rights removed such that risks are minimized and continuity of the function is guaranteed.
Illustrative Controls and the TIBCO LogLogic Solution
When a person changes jobs or is terminated from a company, user access privileges must be modified according to the company’s business guidelines. To satisfy this control objective, administrators must periodically ensure that only current and authorized employees have access to financial reporting servers. Administrators must ensure that all terminated users have been disabled. In addition, administrators must ensure that logins to financial reporting servers, as well as permissions assigned to users who changed jobs, are appropriate for their new role. To ensure that the preceding requirements are met, administrators must review reports of all user deletions and group member modifications. This ensures that terminated users are removed and that users who changed jobs have been removed from the appropriate groups.
Demonstrate that user access privileges are modified or revoked in a timely manner upon job change or termination. Review reports and alerts on account activities, accounts created or deleted, group members added or deleted, and successful logins to VPN concentrators and critical servers.
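One way to automate the review described above, as an added example that is not part of the TIBCO LogLogic product or its reports: it correlates a termination list with account-disable events and successful logins to flag late or missing revocations and logins after termination. The record layouts, account and host names, and the 24-hour threshold are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the page): HR terminations, directory
# account-disable events, and successful logins to VPN / critical servers.
TERMINATIONS = {
    "asmith": "2024-03-01T17:00:00",
    "bjones": "2024-03-04T12:00:00",
    "cwu": "2024-03-05T09:00:00",
}
DISABLE_EVENTS = [
    ("asmith", "2024-03-01T17:30:00"),
    ("bjones", "2024-03-07T08:00:00"),   # disabled almost three days late
    # no disable event at all for cwu
]
LOGINS = [
    ("asmith", "vpn-01", "2024-03-01T09:02:00"),     # before termination
    ("bjones", "fin-db-01", "2024-03-05T22:14:00"),  # after termination
    ("cwu", "vpn-01", "2024-03-06T07:45:00"),        # after termination
    ("dlee", "fin-db-01", "2024-03-06T10:00:00"),    # current employee
]
# Assumption: the control only says "timely"; 24 hours stands in for policy.
REVOCATION_SLA = timedelta(hours=24)


def review_terminations(terminations, disable_events, logins, sla=REVOCATION_SLA):
    """Return (late_or_missing_revocations, post_termination_logins)."""
    term = {u: datetime.fromisoformat(t) for u, t in terminations.items()}
    disabled = {}
    for user, ts in disable_events:  # keep the earliest disable per user
        when = datetime.fromisoformat(ts)
        disabled[user] = min(when, disabled.get(user, when))
    revocation_findings = []
    for user, left in sorted(term.items()):
        when = disabled.get(user)
        if when is None:
            revocation_findings.append((user, "never disabled"))
        elif when - left > sla:
            revocation_findings.append((user, f"disabled {when - left} after termination"))
    login_findings = [
        (user, host, ts) for user, host, ts in logins
        if user in term and datetime.fromisoformat(ts) > term[user]
    ]
    return revocation_findings, login_findings


if __name__ == "__main__":
    print(review_terminations(TERMINATIONS, DISABLE_EVENTS, LOGINS))
```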