When BlueOrange is performing security assessments we have a lot of discussion around access controls, including what the organization’s processes are when an employee is terminated or leaves the organization. There are a variety of reasons why these processes are important to security, and one of them is disabling access to information systems.
We like to use the example of a health department in Connecticut. They suffered a breach after a former employee accessed a file on a computer that contained ePHI. This employee’s access had not been disabled, which allowed her to log into a computer using her credentials and download the PHI of 498 individuals to a USB drive.
There are a variety of steps that could have been taken to prevent this, but removing the employee’s access upon termination should have been the first. Was the person responsible for removing access not made aware of the employee’s termination, and if so, why? It’s important to dig into any holes in this process to see where the breach was allowed to happen.
- What is your organization using to track account changes?
- Who is responsible for submitting those requests?
- Who is responsible for enabling and disabling accounts?
- Is your organization tracking which systems each employee has been granted access to, so it knows what should be disabled?
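The questions above describe three records an organization should be able to reconcile: who HR says has left, which accounts each person holds on each system, and who is actually authenticating. The script below is an added example (not BlueOrange’s tooling and not from the incident described) that ties those three together: it lists accounts still enabled for terminated employees, flags enabled accounts that no one in the HR roster owns, and scans authentication log lines for activity by users who had already been terminated. The employee names, system names, dates and log format are all constructed for illustration.

```python
# Added example: reconciling an HR termination roster against an access
# inventory and authentication logs. All names, systems, dates and log
# lines below are constructed for illustration.
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class Employee:
    user_id: str
    status: str                              # "active" or "terminated"
    terminated_on: Optional[datetime] = None


@dataclass
class Account:
    user_id: str
    system: str
    enabled: bool


# Constructed HR roster: the system of record for who has left and when.
HR_ROSTER = [
    Employee("asmith", "active"),
    Employee("jdoe", "terminated", datetime(2019, 2, 28)),
    Employee("mlee", "terminated", datetime(2019, 1, 15)),
]

# Constructed access inventory: every account each person holds, per system.
ACCESS_INVENTORY = [
    Account("asmith", "ehr", True),
    Account("jdoe", "ehr", True),          # missed at offboarding
    Account("jdoe", "email", False),       # correctly disabled
    Account("jdoe", "vpn", True),          # missed at offboarding
    Account("mlee", "ehr", False),
    Account("contractor9", "ehr", True),   # nobody in the HR roster owns this
]

# Constructed authentication log, one event per line (format is hypothetical).
AUTH_LOG = """\
2019-02-27T08:00:00 LOGIN user=jdoe system=ehr result=success
2019-03-04T09:12:00 LOGIN user=jdoe system=ehr result=success
2019-03-04T09:30:00 LOGIN user=asmith system=ehr result=success
2019-03-05T10:00:00 LOGIN user=mlee system=vpn result=failure
garbage line that should be ignored
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) system=(?P<system>\S+) result=(?P<result>\S+)$"
)


def terminated_users(roster: List[Employee]) -> Dict[str, datetime]:
    """Map user_id -> termination date for everyone HR says has left."""
    return {e.user_id: e.terminated_on for e in roster
            if e.status == "terminated" and e.terminated_on is not None}


def deprovisioning_checklist(roster: List[Employee],
                             inventory: List[Account]) -> List[Tuple[str, str]]:
    """Accounts still enabled for terminated users: what should have been disabled."""
    gone = terminated_users(roster)
    return sorted((a.user_id, a.system) for a in inventory
                  if a.enabled and a.user_id in gone)


def orphaned_accounts(roster: List[Employee],
                      inventory: List[Account]) -> List[Tuple[str, str]]:
    """Enabled accounts with no owner in the HR roster: a gap in access tracking."""
    known = {e.user_id for e in roster}
    return sorted((a.user_id, a.system) for a in inventory
                  if a.enabled and a.user_id not in known)


def parse_log_line(line: str) -> Optional[dict]:
    """Parse one constructed-format auth event; returns None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
            "system": m["system"], "result": m["result"]}


def logins_after_termination(roster: List[Employee], log_lines: List[str]) -> List[dict]:
    """Auth events (successful or failed) by users on or after their termination date."""
    gone = terminated_users(roster)
    hits = []
    for line in log_lines:
        ev = parse_log_line(line)
        if ev and ev["user"] in gone and ev["ts"] >= gone[ev["user"]]:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    print("still enabled for terminated users:",
          deprovisioning_checklist(HR_ROSTER, ACCESS_INVENTORY))
    print("enabled accounts with no HR owner:",
          orphaned_accounts(HR_ROSTER, ACCESS_INVENTORY))
    for ev in logins_after_termination(HR_ROSTER, AUTH_LOG):
        print("post-termination auth event:", ev)
```

Run on its own the script prints the two accounts `jdoe` still holds, the unowned `contractor9` account, and both post-termination events, including the failed `mlee` attempt, since a failed login from a terminated account is still worth a look. In practice the roster would come from the HR system, the inventory from each application or the directory, and the log lines from the SIEM; the reconciliation logic stays the same.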
Along with disabling access, better physical security and disabling USB ports could have helped prevent this unfortunate situation. Take some time to review your processes around terminations and assess what could be done to make your organization more secure.