Slashdot Mirror


Employers Forgetting to Remove Access for Ex-Employees?

This devilish Anonymous Coward asks: "Quite by accident, I misdialed the other day and wound up in the voicemail system of my ex-employer, late of some 4 months now. Curious to see what would happen, I punched in my password, and lo-and-behold, I still had access to voicemail. Curious, I checked to see what I still had access to, and discovered that my shell account, Web logins and even the root password still existed as they did when I worked there. While I would never dream of trying anything funny (since they could pretty obviously track it back to me), I'm wondering how prevalent this lax attitude is in today's workplace, particularly in Silicon Valley where employees skip from job to job like mad. I'd bet that way too many Slashdotters still have access to things months or years after they left employment... including some pretty secure things." It's all a matter of the communication channels between the IT Department and Management. Better communication channels means less chance of this sort of security hole happening...or does it?

1 of 22 comments

  1. Gone but not forgotten by maggard · Score: 4
    I've had old voicemail accounts last at least five years after leaving (that was as of a few years ago - I'd check again but I can't remember the extension) and email accounts from places I left over a decade ago still working.

    In places I've managed one of my first changes has been to insist that HR put a message on an email distribution list every time a position is created (note this is often well before someone is hired but it gives my staff time to determine the future employee's needs), upon a hiring, and the instant they believe someone may or will be leaving. In these communications HR must specify dates and the appropriate managers to contact for direct instruction. I also put an emergency procedure in place for 'rapid-separations' where all of a person's accounts are identified, marked for immediate back-up, and locked down until the situation is clarified.

    I generally drive these policies & procedures home by holding a meeting between HR, IS, and Legal with all of us asked to brainstorm on the awful things that could happen should we drop the ball on this. One can usually come up with some very nasty scenarios pretty fast. The folks involved also generally know a few real-life stories we've seen or heard of we can recount just to completely scare everyone into following these policies seriously.

    What can really force these policies is privacy laws. Even though many would think that communications to someone via a company's resources would properly be the company's property, this changes a bit once the person is no longer an employee. I'm not a lawyer but I do know that in most places one is on shaky ground continuing to allow the former employee's name to remain active in the email system after a reasonable amount of time. To have someone then go through a former employee's communications, specifically any that are received after the employee is separated from the company, is very dangerous and just asking for a nasty lawsuit.

    My own solution to moved-on employees has been to place an auto-responder on the email account indicating the person is no longer with the company, possibly listing the other person(s) who are now handling the former employee's responsibilities, and referring all other communications to HR. Generally this will do for up to a year after which the account just becomes another generic dead one. For voicemail a similar procedure is used by closing the person's inbox and replacing their old greeting with a new one giving the new numbers to contact for various services.

    Of course one can avoid many of these problems by encouraging the use of functional email & voicemail accounts. With these many messages go to "Department - Function" instead of individual persons. One can't (and oftentimes shouldn't) get rid of personal email accounts, but keeping much of the purely administrative email on the functional address list helps. Utilizing this duplicate system can cut down enormously on mail-list administration and general administrivia.

    Another problem I commonly run into is the 'legacy' account where someone has moved on but another simply assumed their accounts, oftentimes their replacement. This sort of thing leads to really confusing situations where one isn't sure who is using what accounts, which are active, and which are linked. This can become particularly problematic when trying to implement unified login systems.

    Finally there's the nightmare of IS staff leaving. Oftentimes we know waaay too many passwords, particularly the 'deep-mojo' ones. To help expedite these transitions I generally try to keep a list of all the primary accounts (passwords stored separately in a secure place) and an instruction sheet on changing them all at need. It's also simply good practice to discourage users from giving passwords to IS staff and simply requiring them to enter them themselves when needed.

    --
    I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I won't bother either.
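The two procedures maggard describes above (a periodic check that nobody who has left still holds a live account, and a 'rapid-separation' checklist that identifies, backs up and locks every account a departing person owns and rotates every shared 'deep-mojo' password they were told) are straightforward to automate once HR separation dates and an account inventory are available in machine-readable form. The following is an added example, not code from the poster or from Slashdot; the account records, employee ids, separation dates and shared-credential names are constructed sample data, and the dataclass fields are assumptions standing in for whatever an HR export and a directory dump actually provide.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Hypothetical records: in practice these come from an HR export and from each
# system's user list (voicemail PBX, /etc/passwd, web-app user table, ...).


@dataclass(frozen=True)
class Account:
    system: str                 # which system the account lives in
    username: str
    owner: str                  # HR employee id the account was provisioned for
    enabled: bool
    last_login: Optional[date] = None


@dataclass(frozen=True)
class SharedCredential:
    name: str                   # e.g. the root password on a server
    known_to: frozenset         # employee ids who were ever given the secret


def reconcile(accounts: List[Account],
              separations: Dict[str, date]) -> Tuple[List[Account], List[Account]]:
    """Periodic audit. separations maps employee id -> last working day.

    Returns (to_disable, used_after_separation):
      to_disable            : accounts still enabled although the owner has left
      used_after_separation : accounts with a login after the owner's last day,
                              i.e. either the ex-employee still using it or a
                              'legacy' account silently taken over by a successor
    """
    to_disable, used_after = [], []
    for acct in accounts:
        last_day = separations.get(acct.owner)
        if last_day is None:
            continue                      # owner still employed; nothing to do
        if acct.enabled:
            to_disable.append(acct)
        if acct.last_login is not None and acct.last_login > last_day:
            used_after.append(acct)
    return to_disable, used_after


def credentials_to_rotate(shared: List[SharedCredential],
                          separations: Dict[str, date]) -> List[SharedCredential]:
    """Every shared secret known to anyone who has left must be changed."""
    gone = set(separations)
    return [c for c in shared if c.known_to & gone]


def rapid_separation_plan(employee_id: str, accounts: List[Account],
                          shared: List[SharedCredential]) -> Dict[str, List[str]]:
    """Checklist for one rapid separation: back up everything the person owns,
    lock what is still live, rotate every shared secret they were told."""
    own = [a for a in accounts if a.owner == employee_id]
    return {
        "backup": [f"{a.system}:{a.username}" for a in own],
        "lock": [f"{a.system}:{a.username}" for a in own if a.enabled],
        "rotate": [c.name for c in shared if employee_id in c.known_to],
    }


# Constructed sample data (all names and dates are made up).
SAMPLE_SEPARATIONS = {"E100": date(2024, 1, 31)}       # E100 left at the end of January

SAMPLE_ACCOUNTS = [
    Account("voicemail", "x4421", "E100", True, date(2024, 5, 10)),   # used months after leaving
    Account("shell", "jdoe", "E100", True, None),                     # still enabled, never used since
    Account("web", "jdoe", "E100", False, date(2023, 12, 2)),         # already disabled
    Account("shell", "asmith", "E200", True, date(2024, 5, 12)),      # current employee
]

SAMPLE_SHARED = [
    SharedCredential("root on fileserver", frozenset({"E100", "E300"})),
    SharedCredential("db-admin", frozenset({"E300"})),
]

if __name__ == "__main__":
    disable, used_after = reconcile(SAMPLE_ACCOUNTS, SAMPLE_SEPARATIONS)
    print("disable:", [f"{a.system}:{a.username}" for a in disable])
    print("used after separation:", [f"{a.system}:{a.username}" for a in used_after])
    print("rotate:", [c.name for c in credentials_to_rotate(SAMPLE_SHARED, SAMPLE_SEPARATIONS)])
    print("plan for E100:", rapid_separation_plan("E100", SAMPLE_ACCOUNTS, SAMPLE_SHARED))
```

On the sample data the audit flags the voicemail and shell accounts for disabling, singles out the voicemail box because it was logged into after the owner's last day, and marks the fileserver root password for rotation because a departed employee knew it. The `used_after_separation` list is the one worth reading by hand: it catches both the situation in the original question and the 'legacy' accounts that a replacement quietly inherits.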