Timely notification on terminations for non-employee users 2014



  • My client has a large quantity of non-employee users because of 3rd party outsourcing and engaging many temporary consultants. Termination reporting for these users is not well controlled. HR refuses to manage them in their IS. Has anybody encountered this issue in a very large company? Does anyone have ideas for creating controls? Thanks.
    Steve



  • Though we are not a large company, we have encountered a very similar problem. We tried the usual of making the original requestor responsible, which, of course, didn’t work well.
    Our best solution to date is to enter the third party access ID’s with limited time frames. We run everything on Oracle, but I assume this is available in SAP, etc. This way, if the consultant leaves and there is a lack of communication, the sign on access lapses anyhow. We typically us a 30 day time period, unless a longer time is specified at the time of the original request to set up. Not perfect, but at least it limits exposure.



  • Currently the third parties and consultants get a 1 year expiration date when not otherwise specified and we are considering lowering it to 90 days. However, that doesn’t come close to the auditor’s requirement to inactivate within seven days of termination.
    We’ve been considering ways to enforce the requestor to become responsible, but haven’t come up with anything better that a feedback loop when they are delinquent and impacting their review if it becomes a pattern. Not only does that not qualify as a control, it only works for consultants that report to regular employees but doesn’t touch the third parties.



  • I agree that this potential exposure should be carefully monitored. Some ideas follow:

    1. It should be recognized that non-employee access introduces more risk and must be carefully managed. Make sure all IT security policies are up-to-date and have guidelines that promote password rotations, timely termination reporting and deactivation, etc.
    2. As 3rd parties engage for consulting or other services, it’s imperative to establish firm controls up front. Probably, each firm should appoint a coordinator to represent the entire group of consultants (with a backup for vacations). This person should be central contact to coordinate new users coming on board or for terminations.
    3. Also encourage IT professionals and business managers with whom 3rd party folks may be working with to also report this promptly to IT security when they know.
    4. Design a good rigid policy and capture form for 3rd party access. You would want all contact info, PIN#s, etc., (plus spelling out the rules for access and security).


  • I would also suggest considering your actual risk based on how the consultants access your network. If they have access only when connected through a hard-wired connection in your office, then your risk of them logging in once their contract work is completed is much less than if they have remote access capabilities.
    I agree with the other comments that this is a risk that needs to be taken more seriously than it appears to have been in the past.



  • I agree with Kymike about the remote access.
    Sigh…this is again a control which IT is burdened with though business divisions should really be owner of this. HR plays no role with contractors in our firm as business divisions hire them and pay for them.
    We have made mandatory to describe the period requested for access in the ‘user request form’ for consultants. We set the user ID with expiry with that date however it doesn’t covers the full risk. Consultants may not complete the full term and to cover that we have set the system to disable the ID after 30 days of inactivity.
    We worked with business divisions to identify Divisional contacts that can validate the status of employees/contractors/temps. Once in a month a system generated list of active users is sent to them which they validate and send back. The IT then takes action on users identified by the contacts.
    It takes time initially when the first list is compiled and inconsistencies are removed. After some time the lists are refined and consolidated and I have seen it work in the way which our external auditors has found acceptable. However it cant work in a very big organization.



  • I agree with and like calvin’s suggestion of putting overall responsibilities in the system owner’s area (users).
    Most likely the best way for this to work is for the business area and IT to work together as a team . Ideally, the system owners can define the framework based on business needs, while IT security share needs related to the technical side (e.g., tuning security so that it controls the risk, meets best practices for secure access, and provides the minimum level of access needed to meet business requirements.



  • Most likely the best way for this to work is for the business area and IT to work together as a team . Ideally, the system owners can define the framework based on business needs, while IT security share needs related to the technical side (e.g., tuning security so that it controls the risk, meets best practices for secure access, and provides the minimum level of access needed to meet business requirements. %0AThis is what we’ve been trying to do for quite sometime.%0AOriginally, like others have stated, we attempted to place onus on our site managers to deactivate contractors AND employees. Unfortunately, this doesn’t work and only creates undesired hassles.%0AFor the most part, we try to get anyone paid by our company in the same system, whether it be a temp, full-time employee, or contractor. We use Oracle with an ADP front end.%0AThis hasn’t been fully implemented, but our goal is to automate a process that will send out an e-mail notification of the employees/contractors/temps that have been terminated. %0AWhile our Director will ask that this email be sent to the site managers, I think it’s best to control all terminations myself. Putting the onus on others only doubles my work because I must audit the successfulness of site manager request for employee termination (in the past, we’ve never seen better then 50% success).



  • If you are running Microsoft SQL Server 2005, you can have autoexec/login triggers. With that you could log whenever anyone logs in, it wouldn’t take much work to generate an alert if someone did not log on for whatever time period you specify.
    Of course, this only does you any good at the database level, it won’t help you monitor anywhere else in your system.



  • If the contractors need multiple types of access (physical, network, mainframe) then you can sometimes be slightly more compliant if the rules are staggered on the different levels. But, there is never any definitive approach unless you have a person that is accountable for their access or removal.
    The process that was in place where I worked had physical access revoked every 4 months, network every 3 months and mainframe reported at 3-4 months based on last use. This didn’t provide any more assurance but it could be (and was) argued that the manager would then be prompted to remove access from all areas when he realized :roll: that the contractor didn’t need the access any longer. 😉



  • 😄
    I just wanted to point out that this is a major issue plaguing many companies I had pleasure to audit.
    And many companies try to patch up the problem by conducting access recertification every so often, but that still doesn’t constitute a timely removal of access.
    I think solution for this is quite simple; but the problem lies in the fact that no-one will want to own this problem, as it requires a lot of daily effort, especially in a big company.



  • I think solution for this is quite simple; but the problem lies in the fact that no-one will want to own this problem, as it requires a lot of daily effort, especially in a big company. %0AMaybe one ‘simple’ approach that might help is to ensure strict guidelines are in the contractual terms for 3rd party consultants (e.g., where prompt notifications are required and where warnings or even penalties might be involved for serious infractions. It still may not be 100% but putting these guidelines in the best interest of the 3rd party is perhaps the most realistic approach for ensuring outside consultanting firms provide timely updates. Certainly, the company should audit security access every quarter or at least annually to ensure the communications and approach are working 🙂



  • Part of the problem with contractors is that quite often some managers are not certain that they are ‘gone’. Unlike an employee who will have multiple projects that will rotate based on priorities, a contractor is usually in for a small number of projects (maybe one) and since the cost is higher than an employee, the company will use, release and recall the person as needed.
    In some cases, I knew people on both sides of the coin (the contractors and the respective managers). One was perfectly willing to work ‘as needed’ while the other was trying to control his budget with the expensive cost of labor.
    Thus, it was a decision where neither could definitively provide assurance that the person was ‘gone’ until the project was completed.
    My perspective was the security administrator who was trying to get the manager to commit to the removal of the unnecessary access. In the end, we had them temporarily revoking the access when the person wasn’t present and having a local administrator reactivate it when it was then needed.



  • …perhaps the most realistic approach for ensuring outside consultanting firms provide timely updates. Certainly, the company should audit security access every quarter or at least annually to ensure the communications and approach are working 🙂
    Harry, I fail to see how its the 3rd parties responsibility though. If internally you keep on cutting checks for work that is not being performed and/or to a person thats no longer there (consultant or no) there are some major issues.
    As one possible solution I was thinking more of keeping a centralized DB, with all access privileges etc etc. making sure to incorporate the DB entries into processes for grant access and terminations. Yeah redesigning processes is not that fun, and it would require at least one person to enter and monitor the DB based, of course, on population size, and automation… thats still semi cheap approach though, you can always grab a prepackages vendor product of the shelf… If I recall USDAP had HR modules that could handle something like this.
    I find it quite too often that companies in general are struggling with this, and not only they cant track consultant but in many cases they are having hard time tracking regular employees.



  • Harry, I fail to see how its the 3rd parties responsibility though. If internally you keep on cutting checks for work that is not being performed and/or to a person thats no longer there (consultant or no) there are some major issues
    Hi 404 - Yes, a lot depends of the contractual arrangements and I can see your point well. I was thinking in different terms, where a consulting firm might be used to augment permanent resources for the compay – where 15 staff positions might be assigned to help on an IT project, as temporary services, etc. As folks come and go in any organization, it’s better to assign 15 specific rather than generic accounts (so that John Doe’s account isn’t reused by Sally Jones when John leaves the consulting firm).
    Another approach that many use is to pre-set account expirations for 90 days and keep renewing as applicable. This approach shouldn’t be used by itself, as if a person quits on day 5, their account is still live for 85 days. Thus, it’s always advisable for the 3rd party and companies to treat access rights seriously and communicate needed changes promptly. It’s a responsibility that falls on both sides.



  • I also agree with calvin’s suggestion of putting over all responsibilities in the system owner’s area 🙂


Log in to reply