Hiring Process Concerns 2511



  • Hello, Hello again…
    I am currently putting together a package that details the hiring/termination of employee process. I have been able to detail processes needed for the termination of employees, taking into account their access rights to the system, facility, email, etc. Now that i am looking into the hiring process it seems that it is more interperative and specific to the organization. I was hoping that there would be some sort of best practice out there which larger companies use as a blueprint for the process. Is this a valid assumption, or would that just be to easy?
    Concerns that arise with the hiring of an employee is keeping records or logs of what access rights they will be given (specific to their roles), physical access, IT devices (cellular, laptop, etc). This would be useful in the termination process, knowing exactly what they have and what needs to be taken.
    Any help would be greatly appreciated.
    JL



  • Hi JL - Some ideas below:
    – Yes, it is essential that security access be documented in a centralized location maintained by IT security …
    – However using the 80/20 rule, usually most access can be documented at a high-level. In many cases, just keeping track on the equipment and major computing platforms/categories (e.g., specific servers, mainframe, email, VPN, etc) would be enough.
    – Withing a specific computing category, most security systems allow you to run individual reports on a person. For example, if an employee had access to the mainframe, then keeping detailed access on each individual system they have access to would involve too much work and would become out of date. Instead an ACF2 or RACF reports could be run to revoke privileges. Bindview can do this on the Windows side.
    – However, all access to highly privileged or sensitive information should be well documented and controlled (e.g., payroll, financial, credit card info, SSNs, etc). This would also tie in with SOX 404 related concerns as applicable.
    – New employees should sign an acknowledgement and agreement for abiding with IT policies, standards, procedures, best practices, etc … (which BTW should be published on everyone’s Intranet so they are updated electronically and available to all)
    – Existing employees should annually sign to re-agree with security policies as noted in the above point.
    – This search may also help some:
    http-and-#58;//www.google.com/search?hl=en-and-q=IT policies new employees



  • The biggest issue i think we are currently having is aligning the needs of HR with IT. Certain information that is needed for our end isnt currently being captured and makes the termination process a bit of a headache as we currently do not document what that employee has. So, to get around this, we are trying to document what exactly we need HR to capture, so i was thinking of a checklist which they could use in the hiring process. This checklist would be available to HR on the company intranet, and would make the termination process, as well as any auditing issues that arise, a lot more functional and precise.
    I will definatley look into the link you posted,
    Thanks again.
    JL



  • As additional ideas, I’d recommend some of the following ideas in streamlining information capture and termination procedures:
    – For terminations, HR should only be responsible for sending IT security an email with an effective date/time (or calling the ‘hot line’ in the case of a high profile termination). This keeps their job simple and usually they don’t have the details associated with equipment issued to the employee. Once they are in the loop, the timeliness and communications will improve considerably.
    – The manager of the terminating employee or IT should be responsible for maintaining an inventory of physical equipment issued to employees. This can help in collecting cell phones, security entrance cards, tokens, laptops, or any other equipment issued to the employee.
    – The IT security department should perform removal of security access. Usually, they can do this by platform at a high level, without having to go into the granular removal of access by file or server. In fact, removing all detailed access rights can be deterimental as often the new hire needs to be modeled after the departing employee. Some employees find that the ‘pastures aren’t always as green on the other side’ and occasionally they might be even rehired.
    These ideas may not be applicable to all situations or organizations. Also dividing up the responsibilities into multiple areas means that everyone must treat these tasks as critical each time an employee leaves the company. Senior management may also have to promote and reinforce these policies as well. Still, having each area contribute where they have the most appropriate logical role has worked well in the past in my experiences 🙂


Log in to reply