Deprovisioning

So deprovisioning, this is when we are removing access. And again, we’re looking for some kind of formal approval, somebody to request this as a process, somebody to trigger this process. What is the trigger for the deprovision? Is this a management notification? Is it the removal of the individual from the HR system? Is it a lack of activity over a period of time for a particular account? We want to understand the completeness of the deprovisioning process. We want all systems and privileges to be removed. And this can be difficult with access to shared keys. If we have somebody who has access to service accounts, door codes, router passwords, how do we manage that consistently?

Again, if we’ve got individual line of business systems, we need to revoke permissions to all of those individual systems and services. Sometimes, we may wish to consider disabling a user rather than deprovisioning as a cautionary step. So when we get the request to deprovision, we may want to disable the account for a period of maybe a week before we process the actual deletion, in case somebody hands the notice in but then withdraws and decides to stay in the organization. Or whether there’s a need for information relating to that account to be recovered. We do need to be careful of personally identifiable information, though. A good example of this was with social media sites like Facebook, where you deleted your account.

But actually if you click ‘Delete account’, it did not delete the account. If you logged in a year later, all of your information came back. This is no longer acceptable if you have personally identifiable information under the European Union General Data Protection Act, General Data Protection requirement, that we will look at in more detail later in the course. So our process needs to cater for different sets of circumstances. Ideally, the manager is involved in this process. The manager of the departing owner of the account has some perspective, has some involvement. Common to have a retention period for information. Some of our records may need to be treated differently, though, as we’ve said regarding personally identifiable information.

But we want to make sure that the business records associated with the account are not deprovisioned. Quite often, the work that a user has done, related to their credential, needs to survive. We do have some common issues. Again, that I’m sure you guys see, and that I certainly see, day-to-day, which is recovering passwords that have been stored in a mailbox, or information that’s been stored in an email account. Good examples of this are Word documents, Excel documents that have been stored in a shared area but which are password protected. And five years later, you need access to that document, the employee has left the organisation, and nobody has any memory of what the document password is.

So do we need to structure information prior to the departure, prior to the deprovisioning? Do we need to archive any information?