Thursday, June 23, 2011

How Good is Your HR Policy?

The second part of the headline is: "...and Why You Should Care."

What I'm talking about is what happens when you dismiss someone, or when they decide to leave: how long does it take your HR and IT departments to cancel that person's user IDs and privileges?

PCI actually has a fair bit to say about your procedures here, and even if you fill out a simplified SAQ, you should take a look. For example, Requirement 3.6.5 says that if the employee who leaves happens to be an encryption key custodian (or otherwise has knowledge of a clear-text key or key component), you retire or replace the affected encryption key(s). It sounds simple and obvious when you think about it, but will you know about this rather important detail when it happens? Does HR? Does IT know to tell HR (or vice versa)?

Then there is our old friend 8.5.4, which requires you to revoke immediately (the Council splits that infinitive, but ...) the access of any terminated employee, and "access" means every password, token and remote-access credential the person holds, not just the one network login. But what does "immediately" mean? To me, it means certainly no later than close of business on the employee's last day. If you want a classic example of what can happen when that doesn't occur, you might want to check out this post from SANS.

You may want to terminate the user's ID the day before when the termination is "for cause." For an employee who is leaving voluntarily, it may be a good idea to terminate privileges as soon as notice is received (typically two weeks in advance), or at least to restrict the employee's permissions severely for the notice period.
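The only way to know whether "immediately" actually happens is to reconcile the HR departure list against what the directory says, so here is an added example of that check; it is not code from the original post. It takes a constructed HR export and a constructed directory export (sample data, not real people), encodes the policy described above (revocation by close of business on the last day, the day before for a for-cause termination, and key rotation whenever a key custodian leaves), and reports every account that was revoked late, is still enabled past its deadline, or belongs to a departing custodian. "Close of business" is assumed to be 17:00; the field names are assumptions as well, since any real HR or directory export will have its own.

```python
"""Reconcile HR departures against directory account state.

Added example, not from the original post. All sample data is constructed.
Policy encoded: access revoked no later than close of business (COB) on the
employee's last day, COB the day before for a for-cause termination, and a
key-rotation action for every departing key custodian.
"""
from datetime import datetime, timedelta

COB_HOUR = 17  # assumption: "close of business" is 17:00 local time

# Constructed HR departures export (field names are assumptions).
HR_DEPARTURES = [
    {"user": "alice", "last_day": "2011-06-17", "type": "voluntary", "key_custodian": False},
    {"user": "bob",   "last_day": "2011-06-20", "type": "for_cause", "key_custodian": True},
    {"user": "carol", "last_day": "2011-06-21", "type": "voluntary", "key_custodian": False},
    {"user": "dave",  "last_day": "2011-06-22", "type": "voluntary", "key_custodian": True},
]

# Constructed directory export: whether each account is enabled and, if not, when it was disabled.
ACCOUNTS = {
    "alice": {"enabled": False, "disabled_at": "2011-06-17T16:30:00"},  # on time
    "bob":   {"enabled": False, "disabled_at": "2011-06-22T09:15:00"},  # for cause, days late
    "carol": {"enabled": True,  "disabled_at": None},                   # left yesterday, still active
    "dave":  {"enabled": True,  "disabled_at": None},                   # last day today, deadline not yet passed
}


def revocation_deadline(departure, cob_hour=COB_HOUR):
    """Latest acceptable revocation time for one departure record."""
    deadline = datetime.strptime(departure["last_day"], "%Y-%m-%d").replace(hour=cob_hour)
    if departure["type"] == "for_cause":
        deadline -= timedelta(days=1)  # the post's suggestion: the day before, when for cause
    return deadline


def minutes_between(later, earlier):
    """Whole minutes from `earlier` to `later`."""
    return int((later - earlier).total_seconds() // 60)


def audit(departures, accounts, now_iso, cob_hour=COB_HOUR):
    """Return a list of findings for every departure that violates the policy.

    `now_iso` is the audit time as an ISO-8601 string so the check is repeatable.
    """
    now = datetime.fromisoformat(now_iso)
    findings = []
    for dep in departures:
        user = dep["user"]
        deadline = revocation_deadline(dep, cob_hour)
        acct = accounts.get(user)
        if acct is None:
            # HR knows about a departure that IT has no record of: worth a look either way.
            findings.append({"user": user, "issue": "no directory record"})
        elif acct["enabled"]:
            if now > deadline:
                findings.append({"user": user, "issue": "still enabled",
                                 "overdue_minutes": minutes_between(now, deadline)})
        elif acct["disabled_at"] is None:
            # Disabled, but nobody recorded when: the deadline cannot be verified.
            findings.append({"user": user, "issue": "disabled without timestamp"})
        else:
            disabled_at = datetime.fromisoformat(acct["disabled_at"])
            if disabled_at > deadline:
                findings.append({"user": user, "issue": "revoked late",
                                 "late_minutes": minutes_between(disabled_at, deadline)})
        if dep["key_custodian"]:
            # Revoking the login is not enough: the keys the custodian knew must be replaced.
            findings.append({"user": user, "issue": "key custodian departed: retire or replace the keys they held"})
    return findings


if __name__ == "__main__":
    for finding in audit(HR_DEPARTURES, ACCOUNTS, "2011-06-22T10:00:00"):
        print(finding)
```

Run against the sample data at 10:00 on 22 June, the report flags bob twice (revoked some 64 hours after his for-cause deadline, and a custodian whose keys need replacing), carol once (still enabled 17 hours past close of business on her last day) and dave once (custodian, though his login is not yet overdue). Running it again after 17:00 the same day adds dave's still-enabled account, which is the point of scheduling the check rather than running it once.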

In these difficult times, it makes sense to look at all the aspects of where PCI can protect your institution.
