04) Does your organisation have a process for editing or removing employee access to business confidential information (whether digital or physical) when they are changing role or leaving the company?
IT Operations Access Removal
Written by Haydn Brooks
Created on March 18, 2019
Modified on April 21, 2020

Answer yes if your organisation has a formal process that ensures employees, contractors and third-party users have all access to business information removed when they leave the organisation.

Your company's information security policy should detail the criteria under which information access will be granted and the circumstances under which that access will be removed. To underpin the policy, a robust security procedure should:

  1. record who has access to business information;
  2. have the capability to audit access to business information;
  3. enable access to be immediately revoked as required, for example on an employee leaving the company.

Step 3, removing an employee's access upon termination of their employment contract, is a key step within the HR Leaver Process.

How to implement the control:

For small companies, a template Leaver’s checklist can be requested at info@riskledger.com. You must ensure that all line managers fill in the checklist when a new employee or contractor joins, and that they complete the checklist when they leave (this includes revoking any access to business information).

For larger companies, we suggest the IT team ensure that a formal step for revoking employee access is built into their IT service desk and leaver processes.
