Step 5 of 5 to Quantifying Insider Risk

by Mike Tierney | Feb 14, 2017

Address Risk During your Termination Process

One of the best practices found in the Common Sense Guide to Mitigating Insider Threats – a document written well ahead of its time by the world-renown CERT division of Carnegie Mellon University’s Software Engineering Institute (SEI) – is the need to develop an employee termination process that takes into account the threat a departing employee can pose.

Whether being terminated or leaving on their own accord, the exit period poses one of the highest risk timeframes to an organization. Loyalties quickly shift from the organization to the individual, and thoughts move from responsibilities to their soon-to-be “former” employer to a focus on the next job and its’ requirements.

To mitigate insider risk during this high-risk exit period, two processes must be put in place – one to address an employee that is being involuntarily terminated, and another to address a voluntary termination (resignation) involving a notice period. It should be noted that this guide touches on steps normally taken by HR. However, this guide is strictly focusing on those steps that help to mitigate insider risk and, therefore, should not be misconstrued as presenting a comprehensive termination process.

While having very similar steps, they should be considered separate processes to ensure service levels are properly defined and met when put into action.

Involuntary Termination

This involves a situation where an employee is being laid off or discharged. Since in most cases this is not a pleasant separation, the assumption is that the employee’s loyalties will quickly diminish to zero, putting the responsibility of ensuring confidentiality and the security of organizational data and resources firmly on members of the Security team. The process should begin the moment the decision is made to terminate employment, and will include one or more of the following tasks (depending on your organization):

  • Notification of desire to terminate – This is the first step in the process where internal management notifies HR (or equivalent) of the need to terminate an employee. This needs to be done as soon as the decision is made.
  • Notify IT of termination and employee last day – IT needs to be informed that an employee’s access will need to be revoked, and when to revoke it. This also should initiate an audit around any organizational assets currently possessed by the employee.
  • Conduct a 30-day Activity Review – A review of the last 30 days of the employee’s online and communications activity must be conducted. In many cases, involuntary termination isn’t a surprise to the employee and loyalties may have shifted weeks prior, giving the employee ample time to exfiltrate data, etc. This 30-day period has been shown to be the time when a great deal of IP and other confidential information are taken. Completing a comprehensive review without the type of detailed information that UAM can provide in a single pane of glass can be difficult, but if you cannot convince your organization to provide you with purpose built tools, make best efforts using what you have – but be sure to let management know you are giving them a report based on what you had available to you
  • Notification of any inappropriate activity found – Should any questionable, or unquestionably inappropriate actions be found during the activity review, HR and Legal should be notified. The actions found may have consequences on how the termination itself will proceed.
  • Employee notification of termination – This begins the actual process of terminating employment.
  • Review of Signed CIPA with employee – One of the first steps in every termination, the CIPA should not just be presented to the employee, but reviewed, explaining the obligations this document lays out – that the employee has previously agreed to. At this point, it is also prudent to mention that the employee will be asked to sign a Certificate of Return and Destruction from the employee prior to leaving.
  • Terminate Access – While notifying the employee and reviewing the CIPA, access to all data, systems, applications, and resources should be terminated by IT.
  • Return or destruction of company property – All company property should be returned and all company data (in all possible forms – printed, in email, stored in files on a USB drive or cloud storage, etc.) should either be returned or destroyed.
  • Obtain signed Certificate of Return and Destruction – The employee is asked to sign the legally binding document, indicating they are taking, nor have access to, any company data – whether confidential or not – with them once they leave the organization.

Each task should have a responsible role or individual and a service level timeframe assigned. This way expectations are communicated to each person involved regarding expected response times. The timeframes will vary, based on risk scores and perceived immediacy, noting that exceptions to these will occur. Some tasks require another role or individual to be notified; this should also be documented with a given task, when appropriate.

When an employee leaves of their own volition, this process begins the moment notice is given (one of the differences between this and the involuntary termination process). Voluntary termination can also be initiated by an employee no longer showing up for work a designated number of days without providing any notice, in which case, the process begins based on HR’s definition of Job Abandonment.

The process for a voluntary termination is very much like that of the Involuntary Termination, with a few task exceptions:

  • Employee provides notice – There is an assumption (putting job abandonment aside) that the employee will provide notice, kicking off the termination process.
  • Notice period determination – The organization needs to decide whether they wish to accept the notice period, or modify it.
  • Conduct a +/- 30-day Activity Review – Should an employee’s notice period be accepted, their activity from the date of notice to the date of employment termination should be reviewed in addition to the 30 days prior to the date of given notice.

Another difference will be the timeframes for each task. For example, the review of the CIPA should happen on the day of notice given, rather than the day of termination – as in the case of the involuntary termination. Lastly, service levels may also differ – such as notification of termination to IT. In the voluntary termination scenario, IT should be notified the same day notice is given, but immediately during an involuntary termination.

See Guide Essentials: Risk-Lowering Termination Process – Use this document as the basis for defining termination process roles, actions to be performed, assignments of actions, and service levels to be met.

While the entire process has been simplified down to just 5 steps, determining where to begin can be pretty daunting. Do you need to start scoring every position within the organization? You already have a job to do, so it’s unlikely you could even if you needed to.

In reality, the most important part of where to start is simply starting. Begin with any open positions that are being filled by HR – these will be filled by people you know the least. Score those positions, along with a few positions you know should be of higher risk as a point of reference. Once you have those completed, you can begin to profile positions you know represent an insider risk (just not how much) – those that daily interact with confidential data, intellectual property, customer data, and the like - and begin to build out a comprehensive set of positional risk documents.

Even if you don’t have a UAM or UBA solution ready to implement, quantifying insider risk at least gives you some perspective on how big the problem is within your organization – which may help speed up the selection and purchase of a solution to help monitor user behavior and activity.


Insider threats represent one of the greatest challenges of organizations today. Not only are they capable of involving your organization’s most confidential and valuable data, but they are also the most difficult to identify. Insider risk begins the moment the employee steps foot in the door, and ends the moment the door permanently closes behind them. So, it’s important to follow this guide from beginning to end, to properly implement controls that protect the organization from insider risk at all stages of an employee’s tenure within the organization.

By taking the steps outlined in this guide, you will have a better understanding of just how much insider risk exists, and – more importantly – where it exists. The guide also provided enough direction to put preventative steps in place to be able to thwart, detect, and – if needed – document insider threat activity.