What are finance organizations doing when employees change or leave jobs?
As an employee’s responsibilities shift when moving to a new position within a company, so too should their user rights, so that their level of access stays relevant and safe. And when an employee leaves altogether, organizations must ensure that they sever access completely.
What the compliance requirements are
PCI DSS leaves no room for interpretation when it comes to different employee roles within an organization. Requirement 7.1 states “Limit access to system components and cardholder data to only those individuals whose job requires such access.” So when employees move roles, organizations must adjust access rights accordingly. And for exiting employees, Requirement 8.3.1 states that administrators must “revoke access for any terminated users” and ensure that “all physical authentication methods — such as, smart cards, tokens, etc. — have been returned or deactivated.”
The FSA’s factsheet is equally clear on employees who move roles: “It is good practice to consider whether staff who change roles retain access rights that they no longer need and to conduct regular reviews of individuals’ IT access rights.”
Brits fall behind US companies again
Despite the compliance requirements on moving employees being clearer in the UK, many British organizations fall far short of American companies in addressing roles and privileges. Just 34% of UK and 61% of US organizations have the ability to set and manage temporary access rights. And when employees move within a company, just 27% of UK organizations review and adapt access rights, compared with 52% of US organizations.
The most worrying finding of all though is that 48% of UK organizations do not immediately revoke access rights when employees leave, compared with 32% in the US — leaving a massive window of opportunity for an ex-employee to steal sensitive information.
Indeed, those we surveyed were honest in their answers when we asked if they had access to their previous employer’s networks post-employment. 35% of US employees and 9% of UK employees said yes. Just 40% of US and 67% of UK employees underwent a formal de-registration process before leaving.