No hard and fast rule for provisioning
by VPNHaus | 07/01/2010 | Industry Commentary
VPN Haus contributor Ben Ruset posted some food for thought on his blog about employee provisioning. Some people assume the best course of action is to immediately deprovision departing employees from the network. But Ruset brings up some good reasons why this approach isn’t always best.
This presents a problem because if IT takes it upon itself to delete a user that it thinks should be deleted there's a risk that important data could be lost, or that the user has a legitimate need to retain access for one reason or another. On the other hand, if IT decides to do nothing, there's a vector for attack where, depending on the circumstances of the employee's departure, they might have a motive to use the enterprise's resources maliciously.
We agree with Ruset’s solution – “have strong policies in place that dictate the workflow of a user request. This is a policy that both HR and IT need to agree to, and it needs to be efficient, effective, and enforceable.” But, as he points out, this policy is often not created or simply not enforced. We understand that provisioning isn’t the sexiest part of an IT person’s job, but that’s not a good enough reason to let provisioning fall by the wayside. Ruset points out:
HR should notify IT that there's a departure and fill out a request to have the account disabled. Depending on the circumstances of the departure it might be necessary to escalate that to a higher priority level, or let IT know about any special requests (i.e., do not delete but disable the account, forward email somewhere, etc.). IT then should expediently handle the request and again confirm with HR that the request has been completed.
He acknowledges that provisioning “is one of the most crucial but utterly boring parts of IT.” Is this the reason that developing – and enforcing – a solid provisioning policy is such a challenge for organizations? Chime in with your thoughts.