Strategies


Security: Provisioning

Firing Line

20.09.2003
By Malcolm Wheatley

For an example of a common, yet inadvisable procedure, McCausland says look no further than the practice of ushering departing employees off the premises. Far from preventing people from stealing data or lashing out in some other manner at their former employers, this process might actually be encouraging them. "Employers sometimes ask me, 'Should we escort people out?' And I say to them: 'Why? Are they going to damage something on the way out? Or steal something? No. Treating people like a suspect is more likely to cause them to retaliate.'"

"Treating a terminated employee as a serious security risk -by escorting them out of the building under guard, for example - increases the likelihood that they will be a danger," agrees David Creelman, chief of content and research at human resources management portal HR.com. "Terminated employees don't have guns to pull at the termination interview. But if they feel betrayed and humiliated then they may go home, get a gun and come back. Most companies overreact on security. They march good people out the door under security escort, which simply damages morale in the company and greatly enhances the likelihood of a wrongful termination suit or other retaliatory action."

Top CSOs chime in as well on this point. "You probably are asking people to retaliate," says Grant Crabtree, vice president of corporate security at Alltel, an $8 billion telecom service company. "Under some circumstances it might be warranted, but it would have to be exceptional for us to do that. I think many of my colleagues would agree."

McCausland says existing termination policies frequently focus on things that touch only peripherally on security issues, if at all. Instead, their focus is often on avoiding unfair dismissal suits and the like. "Companies have become accustomed to lawsuits and litigation when terminating people and now think ahead and say, 'Should I terminate this person? And if so, how do I terminate them?'" she says. "But beyond that, they often don't think very far ahead at all."

Disabling information systems access is another area that a good policy should spell out clearly. "It's one of the great missed opportunities in security," says Giuseppe Cimmino, director of corporate systems architecture at Discovery Communications, the parent company of the Discovery Channel, Animal Planet and The Learning Channel. "Security consultants focus on the bits and bytes of firewalls and not on the accounts that remain provisioned for people who don't exist." Once again, hard evidence is scant, but what evidence there is certainly supports Cimmino's assertion. A survey into corporate identity management practices, published jointly by Novell worldwide services, Stanford University and Hong Kong University of Science and Technology in March 2003, found that 43 percent of companies surveyed took more than two days to revoke the access rights of departed employees - and that 15 percent took more than two weeks. Incredibly, some businesses appeared never to revoke access rights at all.