One solution, suggests Bernie Cowens, vice president of security services at IT consulting and security solutions company Rainbow Technologies, is for companies to go through a process of figuring out which people in the organizational hierarchy have high levels of access and to then make sure that any termination actions involving those people are handled with kid gloves. "They tend not to be people with big titles - in fact, they can be quite low-level," he says. "Then bring together a standing or ad hoc committee of people from legal, human resources and the information security function to go through a step-by-step process of understanding what systems each individual has access to, how and when to turn off that access, and when to remove the passwords."

But what about the "average" employee - someone who might not have administrator rights to an IT system, but who could still damage or steal information if he so minded? One answer is to create access "profiles" associated with each job description in the organization, laying down the access rights that an individual in each position has, suggests Michelle Drolet, CEO of Conqwest, a Holliston, Mass.-based security and policy-assessment consultancy. Gathered together under a single profile, she says, it's easier to see when individuals have more access than they should, and it's much easier to switch that access off when they leave. "Firewalls just don't cut it anymore," she says. "It's all about access rights."

Discovery's Cimmino points out that regular housekeeping is required to keep the details of access rights current. At his company, for example, managers routinely receive e-mails from the administration function, in effect saying: "This is who we think you've got in your organization." Another smart tactic Cimmino offers is to provision contract and temporary workers with accounts that have automatic "stop dates," after which they cease to function, unless extended. In theory, of course, the account gets killed the day the employee leaves, but if for some reason that shouldn't happen, the stop date acts as a useful backstop.

Hence the attraction of so-called active directory approaches, where a dedicated system - often linked to the HR system - manages the provisioning and de-provisioning of user accounts. Especially for large and decentralized organizations, active directory management is seen as a way to securely provide, and remove, user rights at grassroots level without the costs of a hefty IT presence. "As soon as the notification comes from HR, an individual's account is disabled," says Siegfried Jagott, an IT consultant with Siemens Business Services. Jagott managed the implementation project of an active directory management solution from Aelita Software for Siemens Power Generation of Munich, Germany, which houses 22,000 employees. The disabling is for two or three months, after which the data is deleted - not permanently, as German law requires its retention for up to 10 years. "The disabling feature is useful as people occasionally return, and disabled accounts can be reinstated with the same user name and other details," Jagott says.

Man with the Plan

Helpful as they are, technical solutions are still only a step on the journey toward well-managed terminations. Happily, a few companies are further down that path. British Telecom (BT) is an example. Andy Hodgson, vice president of security at BT's global services division, explains that with just 100 staffers and a virtual security team to police the security of the 20,000-employee division (which operates in43 countries around the world), the company relies heavily on a detailed termination checklist that the manager of every departing employee must complete and sign. BT regularly audits compliance with the process.