Tough Times Demand Heightened Security Measures for Personnel
Thu, 2009-06-04 16:09

In these tough economic times, more and more businesses are turning to layoffs and using temporary workers to improve their bottom lines.  The transition of workers both out of and into the workplace raises a number of security risks that should not be overlooked.  One means of mitigating those risks is to create ingress and egress checklists:  checklists of specific steps that must be completed when transitioning an employee out of the business and when transitioning a temporary or new employee into the business.  While most companies have these “steps” identified in various forms in various places, taking the time to bring them together into one omnibus checklist is well worth the effort.  Doing so will greatly reduce the possibility of overlooking a key step.

The content of these checklists should not be unfamiliar to most readers.  With regard to information security, relevant outgoing personnel must have executed an appropriate non-disclosure and intellectual property ownership agreement, including the protection of trade secrets.  Those personnel must be counseled as part of the exit process about their ongoing obligations to protect and not use company confidential information and intellectual property.  In certain instances, if the employee will be joining a competitor, it may be appropriate to send a letter to the competitor advising them of the former employee’s confidentiality and intellectual property obligations.  Transitioning employees should also be required to return all company materials in their possession, including electronically stored materials on the employee’s home computer, smart phone, etc.  Of course, any exit checklist must include the prompt revocation of the former employee’s physical and logical access rights.  Unfortunately, this last item continues to be overlooked on a regular basis by even the most sophisticated companies.

Among other steps, temporary and other workers being transitioned into the business must receive basic information security training and execute appropriate confidentiality and intellectual property ownership agreements, and their access to corporate data must follow the principle of least privilege.  The challenge is that temporary workers are just that:  temporary.  For short duration workers, there may be a tendency to skip over normal intake procedures and training or only address them in a cursory manner.  This may be an acceptable business risk if the worker’s access to company information and operations will be strictly limited.  That decision, however, must be made on a case-by-case basis.  Nonetheless, the end result should be that all workers have been duly educated about their security and other obligations to the company and that other measures have been implemented to ensure those workers, because of their transitory nature, do not create undue risk to the company.
