So what exactly do you do when a staff member resigns unexpectedly? What do you do when that person had the keys to everything? Here are some things to help you cover all of your bases when trying to secure your network and other access points. It’s by no means a definitive list, but it covers a lot of areas that can be easily overlooked.
1. Network Logins – This is probably the easiest area to secure. At the very least, you should start by changing the account password. Ideally you can completely disable the account, but you may need to grant access to someone else to look through files and e-mails or to handle job duties that are tied specifically to the user’s login.
2. E-mail – If you’re running an internal e-mail service, this may be taken care of with the above step. If you are using something like Google Apps or a hosted Exchange service, you’ll need to use your administrator access to close down this account and perhaps add an auto-responder to indicate that this person no longer works for your organization or a forwarding rule to pass on e-mails to someone else who is taking over those duties.
4. Online Banking Accounts – If the person who left had any sort of access to your online financial information, you’ll want to change passwords, disable accounts, and notify your banking institutions. While the majority of people who are leaving have no desire to cause any harm, this is an area where no chances should be taken!
5. VPN, Remote Access, Blog, or Website accounts – This is most often handled by the person’s network login, but could very well be set up in some other way. Disable or modify any accounts that would give this user remote access to or control over systems in your organization. This may include routers, DNS accounts, web hosting accounts, blogging accounts, etc. If you’ve been using Twitter, Facebook, MySpace, MyChurch, or similar sites, don’t forget to remove this person as a manager or administrator. For Twitter, consider changing the password of the account used to post updates.
5. Keys and Key cards – This is usually a given, but if you suspect that the person may have made copies, it could mean that you’ll be changing locks.
7. Security Codes and Combination Locks – Any alarm codes or access codes that could be manually entered should probably be changed. Don’t forget combination locks that may be in use, or even the safe combination if the situation warrants it.
8. ChMS (church management software) Access Rights – This may not matter much if you’re using a local-only service, but it could be a big deal if you’re using something that’s web-enabled such as FellowshipOne, Arena, CCB, Access ACS, or similar services. At the very least, change their password. In fact, I’d recommend changing their password first, then delegating whatever rights they had before disabling or deleting the account. You’d be amazed at how many things some of these people used that were only accessible from their particular login. Sometimes they’re the only admin. Sometimes they’re the only person with access to pre-defined sets of people or reports. Regardless, change the password and log in as them to see what they used to do and what they could see.
8. Check Time-controlled Access points – We found that sometimes we had doors locking or unlocking when nobody was using the building. Ideally you should check this periodically and definitely when you change service times, but you should double-check the schedules just in case the building is opening at times when nobody should be there.
9. Local Computer Accounts – If you have physical security, this should be a minimal problem, but perhaps some folders or files were locked down to their specific account. If so, you’ll want to transfer those access rights to someone else or perhaps a group of users.
11. Social Engineering – Social engineering (getting access through people still at the church) is the trickiest problem to handle. Often people leave unexpectedly for reasons that cannot be disclosed to the rest of the church or staff. People need to be aware when some of these cases need to be handled in an even more secure manner than normal. They still don’t necessarily need to know specifics, but should know that the departed person is not to be allowed access to systems, information, etc. that they would have had as a staff member. This can be a tricky area to handle, but should be considered if they’re likely to have influence with current staff or members.
11. Backups – You’re checking your backups, right? Are they secure? Are they going off-site or to an online backup site? Who can access those backups? If this staff person was one of those people, they should be removed from that group of people handling backups. This is especially true if you’re backing up your files online. Change the account and/or password so they can’t take information they shouldn’t have.
13. Scheduled Jobs – Scheduled jobs are easy to overlook, but if the departing staff member was a technical person, it wouldn’t be hard to write something that causes problems when it finds that an expected account is disabled or missing. Jobs can even be set up to send regular reports to an external address. Malicious scheduled jobs are unlikely, but it’s worth checking for jobs that have no purpose or even a destructive purpose. If you come across a job that is unfamiliar, check it out or ask someone to take a look at it.
13. E-mail again – If you don’t want to completely delete this e-mail account or have e-mails set to forward to some catch-all address, don’t forget to unsubscribe the person from mailing lists. We had a lot of catch-all addresses or orphaned e-mail accounts from people who used to work for our church that were not set up when we moved our mail service. Those were forwarded to the administrator’s account and we spent a lot of time unsubscribing people from various mailing lists for a while. We still get the occasional message, but less frequently now.
15. Credit Cards, Merchant Accounts, Vendor Accounts – This covers anything that lets the person spend money on behalf of the church. If they had a church credit card, that needs to be cancelled. If they could spend the church’s money, that account or relationship should also be terminated or transferred.
15. Voicemail – Change their voicemail password or delete/disable their account. Perhaps setting up forwarding to a different phone number or mailbox would also work. Make sure someone’s checking it if you do that.
16. Common or Shared Passwords – By far, the most common password for church workers seems to be John3:16 in one form or another. First – stop using this as your password! Now! Change it if this is your password! Now that I’ve said that, if you have shared accounts that people use or perhaps passwords that are common knowledge, change them and let those who use the account know the new password. Make sure that they don’t pass it on or leave it lying around.
17. Collect the church’s equipment – Not all churches issue equipment for people to take off-site, but if your staff member had equipment that belongs to the church, make sure you collect it from the staff member. If you’re not maintaining an inventory, this may be a good time to start one.
18. Cell Phones or other recurring expenses – Some staff members have cell phone bills regularly paid by the church. Maybe they liked to read certain magazines that nobody else uses. Look for any recurring expenses that are paid by the church and cancel or transfer them.
19. Remove printed or online references – Remove the staff member’s name and contact information from your website and any printed materials. Replace it with someone else as appropriate, but stop printing materials with their name.
20. Back up their personal files and/or e-mail – Finally, back up their personal files and their e-mail for future reference. If there’s a supervisor, you can give the files to that person. If you have a good relationship with the staff member who’s leaving, you may be able to give them the files that are definitely personal. Regardless, keeping an archive of their files and e-mail may prove invaluable down the road if something comes up that only your departed staff member knew about.
If I’ve missed anything obvious, let me know in the comments or discuss further in the forums.