Identity Management Series – HR as a Source of Record Part 4: Terminations – Security Catalyst

In the last article, we discussed how to identify access transfers from HR data. Now we’re in the home stretch: terminations.

Compared to transfers, terminations are pretty easy, but there are a couple of gotchas, as mentioned in this month’s introduction. A termination in the HR system means the employee is no longer getting paid. However, the termination date for getting paid may or may not coincide with the date the employee should stop having access to the company’s systems.

As with transfers, removing terminated users’ access in a timely fashion is a key control for a variety of audit regulations, including SOX and PCI. On the other hand, it’s also a customer service issue – remove the user’s access too soon and it’s disruptive to the business (and can cause significant turmoil if the employee has not yet been notified of their termination).

Here are the key considerations for how HR data can be manipulated to feed identity management the right information to handle terminations.

“Last Day Worked”

If your HR system has a Last Day Worked field and it is actively populated and used, you’re home free: 99.9% of the time, last day worked = last day access is needed. In this case, there is one possible gotcha: the employee stays on in their current job function, but as a contractor.

Remember, the HR system focuses on payroll. Because of this, if an employee changes status from “employee” to “contractor” they may still be terminated from an HR perspective – especially if non-employees are stored in a different HR system. From an access perspective, it’s business as usual, although such individuals might need to be run through the transfer process to re-approve their access.

There are three ways to handle an employee becoming a contractor in the same job function; by handle I mean ensuring that the user does not experience an access interruption:

  1. Find out if this is even a possibility at your company. If it isn’t, you’re done.
  2. Find out if the HR system has some sort of flag (e.g., a termination reason – see below) that will identify this situation. If it doesn’t, see if this can be added to the system – that would be ideal.
  3. Accept that this is a rare occurrence and not worth handling with technology. In this case, consider launching an awareness campaign with hiring managers and HR so that they remember to notify your access services team when this situation arises.

Analyzing termination reasons

If the Last Day Worked field is not reliable, an analysis must be done on termination reasons. Typically, the HR system will provide some sort of drop-down menu where the reason for termination is specified – things like “got another job,” “retired,” “reduction in force” (i.e., laid off) – although these are typically represented as codes, not text.

There is usually an indication if the termination was voluntary or involuntary. The list of reasons isn’t trivial – there can be a couple dozen reasons including things you might not expect like “deceased,” “going to active military duty,” and “didn’t like the dress code.” As an aside, I was amused to see one HR system in which military duty was considered an involuntary termination, while deceased was considered a voluntary termination. 🙂

It is important to analyze all of the termination reasons and determine (with the help of the HR experts) which termination reasons would normally correspond with the last day of work, and which might not.

The termination reasons that most likely need to be flagged are listed here, but there may well be others – make sure that the HR team clearly explains any of the more ambiguous reasons:

  • Reduction in force
  • Retirement
  • Leave of absence (this is one that might need to be looked at even when there isn’t a termination associated with it, but that’s outside of our current scope)
  • Becoming a contractor (if that’s an option)

You may also want to discuss executive termination with the HR team. Although this may not be flagged specifically in the termination reasons, executives are the most likely to keep getting paid for a long time even when they’ve stopped needing access. Additional workflows may be needed to handle this situation, or simply an awareness campaign with the HR department so that they remember to notify the access services team when an executive gives notice.

“Termination Date” and “Action Date”

In the identity management world, we typically consider the termination date to be the last day that someone works. In the HR world, termination date is usually the first day that the user doesn’t get paid – in most cases this would be the day after the last day worked. This is an important distinction, and one that should be confirmed for your HR system, because you don’t want to cut off someone’s access on the last day they work – this is the day when they’re trying to wrap things up and get going. There’s no telling if they’ll be done by 10am or 10pm, and it can have a pretty negative business impact if a premature loss of access keeps them from finishing their work.

If HR termination date = last day the person works, make a note to configure identity management to begin the auto-deprovisioning processes on HR termination date + 1. If HR termination date = first day the person isn’t getting paid anymore, it can safely be used as the date to start auto-deprovisioning.

For those termination reasons where the access termination date is before the HR termination date, the action date might be useful. The action date is the date on which the information is entered into the system. For example, it’s common practice to enter a termination into the system for someone being laid off after they’ve been notified of the layoff. If laid off = escorted out right away, identity management could use the action date (or action date + 1) to trigger auto-deprovisioning. In this case, action date would be before termination date.

In the case of a vacation or leave of absence before termination, there may not be usable data in the system. These scenarios should be discussed with the HR team, and a workflow or awareness campaign might be warranted.
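As an added example (not code from the original article or from any HR or identity management product), here is one way to encode the date rules above for a record pulled from an HR feed. The reason codes, the "QUIT" code and the sample records are constructed for the example, and routing contractor conversions to transfer review and retirements/leaves to a manual workflow is my reading of the article, not something a specific HR system provides.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional, Tuple

# Constructed reason codes for this example; every HR system has its own code table.
REASON_RIF = "RIF"         # reduction in force (laid off)
REASON_RETIRE = "RET"      # retirement
REASON_LOA = "LOA"         # leave of absence preceding the termination
REASON_CONTRACTOR = "CTR"  # stays in the same job, but as a contractor

# Confirm with the HR team: is the HR termination date the last day worked (True)
# or the first unpaid day (False)? This decides whether the fallback rule adds a day.
HR_TERM_DATE_IS_LAST_DAY_WORKED = True

@dataclass
class HrTermination:
    employee_id: str
    termination_date: date            # "termination date" as recorded by HR
    action_date: date                 # date the termination was entered into HR
    reason_code: str
    last_day_worked: Optional[date] = None  # set only if the field is reliably used

def deprovision_start(rec: HrTermination) -> Tuple[Optional[date], str]:
    """Return (date auto-deprovisioning starts, rule applied); None = manual workflow."""
    one_day = timedelta(days=1)
    if rec.reason_code == REASON_CONTRACTOR:     # access continues; re-approve it
        return None, "transfer-review"           # through the transfer process
    if rec.last_day_worked is not None:          # best source: access ends next day
        return rec.last_day_worked + one_day, "last-day-worked"
    if rec.reason_code == REASON_RIF:            # escorted out once notified, so the
        return rec.action_date + one_day, "action-date"  # entry date is the trigger
    if rec.reason_code in (REASON_RETIRE, REASON_LOA):   # pay continues, no usable date
        return None, "manual-workflow"
    if HR_TERM_DATE_IS_LAST_DAY_WORKED:          # ordinary resignation: HR date, adjusted
        return rec.termination_date + one_day, "hr-termination-date+1"
    return rec.termination_date, "hr-termination-date"

# Constructed sample HR extract: one record per case discussed in the article.
SAMPLE_RECORDS = [
    HrTermination("E1", date(2024, 3, 29), date(2024, 3, 1), REASON_RIF),
    HrTermination("E2", date(2024, 3, 29), date(2024, 3, 1), REASON_CONTRACTOR, date(2024, 3, 29)),
    HrTermination("E3", date(2024, 3, 29), date(2024, 3, 1), "QUIT", date(2024, 3, 15)),
    HrTermination("E4", date(2024, 3, 29), date(2024, 3, 1), "QUIT"),
    HrTermination("E5", date(2024, 6, 30), date(2024, 3, 1), REASON_RETIRE),
]

def schedule(records) -> Dict[str, Tuple[Optional[str], str]]:
    """Map employee id -> (ISO start date or None, rule applied) for the audit trail."""
    out = {}
    for rec in records:
        start, rule = deprovision_start(rec)
        out[rec.employee_id] = (start.isoformat() if start else None, rule)
    return out
```

Note that the contractor check runs before the Last Day Worked check on purpose: for E2 the field is populated, yet removing access on that date is exactly the interruption the article warns about.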

In the next article, we’ll wrap up this month’s activities with a general discussion of HR data cleanliness, and how identity management can find the HR data it needs and pull it.

Ioana Bazavan Justus