As associate and/or intern programs come to a close, firms should properly document the termination process for each departing associate or intern. The SEC's cybersecurity examinations, in particular, may ask for evidence of timely access revocation and the return of firm systems.
Specifically, firms should validate the following:
- Associate/Intern Laptops - If the associate/intern will be allowed to keep their laptop, all firm-sensitive data and access must be fully removed. The machine should be completely wiped, either by installing a new hard drive or by completing a DoD-compliant wipe, so that no data remnants remain on the device. Any software or operating system installed after the wipe should not use firm licensing, such as Microsoft Volume Licenses or antivirus site licenses;
- Account Revocation - Accounts should be revoked in a timely fashion, ideally on the evening of the associate/intern's last day of employment;
- DLP Review - Review email archives and file audit logs for inappropriate access or data transmission prior to departure. Search for messages sent to personal email accounts and for messages with attachments to identify possible data theft;
- Access Revocation - Ensure the following are revoked or collected, along with all items noted on your Termination Checklist, with documented completion of each:
  - Any certificates used, such as for VPN connectivity;
  - Physical badges;
  - RSA/two-factor tokens (both hardware and software);
  - Cloud service accounts, including news, media, or research providers; and
  - Credentials for shared accounts at vendors/service providers, which should be rotated in a timely fashion;
- Email - Where the email system is not Active Directory integrated (so disabling the AD account does not disable mail), email access must be disabled separately. Consider setting up an auto-reply with details of alternate contacts. Validate that no auto-forward rules are set up on the account.
For each associate/intern, be sure to document these steps, and any others, taken in connection with their departure.
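The DLP review and the auto-forward check above are the two departure steps most easily turned into a repeatable, documentable script. The following is an added example (not ACA's or any vendor's tooling) that runs both checks over constructed sample data: a small set of message-trace records from the departing associate's final days, and an export of the mailbox's inbox rules. The firm domain, the list of personal webmail domains, the record field names and the sample records are all assumptions made for the example; in practice the records would be exported from the firm's mail gateway or message-trace logs.

```python
"""Departure review helper (added example; assumptions noted inline).

Implements two of the advisory's checks:
  1. DLP review: flag messages sent to personal webmail accounts and
     messages that carry attachments to any address outside the firm.
  2. Email check: flag inbox rules that forward or redirect mail to an
     address outside the firm.
"""
from collections import Counter
from dataclasses import dataclass

FIRM_DOMAIN = "examplefirm.com"  # assumed firm domain
# Assumed list of consumer webmail domains treated as "personal email accounts".
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "icloud.com"}


@dataclass(frozen=True)
class Finding:
    kind: str    # one of: personal-recipient, external-attachment, auto-forward-rule
    detail: str  # human-readable evidence line for the termination file


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def review_messages(records):
    """DLP review over message-trace records.

    Each record is a dict with keys: id, sender, recipients (list of
    addresses), attachments (count), subject. Field names are assumed.
    """
    findings = []
    for r in records:
        external = [x for x in r["recipients"] if domain_of(x) != FIRM_DOMAIN]
        for rcpt in external:
            if domain_of(rcpt) in PERSONAL_DOMAINS:
                findings.append(Finding("personal-recipient", f"{r['id']}: sent to {rcpt}"))
        # Attachments to any external recipient are reviewed, not only webmail.
        if r["attachments"] > 0 and external:
            findings.append(Finding(
                "external-attachment",
                f"{r['id']}: {r['attachments']} attachment(s) to {', '.join(external)}, "
                f"subject {r['subject']!r}"))
    return findings


def review_inbox_rules(rules):
    """Flag inbox rules that forward or redirect mail outside the firm.

    Each rule is a dict with keys: name, forward_to (list), redirect_to (list).
    Field names follow no particular product; they are assumed for the example.
    """
    findings = []
    for rule in rules:
        targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
        external = [t for t in targets if domain_of(t) != FIRM_DOMAIN]
        if external:
            findings.append(Finding(
                "auto-forward-rule", f"rule {rule['name']!r} -> {', '.join(external)}"))
    return findings


def departure_report(records, rules):
    """Counts of findings by kind; the Finding list itself is the evidence."""
    findings = review_messages(records) + review_inbox_rules(rules)
    return dict(Counter(f.kind for f in findings))


# Constructed sample data for a fictitious departing intern.
SAMPLE_MESSAGES = [
    {"id": "M1", "sender": "intern@examplefirm.com", "recipients": ["manager@examplefirm.com"],
     "attachments": 1, "subject": "Weekly status"},
    {"id": "M2", "sender": "intern@examplefirm.com", "recipients": ["intern.personal@gmail.com"],
     "attachments": 3, "subject": "docs"},
    {"id": "M3", "sender": "intern@examplefirm.com", "recipients": ["client@clientco.com"],
     "attachments": 0, "subject": "Meeting"},
    {"id": "M4", "sender": "intern@examplefirm.com", "recipients": ["client@clientco.com"],
     "attachments": 1, "subject": "Model v3"},
]
SAMPLE_RULES = [
    {"name": "Sort newsletters", "forward_to": [], "redirect_to": []},
    {"name": "Backup", "forward_to": ["intern.personal@gmail.com"], "redirect_to": []},
    {"name": "Delegate", "forward_to": ["manager@examplefirm.com"]},
]

if __name__ == "__main__":
    for f in review_messages(SAMPLE_MESSAGES) + review_inbox_rules(SAMPLE_RULES):
        print(f"[{f.kind}] {f.detail}")
    print(departure_report(SAMPLE_MESSAGES, SAMPLE_RULES))
```

Internal mail with attachments (M1) is not flagged, while an attachment to a client address (M4) is surfaced for review rather than treated as theft; the reviewer decides, and the printed Finding lines are what go into the termination file as evidence of the review.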
How ACA Can Help
ACA’s team of professionals can assist with developing termination checklists and the policies and procedures as part of a firm’s WISP. We can also review email archives for DLP concerns. Our ACA Aponix team can conduct mock SEC cyber exams to validate the evidence you may need to provide in an actual examination. For more information, contact your ACA consultant, Raj Bakhru at (212) 951-1030 or Greg Mekanik at (804) 379-7800.