…from the Information Security Perspective
Hiring new employees and promoting existing ones is good for organizational growth, but it creates work for Information Technology (IT) teams. For the Human Resource (HR) and IT departments, every hire, role change and departure is an event in the Joiner-Mover-Leaver (JML) identity process, and each one has to be reflected in who can access what.
Organisations are increasingly turning to automation to manage their JML process in an effort to reduce human error, tighten control over access, and lay the foundations of a successful identity and access management strategy.
The JML process is an essential part of an organisation's HR procedures, but it can be a significant burden. With remote working, the adoption of new technologies, and organisations often operating hybrid or multi-cloud IT estates, each employee now holds accounts across many systems, and the process grows ever more complicated.
In today’s rapidly evolving digital landscape, effective information security management is crucial to safeguard sensitive data and protect organizations from cyber threats. One critical aspect of this management is the handling of employee lifecycle events, commonly known as Joiners, Movers, and Leavers (JML). JML refers to the processes involved when employees join an organization, change their roles or responsibilities within it, or leave the organization. These events present unique challenges and vulnerabilities that need to be addressed to ensure robust information security practices.
The Impact of JML on Information Security:
Each JML event has its own set of risks and implications for an organization’s information security. Let’s delve into each phase to understand its significance:
A joiner is a new user who needs to be granted access to company systems and data, typically someone hired by the company for the first time. New employees bring new access requirements and widen the organization's attack surface. It is essential to implement a well-defined onboarding process that includes comprehensive security awareness training, user access provisioning driven by the employee's role, and adherence to security policies and procedures. Failure to do so can result in unauthorized access, data breaches, or misuse of privileges.
A mover is a user whose access requirements have changed, for example through a promotion (which requires heightened permissions to systems and data) or a shift to a new department (requiring old permissions to be removed and new ones granted for separate systems and data). As employees change roles, their access should change with them, but in practice the new permissions are usually added while the old ones are forgotten, so long-serving staff accumulate entitlements far beyond what their current role needs. Proper role-based access control mechanisms must be in place to ensure that employees have the permissions required for their new roles while revoking any privileges the new role does not justify. Failure to manage these transitions effectively can lead to unauthorized access, data exposure, or insider misuse.
As the name suggests, a leaver is a user who has left the company and whose access should be revoked. When employees leave, their departure can pose significant information security risks. It is crucial to have a well-defined offboarding process to ensure the timely disabling of user accounts, revocation of access privileges, and the return of company-owned devices. Disabling the directory account alone is not enough: existing sessions and tokens, API keys, and any shared or service credentials the leaver knew must also be terminated or rotated. Failure to address these issues promptly can result in data leakage, unauthorized system access, or misuse of resources.
Best Practices for JML and Information Security Management
To strengthen information security management during JML events, organizations should adopt the following best practices:
1. Comprehensive Policies and Procedures:
Establish clear and well-documented policies and procedures that outline the information security requirements and processes for each JML phase. These guidelines should cover employee onboarding, role changes, and offboarding, emphasizing the importance of data protection, access controls, and compliance.
2. Role-based Access Control (RBAC):
Implement RBAC frameworks that assign access privileges based on job roles, responsibilities, and organizational hierarchies. Regular reviews and updates should be conducted to ensure that access privileges are aligned with employees’ current roles and responsibilities.
3. Robust User Provisioning and Deprovisioning:
Automate user provisioning and deprovisioning processes, with the HR system as the authoritative source of who holds which role, to ensure consistency and reduce the risk of errors or oversight. Implementing centralized identity and access management solutions can streamline these processes and minimize the possibility of human error.
4. Security Awareness Training:
Provide comprehensive security awareness training to all employees during the onboarding process and periodically thereafter. This training should emphasize the importance of information security, safe computing practices, and the risks associated with unauthorized access or data breaches.
5. Timely Offboarding Procedures:
Establish a well-defined offboarding process to promptly revoke access privileges (on the employee's last day at the latest, and immediately for involuntary departures), collect company-owned devices, and ensure the return of any confidential information or intellectual property. This process should involve coordination between human resources, IT departments, and other relevant stakeholders.
6. Regular Audits and Monitoring:
Implement regular audits and monitoring of user access rights, system logs, and network activity to detect anomalies or unauthorized activity, such as an account that remains enabled after its owner has left, or entitlements that no longer match a user's role. Utilize security information and event management (SIEM) solutions to centralize and analyse log data for potential security incidents.
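The checks behind practices 2, 3 and 6 (role baselines, deprovisioning, and auditing of access rights and logs) come down to reconciling the HR feed against what the identity provider actually holds. The script below is an added example and is not from the original article or any product. It assumes a constructed HR feed, a constructed IdP export, a constructed login log in a made-up key=value format, and an assumed role-to-group baseline, and reports joiners without accounts, movers holding groups outside their role, leavers still enabled or still logging in after their end date, and enabled accounts with no HR owner.

```python
"""Reconcile an HR feed against an IdP export and a login log for JML gaps.
All records, group names and log lines are constructed for this example; the
role-to-group baseline is an assumed RBAC model, not any real organisation's."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date, datetime

# Assumed RBAC baseline: the groups each role is entitled to. Any group a user
# holds outside their current role's baseline is reported as drift.
ROLE_BASELINE = {
    "finance-analyst": {"all-staff", "finance-ro"},
    "finance-manager": {"all-staff", "finance-ro", "finance-rw", "payroll-approve"},
    "sre": {"all-staff", "prod-ssh", "cloud-admin"},
    "helpdesk": {"all-staff", "helpdesk-tools"},
}

@dataclass
class HrRecord:
    employee_id: str
    username: str
    status: str              # "active" or "terminated"
    role: str                # current role, i.e. after any move
    end: date | None = None  # termination date for leavers

@dataclass
class IdpAccount:
    username: str
    enabled: bool
    groups: set[str] = field(default_factory=set)

# Constructed HR feed: the source of truth for who should have access.
HR_FEED = [
    HrRecord("E001", "alice", "active", "finance-manager"),
    HrRecord("E002", "bob", "active", "sre"),
    HrRecord("E003", "carol", "terminated", "helpdesk", end=date(2024, 2, 28)),
    HrRecord("E004", "dave", "active", "helpdesk"),         # joiner, started this week
    HrRecord("E005", "erin", "active", "finance-analyst"),  # mover: SRE -> finance
]
# Constructed IdP export: the access that actually exists.
IDP_EXPORT = [
    IdpAccount("alice", True, {"all-staff", "finance-ro", "finance-rw", "payroll-approve"}),
    IdpAccount("bob", True, {"all-staff", "prod-ssh", "cloud-admin"}),
    IdpAccount("carol", True, {"all-staff", "helpdesk-tools"}),        # leaver never disabled
    IdpAccount("erin", True, {"all-staff", "finance-ro", "prod-ssh"}),  # kept old SRE group
    IdpAccount("svc-legacy", True, {"cloud-admin"}),                    # no HR owner
]
# Constructed login log lines in a made-up key=value format.
AUTH_LOG = """\
2024-03-01T08:02:11Z login user=alice result=success src=10.0.1.20
2024-02-27T17:10:00Z login user=carol result=success src=10.0.2.9
2024-03-03T22:41:07Z login user=carol result=success src=203.0.113.7
2024-03-05T09:12:44Z login user=erin result=failure src=10.0.1.33
2024-03-05T09:13:02Z login user=svc-legacy result=success src=10.0.9.1
""".splitlines()
LOG_RE = re.compile(r"^(?P<ts>\S+) login user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$")

def reconcile(hr: list[HrRecord], idp: list[IdpAccount]) -> list[tuple[str, str, str]]:
    """Return (finding, username, detail) for every JML gap between HR and the IdP."""
    accounts = {a.username: a for a in idp}
    findings: list[tuple[str, str, str]] = []
    for rec in hr:
        acct = accounts.get(rec.username)
        if rec.status == "terminated":
            if acct is not None and acct.enabled:
                findings.append(("leaver-active", rec.username, f"left {rec.end}, account still enabled"))
            elif acct is not None and acct.groups:  # disabled, but entitlements never cleaned up
                findings.append(("leaver-groups", rec.username, f"still in {sorted(acct.groups)}"))
            continue
        if acct is None:
            findings.append(("joiner-missing", rec.username, f"no account for role {rec.role}"))
            continue
        baseline = ROLE_BASELINE.get(rec.role, set())
        if extra := acct.groups - baseline:   # privilege creep, typical of movers
            findings.append(("mover-excess", rec.username, f"outside {rec.role} baseline: {sorted(extra)}"))
        if missing := baseline - acct.groups:
            findings.append(("mover-missing", rec.username, f"missing for {rec.role}: {sorted(missing)}"))
    known = {r.username for r in hr}
    for name, acct in accounts.items():   # enabled accounts nobody in HR owns
        if name not in known and acct.enabled:
            findings.append(("orphan", name, f"no HR record, groups {sorted(acct.groups)}"))
    return findings

def leaver_logins(hr: list[HrRecord], log_lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (username, timestamp, src) for successful logins after a leaver's end date."""
    end_dates = {r.username: r.end for r in hr if r.status == "terminated" and r.end}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["result"] != "success" or m["user"] not in end_dates:
            continue
        when = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).date()
        if when > end_dates[m["user"]]:
            hits.append((m["user"], m["ts"], m["src"]))
    return hits
```

Running `reconcile(HR_FEED, IDP_EXPORT)` on the constructed data yields four findings: carol is a leaver whose account is still enabled, dave is a joiner with no account, erin is a mover still holding `prod-ssh` from her old SRE role, and `svc-legacy` is an enabled account with no HR owner. `leaver_logins(HR_FEED, AUTH_LOG)` flags carol's login on 2024-03-03, after her 2024-02-28 end date, while her earlier login is ignored. In a real estate the two lists would be fed from the HR system and the IdP's API and the findings routed to a SIEM rule or ticket queue; the point of keeping the HR feed authoritative is that the IdP is never trusted to say who should have access.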
Implementing JML Processes
It is one thing to understand what your JML processes should be and quite another to implement them successfully. A successful JML process requires executive sponsorship, buy-in from the business and, most importantly, support from and partnership with HR and the teams that own your identity systems.
The following stakeholders are required to ensure the successful implementation of a JML process:
- Chief Information Officer/Chief Technology Officer
C-level sponsorship is essential to the success of the project. Changes to the JML process can be disruptive in the initial stages, and changes in business process have to be sponsored; otherwise pushback from the people impacted means that the most important improvements may never happen.
- Chief Information Security Officer
The CISO or possibly the head of Identity Management must be the lead project sponsor. This is again to ensure the project has the executive power needed to push changes through.
- HR Executive
To ensure that any changes required to HR data and processes are supported and delivered, the Head of HR or a senior executive must be involved and sponsor the project. Without this, the project is unlikely to succeed fully.
- Line of Business Manager
As the business is the area most impacted by changes in the JML process, sponsorship and inclusion of key executives in the business is important. They can provide feedback on the approach, changes to processes and areas of concern, while also giving you a vital communication channel to your end users.
- IT Manager
Inclusion and sponsorship from IT is important to understand how the access management elements of the process can be completed. They can also play a major role in implementing the technical components of the project.
Joiners, Movers, and Leavers represent critical phases in an employee’s lifecycle that significantly impact an organization’s information security. By implementing robust practices during these events, organizations can strengthen their overall security posture, minimize the risk of data breaches, and ensure compliance with regulatory and standard requirements. Emphasizing comprehensive policies, role-based access control, and timely offboarding procedures, combined with ongoing security awareness training and regular monitoring, will enable organizations to effectively manage information security risks associated with JML events.
Author: Emmanuel K. Gadasu
(CEH, CDPS, CIPM, BSc IT, MSc IT and Law*)
(Data Protection Officer, IIPGH and Data Privacy Consultant and Practitioner, Information Governance Solutions)
For comments, contact author via firstname.lastname@example.org or Mobile: +233-243913077