6.5 Responsibilities after Termination or change of Employment

Information security responsibilities and duties that remain valid after termination or change of employment should be defined, enforced and communicated to relevant personnel and other interested parties.

To protect the organisation’s interests as part of the process of changing or terminating employment or contracts.

When an employee is terminated or their employment changes, there are several responsibilities that the organization should be aware of to ensure the continued protection of their information security:

• Revoking access: The organization should immediately revoke the employee's access to all company systems, networks, and data to prevent unauthorised access. This includes disabling user accounts, email access, and company applications and cloud services.
• Collecting company property: The organisation should collect any company-owned devices, such as laptops, smartphones, and security tokens, from the employee to prevent any misuse of company information.
• Conducting exit interviews: Organizations should conduct exit interviews with the departing employee to discuss any issues or concerns related to the employee's access to company information and to ensure that the employee understands their obligations under the company's information security policies.
• Reviewing audit logs: Organizations should review audit logs for any suspicious activity or data breaches that may have occurred during the employee's tenure.
• Changing passwords and keys: Organisations should change all passwords and encryption keys that were shared with the employee to prevent unauthorised access to company information.
• Reviewing third-party access: Organisations should also review and revoke any third-party access to company information that was granted through the former employee's account, such as social media, cloud storage and other platforms.
• Legal obligation: Organisations should be aware of their legal obligations regarding the protection of personal data and should consider consulting with legal counsel regarding the retention and destruction of employee data following termination or change of employment.