Both workers and external stakeholders must return all of the organizational assets in their possession upon termination of their job, contract or agreement. This control states that personnel and other interested parties as appropriate should return all the organisation’s assets in their possession upon change or termination of their employment, contract or agreement. An information asset is any kind of data or information that has value to an organisation. Information assets can include physical documents, digital files and databases, software programs, and even intangible items like trade secrets and intellectual property. Information assets can have value in a variety of ways. They may contain personally identifying information (PII) about customers, employees or other stakeholders that could be used by bad actors for financial gain or identity theft. They could contain sensitive information about your organisation’s finances, research or operations that would provide a competitive advantage to your competitors if they were able to get their hands on it.This is why it is important that staff and contractors whose business are terminated with an organisation are compelled to return all such assets in their possession.
The termination process must be legally concluded with the return of all tangible and electronic assets previously assigned owned or entrusted to the organization.This means that the organisation must have a written policy that defines clear rules for returning assets upon termination. Organisations must also have personnel that will confirm receipt of returned assets, and ensure that assets are properly inventoried and accounted for. When an employee or external user buys the equipment of the company or uses his / her own personal equipment, it is important to follow protocols to ensure that all relevant information is transmitted to the company and safely removed from the equipment. In situations where an employee or external user is aware that this information is necessary for ongoing operations, it should be reported and transmitted to the organization. During the notice period of termination, unauthorized copying of sensitive information ( e.g. intellectual property) by terminated workers and contractors should be monitored by the company.
Control
Personnel and other interested parties as appropriate should return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement.
Purpose
To protect the organization’s assets as part of the process of changing or terminating employment, contract or agreement.
ISO 27002 Implementation Guidance
The change or termination process should be formalized to include the return of all previously issued physical and electronic assets owned by or entrusted to the organization. In cases where personnel and other interested parties purchase the organization’s equipment or use their own personal equipment, procedures should be followed to ensure that all relevant information is traced and transferred to the organization and securely deleted from the equipment. In cases where personnel and other interested parties have knowledge that is important to ongoing operations, that information should be documented and transferred to the organization. During the notice period and thereafter, the organization should prevent unauthorized copying of relevant information (e.g. intellectual property) by personnel under notice of termination. The organization should clearly identify and document all information and other associated assets to be returned which can include:
- user endpoint devices
- portable storage devices
- specialist equipment
- authentication hardware (e.g. mechanical keys, physical tokens and smart cards) for information systems, sites and physical archives
- physical copies of information.
Other information
It can be difficult to return information held on assets which are not owned by the organization. In such cases, it is necessary to restrict the use of information using other information security controls such as access rights management or use of cryptography.
This is designed to protect the organisation’s assets as part of the process of changing or terminating employment, contract or agreement. The intent of this control is to prevent authorized individuals from retaining assets (e.g., equipment, information, software, etc.) that belong to the organisation. When employees and contractors leave your organisation, you have to make sure that they don’t take any sensitive data with them. You do that by identifying any potential threats and monitoring the user’s activities before their departure. This control is to ensure that the individual does not have access to the IT systems and networks when they are terminated. Organisations should establish a formal termination process which ensures that individuals are not able to gain access to any IT systems after their departure from the organisation. This can be done by revoking all permissions, disabling accounts and removing access from building premises. Procedures should be in place to ensure that employees, contractors, and other relevant parties return all organisational assets that are no longer required for business purposes or are due for replacement. Organisations may also want to perform a final check of the individual’s work area to ensure that all sensitive information has been returned.
For example:
- Upon separation, organisation-owned equipment is collected (e.g., removable media, laptops).
- Contractors return equipment and information at the end of their contract.
All employees and external party users are expected to return any organisational and information assets upon termination of their employment, contract or agreement. As such it must be an obligation for employees and external users to return all the assets and these obligations would be expected in the relevant agreements with staff, contractors and others. A solid, documented process is also required to ensure that the return of assets is appropriately managed and can be evidenced for each person or supplier that goes through it. Where assets are not returned according to the process, unless otherwise agreed and documented as part of the exit process, the non-return should be logged as a security incident and followed-up. The return of assets procedure is never fool proof and this also underlines the need for periodic audit of assets to ensure their continued protection. In order to meet the requirements, the change or termination process should be formalized to include the return of all previously issued physical and electronic assets owned by or entrusted to the organisation. The process should also ensure that any and all access rights, accounts, digital certificates and passwords are removed. This formalization is especially important in cases where a change or termination occurs unexpectedly, such as death or resignation, in order to prevent unauthorized access to organisation assets which could lead to a data breach. The process should ensure that all assets are accounted for, and that they have all been returned/disposed of in a secure manner. The organisation should clearly identify and document all information and other associated assets to be returned which can include:
- user endpoint devices;
- portable storage devices;
- specialist equipment;
- authentication hardware (e.g. mechanical keys, physical tokens and smart cards) for information systems, sites and physical archives;
- physical copies of information.
This can be achieved through a formal checklist containing all necessary items to be returned/disposed of and completed by the user upon termination, along with any necessary signatures confirming that the assets have been returned/disposed of successfully.It is critical that organizations protect their information on the equipment of employees when their employment is terminated. Make sure all relevant information that will be needed by the institution is preserved, but all information on the asset is erased. Develop an employee exit checklist that addresses the return of all institutional assets, physical or information, before the employee’s last day. There are, of course, emergency situations dealing with immediate termination that may not lend themselves to a measured checklist. Create a simple checklist for those instances as well. Get to know a resource in your HR area and work with that resource to incorporate physical and electronic assets at termination. As stated before, assets can be a variety of items. Employee knowledge is also an information asset to the organization. Preserve their relevant knowledge, document, before the individual leaves the institution, and ensure that knowledge is in the organization’s possession. Once again, use the checklist to incorporate this aspect of asset return. A sample may include:
- The employee has returned all computing equipment to IT.
- IT will preserve the information on the equipment by copying to an external drive or employee group shared file server. Preserved information will be given to the employee’s supervisor.
- The employee has transferred all institutional information from his/her personal equipment and given that to their supervisor.
- Employee rights to information assets have been terminated as of this date.
- Employee knowledge transfer has occurred.
Don’t forget about the contractors, consultants, or any other external third party upon termination of contract or agreement. The same rules apply. You may wish to have a separate asset security checklist for all external agents and ensure this information is part of their contract or agreement.