JML – Joiners, movers and leavers
This is an often overlooked component of security, but it’s very important. As the name suggests, it comes in three parts.
For joiners, this addresses issues such as staff vetting, which typically ensures that new staff:
- are who they say they are. If identity isn't verified, every later check (e.g. a criminal record search) may be run against the wrong person
- have no criminal record (or have at least declared it: you probably wouldn't want someone with a history of financial fraud or bankruptcy in control of your company's finances)
- are eligible to work in your country (checking things like visa stipulations, expiry etc.)
- are able to pass security screening, e.g. on government contracts, so they can access classified systems. This sort of screening may involve background checks and interviews with family and friends.
For movers: once in an organisation, people may change roles or move around. Each time they do, their access to systems and data should be reviewed; otherwise people accrue access to systems they no longer need, which is a risk to the organisation. For example, if someone moves from HR into Finance, their access to HR systems should be revoked and they should be granted access to Finance systems.
For leavers, this is all about making sure that when someone leaves your organisation, their access to systems and data is revoked. It means checking and removing (or at least suspending) account access, e.g. email, office details, HR, remote access etc.
It's also about making sure that you remove their physical access, e.g. keys to the office, swipe cards etc. It also makes sense to change keypad codes where they're used, e.g. for secure areas, car parks etc.
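As an added example (not part of the original page), the mover and leaver rules above expressed as a simple access reconciliation: an account's entitlements are recomputed from its current role, so a move yields a grant/revoke diff and a leaver is revoked everything. The role-to-entitlement map and the accounts are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Constructed role-to-entitlement map: what each role is entitled to and nothing more.
ROLE_ENTITLEMENTS = {
    "HR": {"email", "hr_system", "remote_access", "building_swipe"},
    "Finance": {"email", "finance_system", "remote_access", "building_swipe"},
}


@dataclass
class Account:
    user: str
    role: Optional[str]                      # None once the person has left
    access: Set[str] = field(default_factory=set)


def reconcile(account: Account) -> Tuple[Set[str], Set[str]]:
    """Return (to_grant, to_revoke) so that access matches the current role exactly."""
    if account.role is None:                 # leaver: entitled to nothing
        entitled: Set[str] = set()
    else:
        entitled = ROLE_ENTITLEMENTS[account.role]   # unknown role is a config error: fail loudly
    return entitled - account.access, account.access - entitled


def move(account: Account, new_role: str) -> Tuple[Set[str], Set[str]]:
    """Mover: re-review access on role change instead of letting old access accrue."""
    account.role = new_role
    grant, revoke = reconcile(account)
    account.access = (account.access | grant) - revoke
    return grant, revoke


def leave(account: Account) -> Set[str]:
    """Leaver: role cleared, so every remaining entitlement is revoked."""
    account.role = None
    _, revoke = reconcile(account)
    account.access -= revoke
    return revoke


def accrued_access(account: Account) -> Set[str]:
    """Access the current role does not justify: the leftover a periodic review should catch."""
    return reconcile(account)[1]


if __name__ == "__main__":
    alice = Account("alice", "HR", set(ROLE_ENTITLEMENTS["HR"]))
    print("HR -> Finance grants/revokes:", move(alice, "Finance"))
    print("leaver revokes:", leave(alice))
```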