
Type of Security Control: Administrative | Compensatory

Purpose: This procedure defines the actions a Compliance Engineer takes when performing a secondary review of the Parent/Child Tickets within Epicor for a terminated DataBank employee or contractor. The Compliance Engineer is assigned the Parent Ticket by the Internal IT Team member who initially processed the termination, and this procedure applies when the secondary review finds that one or more Critical System Access Removal Child Tickets was not processed within two (2) business days of the individual's scheduled termination/release date, OR of the date the Internal IT Team received notice of an immediate termination request for the individual from HR Department personnel. For logical access, the Critical Systems are Active Directory (AD)/Duo Sync, VPN, and NetSuite (the latter only if the terminated individual held roles beyond "DBH Employee"); for physical access, they are Lenel and CCURE (whichever PACS the individual had physical badge access to, if applicable).

Impact: High

Applies to: Internal | Vendors/Contractors

Description: In addition to the "Purpose:" statement above, DataBank is required to perform a BIA for any terminated employee or contractor who retained logical and/or physical access to one or more Critical Systems for more than two (2) business days after the individual's scheduled termination/release date, OR after the date the Internal IT Team received notice of the individual's immediate termination from HR Department personnel.

Applicable Compliance Statements:

  • NIST SP 800-53 Rev. 4
  • AICPA SOC 2 Type 2 TSC for Security & Availability

Prerequisites:

  1. Epicor
  2. Windows Active Directory (AD) PowerShell and/or ADAudit Plus
  3. NetSuite Administrator assistance
    1. Note: Request that the NetSuite Administrator run the "User Activity/Last Login" Report if the terminated individual held roles beyond "DBH Employee".
  4. Physical Security Team assistance
    1. Note: Request that a Physical Security Team member run the "User Activity/Last Login" Reports from the CCURE/Lenel physical access control system (PACS) if the terminated individual had physical access to one or more sites.
  5. Network Operations Team assistance
    1. Note: Request that a Network Operations Team member run a "User Activity/Last Login" Report from the network monitoring tool(s) if the terminated individual had VPN access.

Procedure Service Level Agreements:

  • ?????

Process: 

  1. When a terminated employee or contractor requires a logical and/or physical access BIA per the "Purpose:" and "Description:" requirements above, the Compliance Engineer responsible for the access removal BIA (i.e., the Compliance Team member to whom the Parent Ticket in Epicor was re-assigned for Secondary Review) creates a Child Ticket titled "Terminated User BIA". The Compliance Engineer then adds Ticket Event details, following the example Template below, for each Critical System: Active Directory (AD)/Duo Sync, VPN, and NetSuite for logical access; and Physical Security for Lenel and CCURE for physical access:
    1. Active Directory (AD)/Duo Sync BIA: This is the only logical access BIA that is performed for every terminated employee or contractor.
      1. From your Okta SSO Homepage, log in to the ADAudit Plus web application using your Windows AD Username/Password credentials.
      2. Once logged in, navigate to the "User's Last Logon" Module and enter the terminated individual's username (i.e., the xxxxx portion of xxxxx@databank.com) in the 'User Name/Search' field, AND set the 'Period' field to cover the full span from the individual's termination/release date through the date the BIA is performed. (Note: capture a screenshot of the parameters entered in the "User's Last Logon" Module for the terminated individual, for completeness and accuracy purposes.)
        1. If the returned results show no logon activity during the period defined above, no further work is required for this BIA.
        2. If the returned results show logon activity during the period, the Compliance Engineer performing the BIA works with other team members and/or Internal IT to determine the total impact.
    2. VPN BIA: Only performed if the terminated employee or contractor has a VPN access permission listed in their current access inventory Event Detail.
    3. NetSuite BIA: Only performed if the terminated employee or contractor was assigned roles within NetSuite beyond the standard "DBH Employee" self-service role.
      1. Instruct the NetSuite Administrator to log in to the NetSuite web application using their "Administrator" Role.
      2. Once logged in, navigate to: Reports → Saved Searches (All)
        1. Once the Saved Searches (All) list is displayed, select the Saved Search titled "SOX: 9-Administrator Activity Log (Adhoc)" and select Edit.
      3.  After 
    4. Physical Security BIAs (CCURE/Lenel PACS - Badge Level): Only performed if the terminated employee or contractor had physical badge access to their assigned data center location(s) within the CCURE and/or Lenel physical access control systems (PACS).
      1. Instruct the Physical Security Team personnel to log in to the terminated individual's CCURE and/or Lenel badge access account profile(s).
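The "Prerequisites:" section lists Windows AD PowerShell as an alternative to ADAudit Plus for the Active Directory (AD)/Duo Sync BIA in step 1.1. The script below is an added example of that PowerShell path; it is not part of the original procedure or of any DataBank tooling. It queries every domain controller rather than one, because the lastLogon attribute is not replicated between DCs, and a single-DC query (or a report built from one DC) can miss a logon that happened after the termination date. The SamAccountName, the termination date and the domain are assumptions supplied by the person running it.

```powershell
# Added example for the AD/Duo Sync BIA (step 1.1). Not part of the original procedure.
# Usage: .\Get-TerminatedUserLogon.ps1 -SamAccountName jdoe -TerminationDate '2024-01-15'
# Assumes the ActiveDirectory RSAT module is installed and the caller has read access to AD.
param(
    [Parameter(Mandatory)][string]$SamAccountName,    # the xxxxx portion of xxxxx@databank.com
    [Parameter(Mandatory)][datetime]$TerminationDate, # scheduled release date, or date of HR immediate-termination notice
    [datetime]$BiaDate = (Get-Date)                   # date the BIA is performed (default: now)
)

Import-Module ActiveDirectory

# lastLogon is updated on whichever DC authenticated the user and is NOT replicated,
# so each DC must be asked. lastLogonTimestamp IS replicated, but only refreshes when
# the stored value is more than ~9-14 days old, so it can under-report recent activity.
$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                -Properties lastLogon, lastLogonTimestamp, Enabled
        [pscustomobject]@{
            DC                 = $dc.HostName
            Enabled            = $u.Enabled      # should be $false after the Duo Sync/AD removal ticket was processed
            LastLogon          = if ($u.lastLogon)          { [datetime]::FromFileTime($u.lastLogon) }          else { $null }
            LastLogonTimestamp = if ($u.lastLogonTimestamp) { [datetime]::FromFileTime($u.lastLogonTimestamp) } else { $null }
        }
    } catch {
        # A DC that is unreachable, or an account already deleted, must be recorded, not silently skipped.
        Write-Warning "Could not query $($dc.HostName) for ${SamAccountName}: $_"
    }
}

# Keep this table as the evidence screenshot for the "Terminated User BIA" Child Ticket.
$results | Format-Table -AutoSize

# Most recent logon seen on any DC
$lastSeen = $results.LastLogon | Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

if ($lastSeen -and $lastSeen -gt $TerminationDate -and $lastSeen -le $BiaDate) {
    Write-Output "ACTIVITY FOUND: last logon $lastSeen is after termination date $TerminationDate. Escalate for impact assessment (step 1.1.2.2)."
} else {
    Write-Output "No logon activity between $TerminationDate and $BiaDate. No further action for this BIA (step 1.1.2.1)."
}

if ($results | Where-Object { $_.Enabled -eq $true }) {
    Write-Warning "Account is still ENABLED on at least one DC; confirm the AD/Duo Sync removal ticket was actually completed."
}
```

The script reports only successful domain logons recorded on the DCs. If the returned table shows a logon after the termination date, pull the matching 4624 security events from that DC to identify the source host before the impact assessment, and treat any "Could not query" warning as a gap in the evidence rather than as a clean result.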
Date Created: 
Last Review: 
Next Review: 
Reviewed By: Adam Scafuri, Compliance Engineer
Owner: Compliance
Responsible: Director of Compliance
Accountable: Calli Schlientz, Director of Compliance
Consulted: Compliance; Internal IT
Informed: N/A