Posts Tagged ‘HR’

VPN Haus spoke with Volodymyr Styran, a security expert, about ways IT professionals can work more closely with HR on issues like provisioning. VPN Haus has long advocated for IT departments to make user provisioning a higher priority, and Styran has some ideas on how this collaboration can be turned into reality.

VPN Haus:  Let’s start with basic tampering. How can IT administrators prevent users, especially ones who are tech-savvy themselves, from tampering with settings?

Styran:  I’d suggest application of strong organizational policies and thorough logging of user actions. Changes to local policies are usually reflected in [programs like] Eventlog. Collect it centrally in a separate log management facility, review the logs regularly, and follow up the findings via disciplinary action. This may sound a bit aggressive, and is rather reactive than preventive, but in my opinion this is the most effective approach.

VPN Haus:  What’s the greatest enforcement challenge?

Styran: The greatest enforcement challenge is making HR execute disciplinary action. Punishing is not their favorite part of the job, because it affects image… So, when it comes to HR, one has to present and explain every bit of risk and harm introduced by a violation. And all this definitely makes little sense unless strong administrative policies are established beforehand.

VPN Haus:  Can you provide 3 – 5 tips on how IT departments could work more closely with HR to foster better communication between the departments?

Styran:  Sure.

– Be friendly, while being firm when needed.
– Make it formal, while maintaining good relationships. Write your policies firm and strict, but socialize with HR in a positive manner.
– Pay more attention to HR’s needs and concerns; this is relevant to relationships with any other non-IT function as well.
– Always explain. [In most cases,] they know next to nothing about [IT]. “We know better” doesn’t work. Although, the more you explain in the beginning, the less explanations they will need later on. This is how trust is developed with time.

Volodymyr Styran is based in Ukraine.


VPN Haus contributor Ben Ruset posted some food for thought on his blog about employee provisioning. Some people assume the best course of action is to immediately provision departing employees off the network. But Ruset brings up some good reasons why this approach isn’t always best.

This presents a problem because if IT takes it upon itself to delete a user that it thinks should be deleted, there’s a risk that important data could be lost, or that the user has a legitimate need to retain access for one reason or another. On the other hand, if IT decides to do nothing, there’s a vector for attack where, depending on the circumstances of the employee’s departure, they might have a motive to use the enterprise’s resources maliciously.

We agree with Ruset’s solution – “have strong policies in place that dictate the workflow of a user request. This is a policy that both HR and IT need to agree to, and it needs to be efficient, effective, and enforceable.” But, as he points out, this policy is often not created or simply not enforced. We understand that provisioning isn’t the sexiest part of an IT person’s job, but that’s not a good enough reason to let provisioning fall by the wayside. Ruset points out:

HR should notify IT that there’s a departure and fill out a request to have the account disabled. Depending on the circumstances of the departure, it might be necessary to escalate that to a higher priority level, or let IT know about any special requests (i.e., do not delete but disable the account, forward email somewhere, etc.). IT then should expediently handle the request and again confirm with HR that the request has been completed.

He acknowledges that provisioning “is one of the most crucial but utterly boring parts of IT.” Is this the reason that developing – and enforcing – a solid provisioning policy is such a challenge for organizations? Chime in with your thoughts.

Related Links:

Provisioning: Q&A with Ben Ruset, Princeton University PART 2

Provisioning: Q&A with Ben Ruset, Princeton University

De-provisioning is Just for Former Employees, Right? Wrong!


Ben Ruset is systems administrator at Princeton University. He speaks to VPN Haus about pressing provisioning issues all organizations – academic or corporate – should consider.

VPN Haus: When dealing with employee terminations, who should own network provisioning – HR or IT?

Ben Ruset: Typically HR should notify IT and request that an account needs to be disabled/deleted. Neither department should make a unilateral decision that an account be modified without clearing it with the other. It’s all a matter of having well-defined processes for business functions like this. Unfortunately, many organizations forget to create or enforce them until it’s too late.

VPN Haus: Is this a process that you recommend automating?

Ruset: Well, this really is more of a human issue than a technological one. If there’s a policy in place, HR should notify IT to kill the account. Since they will manage to tell finance or the payroll company that the employee is terminated, as well as the health insurance company, they should be able to notify IT. Alternately, if there’s a system like Peopleworks, or some such, there could be an automatic notice sent to IT as part of the termination workflow.

VPN Haus: Do the provisioning issues you raised also relate to student email addresses/accounts, especially with graduation and new school seasons?

Ruset: So, let me preface by saying that I’m not directly involved with provisioning accounts for students, faculty, and staff. IT at Princeton tends to be pretty compartmentalized. The most that I do is request accounts for things like the occasional contractor or temp worker who’s setting up an application or whatnot. But I do try to keep my ears open, and I do have a rough familiarity with the process at Princeton, so I can try to answer as best as I can.

The process for new students has a pretty well thought-out workflow. The OIT (Office of Information Technology) gets a list of incoming students for each year from the registrar’s office, and creates the accounts prior to the students arriving on campus. The students then go to an online form and create their passwords.

VPN Haus: What about when students graduate?

Ruset: When the student graduates, if they’re undergrads, their accounts are kept active until the following October or so. Then it’s deleted. I’m not sure if this is a process that happens automatically, or if someone at OIT has to launch a script or something that closes accounts en masse. Actually, there’s a good page in the Princeton KB about what happens to accounts upon graduation, retirement, etc:

Stay tuned: next week Ruset talks with VPN Haus about university connectivity issues.

Related Reading:

De-provisioning is Just for Former Employees, Right? Wrong!

IT departments should make the case for corporate resources

Combating Data Breaches with Provisioning
