Control 6.5: Responsibilities After Termination or Change of Employment
Summary
Information security responsibilities and duties that remain valid after termination or change of employment should be defined, communicated, and enforced. This protects the organization's assets and intellectual property even after the professional relationship ends.
Applicability
In-Scope: Mandatory for preventing data leakage from former employees. It is essential for protecting trade secrets and maintaining the confidentiality of client data.
Out-of-Scope: Never out-of-scope.
Implementation Guidance
Microsoft 365 / Entra ID
- Exit Interview: Conduct a formal exit interview (potentially via Microsoft Forms) in which the individual's ongoing confidentiality obligations are reaffirmed.
- Data Protection: Use Microsoft Purview Information Protection labels that apply encryption, so that even if a file was downloaded, it can no longer be opened by the user once their Entra ID account is disabled.
- Account Governance: Implement Entra ID Access Reviews so that users who have changed departments have their previous access revoked immediately.
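One way to carry out the account side of the offboarding described above, written here as an added example and not code from the original page or from Microsoft; it assumes the Microsoft Graph PowerShell SDK is installed, that the caller holds the listed Graph permissions, and that the UPN and the audit filter are placeholders you adapt to your tenant.

```powershell
# Added example: disable a departing user's Entra ID account, cut live sessions,
# strip group entitlements and export the directory audit trail as evidence.
# Assumes the Microsoft.Graph PowerShell SDK and the scopes below.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All", "AuditLog.Read.All"

$upn  = "departing.user@contoso.example"   # constructed placeholder UPN
$user = Get-MgUser -UserId $upn -Property Id, DisplayName, AccountEnabled

# 1. Disable the account. Encrypting Purview labels check the identity at open
#    time, so a disabled account can no longer open protected files it downloaded.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# 2. Revoke refresh tokens so existing sessions expire at their next token renewal.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 3. Remove group memberships. The identity stays (for audit trails) but loses
#    the access those groups grant. Dynamic groups cannot be edited by hand.
$groups = Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }
foreach ($g in $groups) {
    $detail = Get-MgGroup -GroupId $g.Id -Property Id, DisplayName, GroupTypes
    if ($detail.GroupTypes -contains 'DynamicMembership') {
        Write-Warning "Dynamic group skipped (fix the rule instead): $($detail.DisplayName)"
        continue
    }
    Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id
    Write-Host "Removed $($user.DisplayName) from $($detail.DisplayName)"
}

# 4. Export the last 24 hours of directory audit entries that target this account.
#    The filter shape is an assumption; adjust it if your tenant rejects it.
$since  = (Get-Date).ToUniversalTime().AddDays(-1).ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "targetResources/any(t:t/id eq '$($user.Id)') and activityDateTime ge $since"
Get-MgAuditLogDirectoryAudit -Filter $filter -All |
    Select-Object ActivityDateTime, ActivityDisplayName, Result |
    Export-Csv -Path ".\offboarding-$($user.Id).csv" -NoTypeInformation
```

The exported CSV is the kind of artefact the Role Change Logs item in the evidence checklist asks for; pair it with the signed exit statement from the HR side.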
Evidence Checklist
- Offboarding Procedure: A documented termination checklist that includes the reminder of ongoing security duties.
- Signed Exit Statements: Records of former employees acknowledging their post-employment obligations.
- Role Change Logs: Audit trails showing the modification of access rights when an employee moves to a new role within the company.
Practical Audit Advice
Here are some questions the auditor might ask:
- How does the organization remind a departing employee of their legal obligation to protect company secrets?
- What technical controls prevent a departing employee from performing a mass download of sensitive data in their final days?
- How are post-employment obligations communicated to contractors or third-party service providers?
- Can you provide a recent offboarding file that shows the specific step where security responsibilities were reaffirmed?