Neither information technology nor security managers fire people in most organizations. That plain reality seems to escape some in the industry, where offended security administrators declare that disabling the anti-virus program is grounds for demotion or an IT manager finding unlicensed media makes arrangements for someone to make the cardboard box commute.
Too often, security folk are surprised and disappointed when the perpetrator is slapped on the wrist, or the incident quietly tabled without reprimand. Why the disjoint? Because they didn't coordinate with human resources, and because there's no clarity about the severity or risk from the behavior, even incidents that ought to garner serious attention don't.
The solution is to get right with Human Resources long before the incident. I know -- like dogs and cats living together, the notion of touchy-feely human resources personnel working together with hard and graceless IT security geeks may portend the coming of the End Times. But there are a handful of topics that require collaboration. By addressing them before there's an incident, a lot of pain and frustration can be avoided.
Identity and authentication
The initial establishment of identity for a new hire -- acquiring driver's licenses and associated documents -- is a management task specific to HR. When identity is established, and the person who showed up is sufficiently authenticated as that person, we say that initial identification and authentication or "initial I&A" is complete.
This is never an automated task. This is also never an IT task. If someone shows up at the IT helpdesk asking for an account, and there's no HR record of initial I&A, all sorts of alarm bells ought to go off. Unless there's a specific exception -- perhaps the granting of temporary IDs to vendors when a business unit's contract serves as initial I&A -- IT should never, ever be in the business of determining if a person exists or not.
It's one of the most common errors I see, but initial I&A ought not be confused with the implementation of roles and rights. Only after the management decision to hire someone is processed by HR, can a person's online persona be connected to a set of tasks, specific role, salary, and the other trappings of a job. Confusing these different steps means stepping on HR's toes, after which conflict, confusion and weakened security are inevitable.