Employees who stop working before their termination date or take vacation days prior to their separation date can bring risk to an agency if their access to agency systems isn’t removed in a timely manner, according to a report from the Tennessee Valley Authority’s (TVA’s) inspector general, released September 11.
The report found that TVA did not remove access to IT systems in a timely manner because the agency had no way to communicate that employees were no longer working, even though they remained on the payroll and had not yet formally left the agency.
“We found … over 44 percent of the 153 TVA employees who ceased active work prior to retirement or other separation during calendar year 2018 did not have logical and/or physical access to TVA assets removed on a timely basis,” the report states.
Guidance from the National Institute of Standards and Technology (NIST) states that organizations should terminate access as quickly as possible for any separations that are less than friendly, and the report highlights the “principle of least privilege” that NIST includes in its SP 800-14 guidance. The inspector general found that six people left on “less than friendly” terms, and 33 left due to a reduction in force.
“If management could reasonably expect these terms to be unfriendly, then access should have been removed immediately,” the report notes.
The inspector general recommended that TVA create a process to notify cybersecurity and physical security personnel when an employee ceases work prior to separation, which the agency agreed to.