IT Security Reminder When Staff Changes Occur
Summary
For any areas on campus that have IT Systems Administrators, this is a reminder that passwords should
be changed as quickly as possible when an employee whom previously had access to administrator-type
privileges has moved on. In addition, users who trusted someone with their password would similarly
be urged to change it as soon as possible.
Background
Practically all multi-user-capable computing systems have at least two levels of user access – a general
user level and a super-user level. A typical user would be able to access their own files which they have
created and other user’s files only if they were shared with that purpose in mind. On the other hand, a
user with super-user level access will have access to all files in the system.
When someone is no longer associated with the computing systems they formerly managed, it is
important to change the super-user level passwords for two reasons. Systems Administrators are highly
trusted to perform the required systems management tasks in a secure, privileged environment and
must be highly ethical. Since access to servers should only be under the control of current employees, it
is a best practice to change these passwords as soon as possible after the person whom has left is no
longer associated with the respective area. The second reason to change the passwords is to indemnify
that the person whom has left cannot have made an undesired change to a system in the event that this
were to happen. If for some reason a system becomes compromised, possibly due to a security
vulnerability, a virus, etc., there would be assurance in this situation that the person who left could not
be involved with the change. So, changing the passwords protects the person who has left.
It is not usually a best practice for Systems Administrators to know other users passwords. Oftentimes,
a user can be helped without divulging this information and can be kept private. If a user knows that
they might have given their password to a Systems Administrator, the password should be changed as
soon as possible thereafter. If the password is not changed, the second user could conceivably log-in
and act on their behalf. Changing the user password would have the same benefits as mentioned above
– only the user should typically know their own password, and the other user would be absolved of any
suspicion should something untoward occur on the user’s account.
As a final reminder, it is also a best practice that passwords be recorded in a safe and secure location in
the event that access must be obtained by a designate while the Systems Administrator is temporarily
unavailable. System passwords and any passwords used to encrypt file-systems should be recorded.
Please keep this in mind as a best practice when Systems Administrators leave your area, even if they’ve
only gone as far as another department.