Establish and document procedures for the return of organization-owned assets by terminated employees.
The organization should establish and communicate a policy and procedure for the return of assets owned or controlled by the organization upon the termination of a personnel contract. The organization should identify and document all information and other associated assets to be returned or disabled. Information and assets can include:
- User endpoint devices
- Portable storage devices
- Specialist equipment
- Authentication hardware (e.g., mechanical keys, physical tokens, and smartcards) for information systems, sites, and physical archives
- Physical copies of information
The organization should prevent the unauthorized copying of information (e.g., intellectual property) by personnel under a notice of termination.
- Examine policy for adequacy, currency, communication, and effectiveness.
- Verify that a definition of organizationally-owned assets exists, and is implemented.
- Verify that a definition of terminated employees exists, and is implemented.
- Examine policy and procedures for evidence of review at least annually.
[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]
Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.