Episode 45 — A.6.5–6.6 — Responsibilities after termination/change; NDAs

A.6.5 ensures that information security responsibilities remain clear when employment terminates or roles change. For the exam, emphasize time-bound deprovisioning of access, recovery of assets, revocation of credentials, and updates to authorization lists and distribution groups, all coordinated across HR, IT, Security, and managers. The control also expects continuity of obligations such as confidentiality, IP protection, and restrictions on sensitive knowledge, which persist beyond departure if stipulated by contract. A.6.6 focuses specifically on confidentiality or non-disclosure agreements (NDAs) that protect information shared with employees, contractors, and external parties. NDAs should define what is confidential, permitted uses, duration, exclusions, and remedies, and they must align with classification policies and data handling rules.
Operational execution uses joiner–mover–leaver workflows with checkpoints for equipment return, token revocation, mailbox and file transfer handling, and attestation of ongoing obligations. Role changes trigger re-screening where necessary, revised terms, and access right adjustments verified via recertification. NDA management includes standardized templates vetted by legal, clause variations for research, M&A, or vendor engagements, and a registry that tracks counterparties and expiration dates.

Pitfalls include partial deprovisioning that leaves lingering API keys or SaaS sessions, ambiguous NDA scopes that hinder enforcement, and lack of evidence that departing staff were reminded of continuing duties. Effective programs measure time-to-revoke, asset return completion, and residual access findings post-termination; they also conduct targeted exit briefings for high-risk roles and maintain defensible records of acknowledgments. Candidates should connect these controls to evidence packs—ticket trails, IdP logs, signed agreements—and to related controls like A.5.11 return of assets and A.5.18 access rights, demonstrating a clean, auditable handoff that protects information before, during, and after employment.

Produced by BareMetalCyber.com, where you’ll find more cyber audio courses, books, and information to strengthen your educational path. Also, if you want to stay up to date with the latest news, visit DailyCyber.News for a newsletter you can use, and a daily podcast you can commute with.
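The time-to-revoke and residual-access metrics described above can be checked mechanically by reconciling the HR leaver feed against a credential inventory (IdP accounts, API keys, SaaS sessions). This is an added Python example, not material from the episode; the leaver feed, credential records, review time and four-hour revocation SLA are constructed placeholders.

```python
from datetime import datetime, timedelta

# Constructed sample data (placeholders, not from any real system).
LEAVERS = {                       # HR leaver feed: user -> termination time
    "alice": datetime(2024, 3, 1, 17, 0),
    "bob": datetime(2024, 3, 2, 12, 0),
}
CREDENTIALS = [                   # (owner, kind, identifier, revoked_at or None)
    ("alice", "idp_account", "alice@corp.example", datetime(2024, 3, 1, 18, 30)),
    ("alice", "api_key", "key-a1", None),
    ("alice", "saas_session", "sess-77", None),
    ("bob", "idp_account", "bob@corp.example", datetime(2024, 3, 2, 12, 45)),
    ("bob", "api_key", "key-b2", datetime(2024, 3, 3, 9, 0)),
    ("carol", "api_key", "key-c3", None),   # current staff, not a leaver
]
REVOKE_SLA = timedelta(hours=4)   # assumed policy target for deprovisioning
REVIEW_TIME = datetime(2024, 3, 4, 9, 0)   # when the post-termination review runs


def leaver_review(leavers, credentials, sla, now):
    """Per leaver: residual access, slowest revocation, and SLA breaches."""
    report = {}
    for user, term_at in leavers.items():
        residual, breaches, durations = [], 0, []
        for owner, kind, ident, revoked_at in credentials:
            if owner != user:
                continue            # credentials of current staff are out of scope
            if revoked_at is None:
                residual.append((kind, ident))   # still live after termination
                if now - term_at > sla:
                    breaches += 1   # unrevoked and already past the SLA window
                continue
            ttr = revoked_at - term_at
            durations.append(ttr)
            if ttr > sla:
                breaches += 1       # revoked, but later than policy allows
        report[user] = {
            "residual_access": residual,
            "max_time_to_revoke_h": (max(durations).total_seconds() / 3600
                                     if durations else None),
            "sla_breaches": breaches,
        }
    return report


if __name__ == "__main__":
    for user, row in leaver_review(LEAVERS, CREDENTIALS, REVOKE_SLA, REVIEW_TIME).items():
        print(user, row)
```

Each row in the result is the kind of evidence an auditor would expect in the leaver ticket trail: what was still live, how long revocation took, and how many items missed the target.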