[QUOTE=Shagnasty]
Part of my job is as a systems administrator for a secure system in a mega-corp. Because of that, I and all the other administrators in the company get a daily e-mail of who to terminate. It is a hassle for me because I have to terminate them from my system within a couple of hours..
[/QUOTE]
[bolding mine]
Slacker!
For some of our systems, we have a 15-minute SLA to disable terminated users. Pretty much anyone who had financial access (tellers, cash vault operators, wires clerks, etc) get run through the emergency termination protocol. Every bit of their access is to be e-termed - mainframe, LAN, building access, remote access, and so on. Ideally, it’s all gone while the former employee is still in their manager’s office, being told that their services are no longer required.
One time a few months ago I had been working from home for about 3 weeks straight, and a couple days after a reorg at our site that resulted in a few terminations, I came into the office becaus my VPN wasn’t working.
But my badge wouldn’t work either. So I start thinking “oh, crap” in the back of my head. Even though I have a super-cool boss who I’m sure would have mentioned something.
I call a couple coworkers, but no one answers, which is odd because they aren’t usually on he phone. So I go around to the front desk, and wait for a few minutes for our facilities guy to get back from running an errand, my whole career flashing before my eyes. I mention that my I couldnt badge in, and he looks at me, sighs deeply, and says, “So nobody called you?”. Then he waits a couple beats and gives me a big shit-eating grin and tells me he has no clue why my badge wouldn’t work, reactivates it, and I go on my merry way, after a brief pit stop to change my drawers.
I was hired as a contractor, for a 1-year contract. About 9 months into the contract, they told me they were extending it another year (as frequently happened). But somehow HR didn’t take note of that, so on the 1-year anniversary of my hiring date, HR ordered all my access cut off, and it was.
Contacted my boss, he checked & eventually found the problem. But they told him it would take up to 2 weeks to restore my access. He got very upset; said “it only took you an hour to cut him off this morning, you ought to be able to correct your mistake just as fast!” But they claimed it was not possible.
I was actually halfway across the country, installing a new processing system at a regional warehouse. Halfway done; the old system was down, but the new one not up yet, so all our grocery orders for 3 states could not be processed. Rather critical time! So the boss gave me his password, and told me to logon using his ID and get the work done.
Then we found that the systems people had been very ‘efficient’ – this person no longer works here, so we can delete all his files. Suddenly a lot of critical files related to the conversion that were under my UserID were gone! But at least we got those restored within a few hours – the recovery process for lost files was known.
The HR people did manage to get it fixed, only taking a week to fix what they had messed up. But a whole lot of trouble & delay caused to others.
P.S. My boss was so mad & upset about this that he charged all my time (& overtime) for the week they took to fix it to HR instead of our project. He expected this would cause a big fuss at the end of the accounting period, and he could complain more about HR’s screwup.
But that never happened. Apparently HR was so lackadaisical about expenses that they never checked the reports, and didn’t notice this. Ended up making the cost/benefit on this project come out real good!
That’s easy to fix. You cut off computer access first, then physical access, and only after that enter in the termination. And you do the first two during the off hours, so the employee can’t do a thing. As long as the last one goes out before payday, it’s fine, so you can take your time on it, even if you automate the other two (particularly with scheduling so it happens during the off hours.)
And, on top of all that, you don’t give everyone in HR the ability to execute any of this, and, when installing a new system, you don’t take it live until after you’ve worked out how to use it without accidentally firing someone. (And hopefully that software makes it hardert than just highlighting a bunch of people and clicking a Terminate button.) And when you do fire someone, you go back over the list and make sure the person you wanted to fire is scheduled to be fired, and that the number of employees who have been so scheduled is not greater than the intended amount.
If you can’t handle all that, why the hell are you allowed access in the first place?
Yorick, I suppose if you knew you were safe in that it was a misunderstanding, it would not have been so devestating. If it was for real, I would have been mortified.
Which is how you end up with these central systems. That and the central systems put HR in the mix who already has the term list - and takes out “Jerry over at the help desk” and “Teri the systems administrator.” One system isn’t doing it all, in our case, but it is providing the feed to the security card systems, the email systems, LDAP, VPN access, etc. etc.
Back in the dark ages, they moved us into cubes outside the HR office when they did a massive lay off. They would tell us who they were going to go get next (we had a list), when they walked into the office, we’d terminate access. Partly because the previous system was to have a list and times and if HR got behind, you’d get “told” when you couldn’t get back from the bathroom - not good. Partly because once the list got “out” - and so they moved us to somewhere they could watch us, brought in pizza, and isolated us for the day. (We also got the services of a corporate psychologist for that experience).
I had to fire someone once on the spot. Sent emails to have his access/phone login shut off (which normally took days to be processed) then went to tell HR they needed to start their paperwork and before I got back to his desk he was looking for me to ask why his phone didn’t work.
It was a great segue to the as a matter of fact I was looking for you conversation.
I hope you got a big-@ss apology and some sort of compensation (at least a free lunch). That sort of screw-up is inexcusable. And employers wonder why employees have no loyalty and hate HR.
Egad - what about tenure-based benefits such as 401(k) vesting, vacation accrual etc.?
Oh - and I agree with the principal that termination = “end of all access including door, computer etc.”. However, the process SHOULD require multiple people to approve the termination. One person shouldn’t have the ability to screw things up that badly.
That’s one of the reasons it takes a week or longer to reinstate - especially an employee.
Honestly, our biggest issues have been contractors though. Contractor conversions took a long time to get smooth (to the point where we’d warn them when we made the offer ‘your access might disappear as part of this process.’) Contracts with a term date where the manager extended that but it never made it into the systems (often the manager didn’t tell anyone but the contractor). And contractors don’t have a lot of loyalty to you and we don’t need to worry about 401ks, so we were willing to tolerate glitches for longer.
More people in our experience = more problems. Each human can now make an error. And the risks involved in not getting someone terminated through the system is greater than in terminating someone accidentally, where you offer a profuse apology and continue to pay them. If we have to choose, we want to err on the side of accidentally terminating - not accidentally keeping access.
Well, I got the big-@ss apology from someone in the main HR office, which was actually more than I was expecting. The company I work for has about 300,00 employees worldwide, so this was probably a tiny blip on their radar.
I was hoping PoorYorick would say that he drove home, and his key didn’t work in the front door, and when he rang the doorbell and his wife answered, she would say “Do I know you?”
And it was all an incredibly involved conspiracy, but the only thing They forgot was to de-activate his SDMB account.
You know, PoorYorick, someday when you go to apply for another job, or a security clearance, or something else official, you’re going to get asked on a form, “Have you ever been terminated from a job?”
“Well, it’s funny that you ask that, because this one time…”
Don’t. Hiring managers are no noted for their sense of humor.
Any access here, including remote access, involves company hardware which travels with you. When you show up for your termination meeting (meaning you’re called for a quick one-on-one with the boss), they take your access hardware, swipe card, and keys from you at that point. Actual systems termination process takes about a week (I have a small part in the work stream) as IS unwinds your layers of access and privilages. But your phone, remote connect, and swipe access are cut within a half hour, even though you don’t have the physical means to reach any of them anyway. No one is terminated in a batch process - every termination requires the reporting manager to fill out and file paperwork. Oh, and the manager walks you out - without going back to your office. If you left anything you need immediately, the manager will go get it.
Security lets you back in after hours, escorts you to your office, and watches as you clean out your desk.
