CSA CCM HRS-05
Asset Returns

It's never a fun conversation, but sometimes employees leave an organization. Whether it's voluntary or involuntary, there are important steps that need to happen to ensure a smooth offboarding process. One critical piece is making sure all company-owned assets get returned promptly and completely. Let's dive into the details.

Where did this come from?

The Cloud Security Alliance (CSA) published the Cloud Controls Matrix (CCM) v4.0.10 on 2023-09-26. You can download the full document here. The CCM provides a controls framework for cloud computing and is considered a de facto standard for cloud security assurance and compliance.

This article focuses on control HRS-05 which falls under the Human Resources domain. The goal is to establish and document clear procedures for terminated employees to return any company-owned assets they have in their possession.

Who should care?

A few key personas that need to be aware of and involved in the asset return process:

  • HR managers responsible for overall employee lifecycle
  • IT staff that provision and manage company devices and access
  • Information security personnel concerned with data protection
  • Managers offboarding team members
  • Employees leaving the organization

What is the risk?

When the employment relationship ends, you need to make sure the individual no longer has access to company systems, data, and assets. Failing to fully deprovision access and collect assets opens up risks like:

  • Unauthorized access to sensitive information
  • Data theft or leakage
  • Misuse of company resources
  • Compliance violations
  • Reputational damage
  • Financial losses

Having a standardized, comprehensive offboarding workflow that includes asset recovery is essential to mitigate these threats. While it may not completely eliminate risk, it significantly reduces the likelihood and potential impact.

What's the care factor?

Asset return policies and procedures should be a high priority, especially for organizations dealing with sensitive data, operating in regulated industries, or issuing devices to personnel. You need to be able to trust that when someone leaves, they don't walk out the door with the keys to the kingdom.

Offboarding is something that unfortunately happens regularly. Having a smooth process in place makes it much less disruptive and limits your risk exposure. It's not the most glamorous task, but it definitely pays off to invest the time to get it right.

When is it relevant?

Asset return procedures kick in anytime an employee leaves the company permanently, whether it's voluntary or involuntary. Some key situations:

  • Resignations
  • Terminations
  • Retirements
  • End of contracts for temporary staff

The process could also apply to role changes like internal transfers or leaves of absence depending on the assets involved.

It's less relevant for employees who were never issued any equipment, although even then it's worth double-checking that no assets have gone unreported.

What are the trade-offs?

Implementing asset return controls does require some investment:

  • Time spent developing policies and procedures
  • Ongoing HR and IT labor for offboarding tasks
  • Potentially slowing down productivity during knowledge transfer
  • Dealing with uncooperative individuals
  • Budgeting for spares/replacements if assets aren't returned

However, these costs tend to be minor compared to the long-term value of protecting company property and data. It's really more of a necessity than a trade-off for most.

How to make it happen?

Here's a basic rundown of steps to implement HRS-05:

  1. Develop an offboarding policy that includes mandatory return of all company assets. Get input and alignment from HR, IT, security, and legal as needed.
  2. Define and document the specific assets in scope. This could include:
    • Laptops, phones, tablets
    • Access badges, keys
    • USB drives, external hard drives
    • Company credit cards
    • Uniforms, equipment
    • Files, documents
    • Anything else company owned that the employee may have
  3. Integrate asset return procedures into the standard offboarding workflow. Assign clear ownership.
  4. Maintain up-to-date inventory of what assets are assigned to each individual. Ideally tie this into the identity management system.
  5. Upon notice of termination, notify the employee of the requirement to return all company property. Provide specific instructions.
  6. Schedule an exit interview to review the offboarding checklist and collect assets.
  7. Have the employee sign an acknowledgment confirming they have returned everything.
  8. If assets aren't received, follow up with the individual. Escalate to legal if necessary.
  9. Once everything is collected, transfer assets to IT to wipe data, re-image, and prepare for re-use or disposal per data sanitization and asset management policies.
  10. Close out the ticket and archive records of the offboarding event.
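Steps 4 through 10 boil down to one reconciliation question: what was assigned to this person, what has come back or been revoked, and is anything overdue? The following is an added example, not part of the CCM or of this article, showing how that reconciliation can be driven from a per-employee inventory. The inventory, employee id, asset ids and the five-day return deadline are all constructed, hypothetical values; intangible assets (cloud accounts, license seats) are tracked alongside devices so they are not forgotten, and recording a return for an asset id that is not on the employee's record raises an error so that stale inventory data surfaces immediately rather than silently.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str          # device, badge, card, cloud_account, license, ...
    description: str
    tangible: bool     # True: must be physically returned; False: IT deprovisions it


@dataclass
class OffboardingCase:
    employee_id: str
    notice_date: date
    return_deadline_days: int = 5                    # hypothetical policy value
    returned: set = field(default_factory=set)       # tangible asset ids collected
    deprovisioned: set = field(default_factory=set)  # intangible asset ids revoked
    acknowledged: bool = False                       # employee signed the return form


# Constructed sample inventory keyed by employee id (hypothetical assets and ids).
INVENTORY = {
    "E1042": [
        Asset("LT-7781", "device", "Laptop", True),
        Asset("PH-2210", "device", "Mobile phone", True),
        Asset("BD-0193", "badge", "Building access badge", True),
        Asset("CC-5520", "card", "Corporate credit card", True),
        Asset("IAM-jdoe", "cloud_account", "Cloud IAM user", False),
        Asset("LIC-0042", "license", "Office suite license seat", False),
    ],
}


def outstanding(case, inventory):
    """Assets still assigned to the employee that have been neither returned
    (tangible) nor deprovisioned (intangible), in inventory order."""
    assigned = inventory.get(case.employee_id, [])
    return [
        a for a in assigned
        if (a.tangible and a.asset_id not in case.returned)
        or (not a.tangible and a.asset_id not in case.deprovisioned)
    ]


def record_return(case, inventory, asset_id):
    """Mark one asset as returned or deprovisioned. Ids that are not on this
    employee's record are rejected so out-of-date inventory is caught here."""
    assigned = {a.asset_id: a for a in inventory.get(case.employee_id, [])}
    if asset_id not in assigned:
        raise ValueError(f"{asset_id} is not assigned to {case.employee_id}")
    if assigned[asset_id].tangible:
        case.returned.add(asset_id)
    else:
        case.deprovisioned.add(asset_id)


def reconcile(case, inventory, today):
    """Status of the offboarding case on a given day:
    'complete'  - nothing outstanding
    'pending'   - items outstanding, deadline not yet passed
    'escalate'  - items outstanding past the return deadline (step 8)
    The ticket can only be closed (step 10) once everything is back
    and the employee has signed the acknowledgment (step 7)."""
    missing = outstanding(case, inventory)
    deadline = case.notice_date + timedelta(days=case.return_deadline_days)
    if not missing:
        status = "complete"
    elif today > deadline:
        status = "escalate"
    else:
        status = "pending"
    return {
        "status": status,
        "deadline": deadline.isoformat(),
        "outstanding": [a.asset_id for a in missing],
        "can_close": status == "complete" and case.acknowledged,
    }


if __name__ == "__main__":
    case = OffboardingCase("E1042", date(2024, 3, 1))
    for asset_id in ("LT-7781", "BD-0193", "IAM-jdoe"):
        record_return(case, INVENTORY, asset_id)
    # Ten days after notice with three items still out: status is 'escalate'.
    print(reconcile(case, INVENTORY, date(2024, 3, 11)))
```

In a real deployment the `INVENTORY` dictionary would be a query against the asset database or identity management system mentioned in step 4, and the `escalate` status would open the follow-up task in step 8; the point of keeping `can_close` separate from `status` is that a signed acknowledgment on its own never closes a case while items are still outstanding.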

What are some gotchas?

A few things to watch out for when implementing asset returns:

  • Remote workers may require shipping equipment back. Provide detailed instructions, cover costs, and allow enough lead time. Consider using tracked delivery services.
  • Shared workstations can cause confusion over who is responsible. Clearly assign ownership.
  • Assets may get missed if inventory records are out of date. Put processes in place to keep asset databases current as things change.
  • Managers sometimes let employees keep devices as informal severance perks. Make it clear that this requires proper authorization.
  • Don't forget about non-tangible assets like cloud accounts, software subscriptions, licenses, etc. Include them in the offboarding checklist.

The main thing is to be thorough and consistent in tracking both the assignment and return of assets throughout the employee lifecycle.

What are the alternatives?

Some options to supplement the asset return process:

  • Use remote mobile device management to lock and wipe lost devices
  • Implement data loss prevention tools to restrict transfer of sensitive info
  • Provide secure file sharing services to limit use of removable media
  • Employ zero trust access controls and just-in-time provisioning to reduce standing privileges

However, these solutions don't eliminate the need for HRS-05 compliance. They are complementary controls to have in a layered defense strategy.

Explore further

Here are some additional resources to learn more:

  • NIST SP 800-53 Rev. 5 - AC-2(4) includes access termination requirements
  • ISO/IEC 27001:2013 - A.8.3.1 and A.8.3.3 cover asset return and removal of access rights
  • CIS Top 20 Controls - CSC 16 recommends instituting off-boarding checklists that include recovered assets
  • Many cloud providers like AWS offer employee offboarding tools

It's also a good idea to stay current on data protection regulations that may impact offboarding requirements, such as GDPR or CCPA.

Hopefully this gives you a solid foundation to implement asset return procedures and avoid any unpleasant offboarding surprises. The key is to make it a standard, well-understood part of the employee transition process so nothing falls through the cracks.
