Employee offboarding is difficulty time. Along with the implications to emotions and morale, you’ll need to ensure that your IT team properly revokes all access to maintain security policies. In this article, Jose Costa (CISO at Tugboat Logic), Harpreet Shergill (Senior Manager, IS Risk & Compliance at Tugboat Logic), and Chika Nwajagu (Senior Security Analyst at Tugboat Logic) explain why revoking your departing employees’ access is important and how you can implement it for your audits and IT security policy.
Why Is Revoking Access During Employee Offboarding Important
“AC3.2 – Revoke Access on Termination – Management utilizes an employee termination checklist to ensure that the termination process is consistently executed and access is revoked for terminated employees in a timely manner.“
Revoking former employees’ access to your systems and data in a timely manner is one of the most common mistakes that lead to auditors finding you non-compliant. Auditors will check whether you terminated access and when you did so (like everything in life, timing is key).
Short-term, you need to implement this control to pass your audit. Long-term, you need this control in order to “protect ya neck” to quote the lyrical masters from Shaolin aka the Wu-Tang Clan. Think about it: employees who part with any organization (regardless of choice) could have malicious intent and steal truckloads of data. Or worse, they could sabotage your systems and lock their former co-workers out!
As your org grows, more users are going to have access to your data, which makes it difficult to manage who should and should not have access. Ideally, these users would be managed with an on/offboarding process, but organizations sometimes overlook that documentation process.
How to Implement Employee Offboarding Controls for Your Audits
Like other access controls (e.g. Control of the Week #4 on reviewing user access), having a list of employees in each role and the types of access they have helps to ensure compliance during offboarding. Also, make sure an offboarding checklist exists, is being followed to a “T”, and that access termination is a part of it. Designate people to own these tasks and then have them execute those tasks whenever people leave your org.
Employee Offboarding Tasks You Need to Think About
- The type of access that needs to be revoked (e.g. physical access to the building or administrator access to a software tool).
- Physical assets that need to be returned (e.g. ID cards or laptops).
- Network and system access – ensure access is terminated on the same day. Also, to any applications or system components that the terminated user had access to.
- Passwords for shared accounts – ensure passwords to shared accounts are either changed or disabled (as required). This also includes email and remote access.
Sample IT Employee Offboarding Checklist
Revoke employee access to IdP and SSO
Revoke, close, and /or reassign SaaS accounts to a different employee
Terminate VPN or other remote access networks and systems
Change any access to shared account passwords
Change employee email address password and forward to assigned employee
Recover equipment such as laptops, microphones, etc
- Update and change credit card information that the employee had access to
Other Things to Keep in Mind for Employee Offboarding
- While creating or defining an offboarding checklist, leverage the checklist you used for onboarding to determine what kind of access was originally provided.
- Think of the on/offboarding process as two different processes: access / assets provided during onboarding can be leveraged during offboarding for return / removal. The key is to determine what kind of access users had during termination, and then revoke all access accordingly.
- Have the departing employee sign a “Termination Agreement” that contains responsibilities and their associated consequences of ensuring confidentiality of company data post-employment.
As always, give us a shout if you have any questions about the controls and how to implement them.
PS: Launch a security program that protects your business, builds trust with customers, and impresses your board by downloading Security Best Practices for Startups