What are Steps to Take for Employee Offboarding?
Establishing and following an IT protocol for offboarding employees is a critical, but often overlooked, cybersecurity protection activity. More often than not, an organization cannot predict how, why, or when an employee will exit the organization, so having a plan in place that can be applied in any circumstance ensures that each departure is handled in a clean and consistent manner. When the departure is the result of a termination, an organization can take the following steps to handle employee offboarding swiftly from an IT perspective:
Termination initiation. HR establishes when they intend to inform the employee of their termination and notifies security staff and IT. IT’s activities will be determined by HR/security staff’s assessment of risk level.
Termination for high risk level. Turn off their computer, disable their access to all systems, remove organizational data from employee-owned devices (via observed deletion or remote wipe), collect employer-owned equipment, and inventory all physical and cloud locations where the employee stored data.
Phone activities. Change the voicemail password, change the outgoing voicemail message, assign someone to monitor the voicemail until the number is deleted or reassigned, and disable any external call forwarding or forwarded alerts.
Email activities. Change the email password from within the email system, remove the email account from employee-owned devices (via observed deletion or remote wipe), create an out-of-office message, remove the employee from group email lists, and assign someone to monitor the email until the account is deleted or reassigned.
Cloud and network access. Revoke employee access from access control security groups that control domain, VPN, AMS, and remote desktop log-ins, revoke access to file-sharing platforms such as Dropbox, remove association files stored outside of primary repositories, distribute the employee’s files to appropriate employees/departments, revoke direct site-to-site VPN from their personal home firewall, and remove remote access software from their computer.
Employer-owned equipment. If there are items left unrecovered during the termination because they were off-site, such as printers, keys, software, etc., make a plan for the employee to return the items and have them sign a document attesting that all equipment has been returned.
Accounts. Review database logs to determine which passwords had been used by the terminated employee, have staff change their passwords if there are shared password risks, remove the employee from lists of authorized contacts by removing or changing credentials and adding replacement staff, and provide new contacts to vendors from enterprise systems, website vendors and platforms, managed service providers, building staff, parking staff, payroll, and banking.