Proper guidelines for onboarding and offboarding employees are essential for protecting the confidentiality and integrity of internal data and resources. While such scenarios may not immediately come to mind, a variety of security crises can erupt from improper handling of employees during the onboarding and offboarding processes. A disgruntled employee could lock shared accounts and sabotage data files on their way out. A new hire could be given too much access to company resources before they are trained in how to use them. To mitigate the risk of such incidents, compile checklists for secure onboarding and offboarding of employees.

Onboarding

  • Clearly define the role’s hardware, software, and data needs before a candidate is even hired. By doing this, employees can have a smooth transition into their environment, with their digital requirements already defined. Their access can be automatically turned on, with no need for the IT department to scramble to prepare technology.
  • Create and enable employee accounts as soon as they are hired. This usually involves adding an email account to the central IAM dashboard, and/or creating a new account on device operating systems. The best practice is to configure all new accounts with a basic default password like password12345 and check the option to have the account owner set their own password at next logon.
  • Ensure access and licensing to productivity tools is granted. Piggybacking off the last point, access should be provided for all productivity tools, such as Zoom and Microsoft Office. In an environment that utilizes identity federation, this is no problem as the new employee must simply sign in with their central identity. However, if you have a less centralized environment, you may need to assist the employee with creating accounts on the software. It is also important that you ensure all software on the employee’s devices is properly licensed.
  • Ensure that new employees agree to organizational policies before any access is granted. It is imperative that employees agree to any and all applicable policies before they are allowed access to digital resources.
  • Implement employee training procedures. With so many business processes being digitized, it is crucial that new hires are trained on how exactly to use the required technology. This could be done in the form of manual training or job shadowing with an experienced employee. It could also be done through digital training modules made using a special tool.

Offboarding

  • Immediately deactivate accounts. As soon as the departure of the employee is finalized, all accounts should be disabled. This includes online and offline accounts. This process is made significantly easier by using a centralized IAM platform.
  • Change logins for shared accounts. Many businesses utilize shared accounts for tasks like social media management or project management. This is usually done out of convenience for job rotations. When an employee departs, it is important to change the passwords for all shared accounts the employee was a member of.
  • Collect all physical assets before the employee departs. Every departing employee should be expected to turn in company assets like computers, printers, docking stations, and mobile phones. They should be turned in in perfect condition and with integrity intact. These expectations make up what is known as an Asset Return Policy.
  • Retain employee data. Even though the employee is departing your organization, it is important to retain their data for regulatory purposes. In the case of a disgruntled employee or a criminal incident, said data may also be needed for forensic purposes. A good policy is to keep all employee data for one year after their departure. This data should be stored in a secure location, such as an offline encrypted drive.
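
The offboarding items above can be checked mechanically once account, shared-login, asset, and archive records are kept in one place. The following is an added example, not part of the original checklist: the usernames, systems, and record layout are constructed for illustration, and it assumes a shared password last changed before the departure date is still known to the leaver.

```python
from datetime import date, timedelta

RETENTION = timedelta(days=365)  # the checklist's "one year after their departure"

# Constructed sample inventory (hypothetical users, systems and field names).
DEPARTURES = {"jdoe": date(2024, 3, 1), "asmith": date(2023, 1, 15)}
ACCOUNTS = [
    {"owner": "jdoe", "system": "iam", "enabled": False},
    {"owner": "jdoe", "system": "laptop-local", "enabled": True},
    {"owner": "asmith", "system": "iam", "enabled": False},
]
SHARED = [
    {"name": "social-media", "users": {"jdoe", "mlee"}, "password_changed": date(2024, 1, 10)},
    {"name": "project-board", "users": {"jdoe"}, "password_changed": date(2024, 3, 1)},
]
ASSETS = [{"holder": "jdoe", "item": "docking station", "returned": False}]
ARCHIVES = {"jdoe": True, "asmith": False}  # is the user's data still archived?


def audit_offboarding(departures, accounts, shared, assets, archives, today):
    """Return sorted (user, finding) pairs for users whose departure is effective."""
    findings = []
    for user, left in departures.items():
        if left > today:
            continue  # departure not yet effective
        for a in accounts:
            # Covers central (online) and device-local (offline) accounts alike.
            if a["owner"] == user and a["enabled"]:
                findings.append((user, f"account still enabled on {a['system']}"))
        for s in shared:
            # Assumption: a password set before the departure date is known to the leaver.
            if user in s["users"] and s["password_changed"] < left:
                findings.append((user, f"shared password not rotated: {s['name']}"))
        for x in assets:
            if x["holder"] == user and not x["returned"]:
                findings.append((user, f"asset not returned: {x['item']}"))
        # Data must still exist until one year after the departure date.
        if today < left + RETENTION and not archives.get(user, False):
            findings.append((user, "data missing inside retention window"))
    return sorted(findings)


if __name__ == "__main__":
    today = date(2024, 3, 5)
    for user, finding in audit_offboarding(DEPARTURES, ACCOUNTS, SHARED, ASSETS, ARCHIVES, today):
        print(f"{user}: {finding}")
```

Running the audit on a schedule, rather than once on the departure day, also catches accounts that are re-enabled or shared logins that are created later with a former member still listed.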