Access reviews
      Back to home
      1. AssuranceLab - Knowledgebase
      2. Access reviews

      Streamlining access termination: protecting your data when employees and contractors exit

      When employees or contractors leave your company, one of the most critical tasks is ensuring their access to systems and sensitive data is promptly and thoroughly revoked. Failing to do this can leave your business vulnerable to unauthorized access, data leaks, or other security incidents. Here’s how to manage access termination effectively and ensure your company remains secure.

      The essentials of an effective off-boarding process

      1. Off-boarding checklist: the backbone of a successful access termination process is a comprehensive off-boarding checklist. This checklist should include all the necessary tasks to ensure the departing individual no longer has access to your systems or data. Key items typically include:
        • Revoking access to all critical systems
        • Retrieving company-issued devices (laptops, phones, etc.)
        • Ensuring all company data on personal devices is deleted or returned
        • Updating licensing to avoid unnecessary costs
      2. Centralized access management: if your company uses an Identity Provider (IDP) like Okta, managing access termination becomes much simpler. With centralized access management, you can revoke access to all systems from a single platform, reducing the number of checklist items and the risk of missing something important.
      3. Documenting the process: from an audit perspective, the key is to have clear documentation showing the off-boarding process was followed. This doesn’t need to be overly detailed—typically, a completed checklist is sufficient. Each checklist should indicate:
        • Who completed the tasks
        • The date the tasks were completed
        • Confirmation that access was revoked and devices/data were returned
      4. Employee acknowledgment: a best practice is to have the departing employee or contractor sign off on the checklist. This acknowledgment confirms they’ve returned all company property, including data, and they understand their ongoing responsibilities regarding confidentiality and data security. Even after leaving the company, the confidentiality agreement remains in effect, ensuring any company data in their possession is either destroyed or properly returned.

      Managing licenses
      Another important aspect of access termination is managing software licenses. Many licenses are tied to individual users, so failing to remove a user’s access can lead to unnecessary costs. Ensuring licenses are promptly reassigned or terminated as part of the off-boarding process can save your company money and avoid compliance issues.


      Implementing 'just enough'
      Satisfying the minimum of this control is demonstrating a template (Type 1) or live process that removes access upon termination. That could be a short checklist that includes confirmation of access removal, or a workflow ticket (eg. JIRA) that requests and confirms access removal.


      Better practices
      A termination or offboarding checklist is best practice to cover various offboarding tasks that often involve cross-departmental efforts. These include revoking system access and any physical access, devices, documents and data. It may also require notifying customers or partners, adjusting the organizational chart and other practical considerations. One of the key better practices from a security standpoint, is to require terminated employees to sign off saying they have returned or destroyed any sensitive data and reaffirming their ongoing confidentiality commitments post-termination.


      ➡️ Doing less tip #1: simplify the checklist with a critical focus
      Break your off-boarding checklist into two parts: critical actions that must be completed immediately and secondary tasks that can be handled later. By focusing on the most important items first—like access revocation and device retrieval—you ensure the key security risks are addressed right away. This also reduces the risk of the checklist becoming too cumbersome, which could lead to delays or overlooked tasks.

      • critical items (day of offboarding):
        • Revoke access to all key systems
        • Retrieve company devices
        • Confirm data return or destruction
      • secondary items (post-offboarding):
        • Review and adjust software licenses to avoid unnecessary costs
        • Update internal directories and contact lists
        • Conduct a final audit of the employee’s access history

      ➡️ Doing less tip #2: manage licensing and cost efficiency
      Managing software licenses is an important consideration, but it doesn’t necessarily need to be done on the day of offboarding. Ensuring licenses are updated and you’re not paying for unused accounts is essential for cost management. This can be done as part of a regular follow-up process rather than during the initial offboarding. It is a good task to delegate to a specific team member to handle within a set time frame after the offboarding is complete.


      ➡️ Doing less tip #3: maintain flexibility
      Your off-boarding process should be adaptable to different roles and levels within the company. For example, the process for a senior executive might require more thorough steps than for a temporary contractor. By keeping the critical checklist short and focused, you ensure the most important actions are always completed, regardless of the individual’s role.


      In a nutshell
      Access termination is a vital part of your company’s security posture. By implementing a robust off-boarding process with a clear checklist, centralized access management, and proper documentation, you can minimize risks and protect your sensitive data. Remember, simplicity is key—focus on what matters most, and ensure every access point is securely closed when someone exits your company.