Document and follow a detailed process for creating and shutting down accounts, and inventory accounts and credentials at least quarterly. Be sure to include clean-slate resets of credentials during job changes, Reich recommends.
Treat every job change as a departure and a new hire, even if an employee is just moving up the ranks. Access should never simply accumulate from one role to the next.
Keep IT and HR systems in sync. Automation plays a particularly valuable role here: Automate connectivity between HR tools and account provisioning tools, which requires more than simply checking lines on a spreadsheet. Connectivity should include flagging employee exits initiated for nonperformance or other cause; such departures bring higher odds of agencies missing a step due to their unexpected nature. Disable those accounts as soon as possible.
How to Automate Offboarding
An enterprise automation platform lets teams connect applications and listen to them for events or triggers. To automate offboarding, teams specify the triggers or workflows they wish to automate, such as the HR system sync described above. Offboarding processes that teams typically automate include deprovisioning, or removing access to applications, platforms and hardware or other equipment; and alert routing, which notifies stakeholders whenever concerning behaviors take place.
After identifying and prioritizing the workflows or events to be automated, use the automation platform to connect all relevant applications and tools, then build out triggers and corresponding sets of actions. When an employee is marked for offboarding in an HR tool, a workflow can be triggered, and the IT ticketing application can create and assign all tickets related to offboarding duties. Secure access tools can be triggered to shut off laptop access based on an employee’s date of departure.
A Good Offboarding Checklist Adheres to Zero Trust
The zero-trust to-do list issued by the Office of Management and Budget under President Biden includes additional guidance for offboarding: “Agencies must employ centralized identity management systems for agency users that can be integrated into applications and common platforms,” per January 2022 guidance from then-acting Director Shalanda Young.
Other automation opportunities include routine scans for accounts without recent logins. Doing so won’t stop takeover attempts immediately following an employee’s departure, but at least it prevents unused accounts from piling up.
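The HR-to-provisioning sync and the stale-account scan described above can be combined into one reconciliation pass. The sketch below is an added example, not code from any agency or product: the field names, the sample records and the 90-day threshold are assumptions, and a real deployment would read the HR export and the identity system's account inventory instead of inline data.

```python
from datetime import date, timedelta

# Constructed sample data: HR export and account inventory (hypothetical field names).
HR_ROSTER = {
    "E100": {"status": "active", "exit_reason": None},
    "E101": {"status": "terminated", "exit_reason": "for_cause"},
    "E102": {"status": "terminated", "exit_reason": "resignation"},
    "E103": {"status": "active", "exit_reason": None},
}
ACCOUNTS = [
    {"account": "asmith", "employee_id": "E100", "enabled": True, "last_login": date(2024, 5, 28)},
    {"account": "bjones", "employee_id": "E101", "enabled": True, "last_login": date(2024, 5, 30)},
    {"account": "cdoe", "employee_id": "E102", "enabled": False, "last_login": date(2024, 3, 1)},
    {"account": "dlee", "employee_id": "E103", "enabled": True, "last_login": date(2024, 1, 15)},
    {"account": "svc-legacy", "employee_id": "E999", "enabled": True, "last_login": None},
]

def reconcile(roster, accounts, today, stale_after_days=90):
    """Return (priority, account, reason) findings, most urgent first."""
    cutoff = today - timedelta(days=stale_after_days)  # assumed threshold
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; nothing left to shut off
        person = roster.get(acct["employee_id"])
        if person is None:
            findings.append((2, acct["account"], "no matching HR record (orphaned)"))
        elif person["status"] == "terminated":
            # Exits for cause are unplanned, so they go to the front of the queue.
            urgent = person["exit_reason"] == "for_cause"
            findings.append((0 if urgent else 1, acct["account"],
                             "owner terminated (%s), account still enabled"
                             % person["exit_reason"]))
        elif acct["last_login"] is None or acct["last_login"] < cutoff:
            findings.append((3, acct["account"],
                             "no login in %d days" % stale_after_days))
    return sorted(findings)

if __name__ == "__main__":
    for priority, account, reason in reconcile(HR_ROSTER, ACCOUNTS, date(2024, 6, 1)):
        print("P%d %-12s %s" % (priority, account, reason))
```

Findings at priority 0 and 1 are the ones the HR sync should have caught; a recurring nonzero count there means the automated trigger is missing departures.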
A departure checklist should also include hardware collection, starting with an employee’s Common Access Card. Back up employee data as required by retention policies before wiping it from all devices, and close out software licenses as necessary to avoid so-called shelfware problems, or wasted funds for licenses and product seats that go unused.
Study the National Institute of Standards and Technology’s Special Publication 800-53, “Security and Privacy Controls for Information Systems and Organizations” (last revised in late 2020), for specific guidance on what must be collected, wiped and shut off. Add each of those details to the offboarding checklist, and update this list as new software or tools are issued to employees or specific teams.
Remember that cloud storage can simplify some of the hassle of such management, while employees taking documents to work from home on personal devices will complicate it greatly.
Do This Every Four Years
The massive turnover at the end of a presidential term, even if there’s no change of administration, makes having a current inventory of accounts that much more important.
The Executive Office of the President sees enough staff changes that management must stagger their departures, typically phasing them out about two weeks before inauguration. Records management proves trickier at the EOP, because some employees there work under the Presidential Records Act while others operate under the Federal Records Act.
Although the scale of staff exits varies among other federal agencies, the work of disabling departing staffers’ accounts can all too easily be set aside as IT teams focus exclusively on processing all of the new people coming in.
Assign one or two team members to focus solely on monitoring offboarding processes, deadlines and benchmarks, and on ensuring accounts are in fact disabled. Such assignments can also ensure that managers remain on guard for glitches in automated systems and avoid unfortunate offboarding debacles, such as allowing a clearance-monitoring system to disable the wrong people’s access to classified data.