A secure employee departure checklist

What steps should a business take when an employee is leaving the company in order to minimize threats to your data? Here's a checklist to securely see departing employees out the door

Employee exit
Thinkstock

Employee exit

A certain amount of employee turnover is a natural part of any organization’s life cycle. With each departure, whether the employee was entry-level or an executive, every organization should have a comprehensive process in place to facilitate the employee’s exit, while protecting the company’s information and securing the network and computer system accounts. Laura Iwan, Senior Vice President of Programs at the Center for Internet Security, has compiled these tips to help avoid any issues when an employee leaves the company.

Conduct an exit interview with the employee
Thinkstock

Conduct an exit interview with the employee

Once the employee submits their resignation, schedule time for them to sit down with their supervisor and the IT team. During this meeting, review document retention requirements including the process for saving electronic and print documents, discuss any company devices that need to be returned, review any company related accounts they access, credit cards including related online reconciliation accounts, and identify how they can be reached if the company needs to get in contact after their last day.

Retrieve company mobile devices and backup discs, USBs, etc.
Thinkstock

Retrieve company mobile devices and backup discs, USBs, etc.

Your IT team should be maintaining an inventory of all equipment and devices that have been distributed to employees. This can include any laptops, phones, tablets, navigation systems, cameras, etc. In addition, request that the employee return any backup devices like flash drives, CDs, external hard drives, etc.

Numerous data breaches are the result of a stolen or a lost device. Mitigate this risk by identifying and collecting all devices from your departing employee.

Deactivate company email addresses and remote access accounts
Thinkstock

Deactivate company email addresses and remote access accounts

Have your IT team implement a process for former employee emails to be forwarded to their supervisor to ensure continued communications with external customers. The email account and all computer network accounts should be deactivated on the day of departure to discontinue employee access to company information after separation from employment.

04 passwords
Thinkstock

Change passwords

In the exit interview, you should have reviewed the accounts that are linked to the employee. For example, if they’re your social media manager - is the company Twitter account in their name? If that’s the case, request that they switch over these important accounts to their replacement or supervisor.

After the employee has left, you will want to update any of the passwords to accounts they had access to.

Collect all company-related keys, pass-cards, and ID cards
Thinkstock

Collect all company-related keys, pass-cards, and ID cards

On the employee’s last day, make sure they turn in any items they use to enter the building, like keys, identification cards or pass-cards. Also, be sure to inform the security team that it’s the employee’s last day at the company. This will ensure that they’re aware that the individual is separating from employment with the company.

In addition, if the employee has any access codes to computer-based building security systems, make sure these are changed upon their departure and new codes are distributed to necessary staff.

Change PINs or passwords to any corporate credit cards or financial accounts
Thinkstock

Change PINs or passwords to any corporate credit cards or financial accounts

If you offer your employees corporate credit cards or access to financial accounts, make sure that they turn in the cards, any corresponding bank statements, relinquish access to related bank accounts, and any other material that could contain financial information.

If the corporate card was issued in the employee’s name, be sure to take the necessary steps to deactivate the card. If you plan to re-issue it for their supervisor or replacement, make sure you update the PIN number and corresponding passwords.

Prepare for challenges
Thinkstock

Prepare for challenges

In the event that you need to terminate an employee, you should be prepared for a potentially negative reaction. In these instances, be sure to forewarn your IT and security teams, so that they can immediately implement the exit process.  

For more resources visit CIS at www.cisecurity.org and for cyber hygiene resources, visit: https://www.cisecurity.org/about/CHToolkits.cfm