An IT Checklist to Protect Your Association or Nonprofit’s Security When an Employee Leaves
- DelCor Staff
- May 22, 2018
Your IT team plays a critical role in onboarding and offboarding association and nonprofit staff. Overlooking important steps is simply not an option, especially when HR has to move quickly on an employee’s termination, while your organization and member data hangs in the balance.
What’s at risk when an employee leaves?
In an ideal world, an association would have policies and procedures in place to monitor their intellectual and physical property. And a crystal ball would tell us when employees are going to leave, along with where we can find information about all their work-related contacts, relationships, application access, and data. And we'd have defined employee termination security procedures that we follow faithfully.
However, in the real world, no such foresight exists. Worse, employee termination policies are not rigorously enforced. During time-sensitive or jarring situations, policy enforcement may not be top of mind, but it’s critical to the security of your organization’s data and systems—as evidenced by the increased prevalence of cybersecurity incidents, some of which can be traced back to careless or dishonest staff.
While we’re on the topic, let’s underscore the importance of cybersecurity—including as it pertains to your staff and vendors. Effective technical offboarding of staff is a critical step in maintaining data security, but it’s only one of many. Your systems, staff, MSP, and vendors all play roles in protecting your organization. A cybersecurity assessment will show you how well you’re protecting your organization and its data, and where you need to fill gaps, including everyday policies and procedures.
Let your MSP handle employee offboarding
In our role as a managed services provider (MSP) to many associations and nonprofits, our clients’ HR department and organizational leaders typically turn to us for guidance in these situations. An MSP like DelCor handles the securing of hardware, software, and data during these staff transitions, so staff can focus elsewhere.
To ensure we leave no stone unturned, our consultants follow a methodical IT termination checklist to offboard employees who leave, for any reason. Even the smallest deviation from these procedures can’t be tolerated, lest you create cracks in your most basic security protocols. When staff departures occur in haste or unexpectedly, you can rely on your MSP to adhere to these offboarding procedures while working closely with your HR and other staff.
Offboarding an association IT staff person
Adherence is particularly important when a member of the IT team is terminated. Because IT staff have a different level of access to user data, they require special attention. For example, it’s not good practice for IT team members to share administrative credentials, yet staff often take that shortcut instead of having separate logins for each administrative user. The checklist for terminating technology personnel is therefore more extensive and time-consuming, but it’s critical for protecting your organization, staff, members, and reputation.
Sample IT Checklist for Offboarding Association or Nonprofit Staff
Based on our experience offboarding staff for our MSP Partners, we created a sample termination checklist your IT staff can follow when an employee is terminated. Amend it to account for your special circumstances and add it to your staff exit plan.
Note: This checklist for terminating employees is focused specifically on the technical and cybersecurity offboarding procedures relevant to associations and nonprofits.
Step 1: Initiation of Termination
- HR determines the need, timing, and terms of separation, then notifies IT to conduct the following tasks.
- Working with HR or security staff, determine the risk level, which dictates IT’s approach and timing.
Step 2: Termination/Exit Interview (immediate steps for high-risk employees)
- Turn their computer off.
- Immediately disable the employee’s access to all systems, such as Active Directory. Don’t delete it yet, in case you need to re-enable it later.
- Remove all organizational data from employee-owned devices following one of these options:
  - HR observes the user deleting email accounts from their phone.
  - IT does it via remote wipe, which can potentially delete personal data, so exercise caution.
- Ensure the terminated employee returns any company-owned equipment: laptops, tablets, USB drives, etc.
- Compile a list of all locations where the employee stored data including cloud storage platforms—you may have to perform some detective work to uncover shadow IT.
Step 3: Phone
- Ensure the employee’s telephone is not forwarded to any external numbers, such as their cell phone.
- Change their voicemail password.
- Change outgoing voicemail message in accordance with your organization’s communication guidelines.
- Assign someone to monitor the voicemail until that phone number can be deleted or reassigned.
Step 4: Email Access
- Change their password in your email system or Active Directory. Review Step 5: Network and Cloud Access below before re-enabling the account, if you need to do so.
- If the employee used a personal cell phone or tablet to access work email, wipe or remove the email account if not already done during Step 2.
- Create an out-of-office message for email in accordance with your organization’s communication guidelines.
- Remove terminated employee from generic email distribution lists, such as “all staff.”
- Remove them from specialized email distribution lists or aliases. Make sure someone else is a member, so messages are not missed.
- Assign and provide access to someone to monitor the terminated employee’s email. Determine how long the email box will be available—we recommend 30 days—after which the mailbox is deleted. Make sure you follow up after the established period has lapsed.
Step 5: Network and Cloud Access
- Remove the employee from all access control security groups, which typically control access for logging in to domain, VPN, remote desktop, AMS, and other systems.
- Move any association files that may have been stored outside your primary file repositories to a central location.
- Revoke access to your corporate Dropbox account or similar platforms.
- Remove association files from any personal cloud storage accounts.
- Determine and grant access to whomever will need access to the terminated employee’s local and network files. Warning: do not fall into the trap of “just giving their supervisor access to their old H drive.” You’ll end up with legacy H drive folders that never get touched, and people will for years say “just go look in Tom’s old folder.” Instead, follow good information management practice—consult with the relevant department and move content to a place that makes sense organizationally.
- Review firewall access rules to confirm the user does not have any other access, such as direct site-to-site VPN from their personal firewall at home.
- Confirm that no remote access software is installed on their workstation, such as TeamViewer or LogMeIn, which they might use to access the computer or your network.
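The Active Directory, Exchange, and workstation items in Steps 2, 4, and 5 are the ones most easily scripted so they happen in the same order every time. The PowerShell below is an added example written for this page, not DelCor's own tooling. It assumes the RSAT ActiveDirectory module and an Exchange management session (on-premises or Exchange Online) are already loaded, that the caller has the necessary admin rights, and that the account name, delegate, workstation name, and "Disabled Users" OU are placeholders to be replaced. It also records every action to a per-user report file so HR has a record of what was changed, and it checks the mailbox for forwarding rules, the email equivalent of the Step 3 phone-forwarding check.

```powershell
<#
 Added example, not DelCor's own tooling: scripted pass over the Active Directory
 and Exchange actions in Steps 2, 4 and 5 of the checklist, plus the Step 5
 workstation check for remote-access software. Assumes the RSAT ActiveDirectory
 module and an Exchange management session are loaded. All names are placeholders.
#>
param(
    [Parameter(Mandatory)] [string] $SamAccountName,  # departing user, e.g. 'tjones' (placeholder)
    [Parameter(Mandatory)] [string] $DelegateSam,     # staff member assigned to monitor the mailbox
    [string] $Workstation,                             # hostname of the user's PC, if known
    [string] $DisabledOU = 'OU=Disabled Users,DC=example,DC=org',  # placeholder DN
    [int]    $MailboxRetentionDays = 30                # the checklist's 30-day recommendation
)
Import-Module ActiveDirectory
$stamp  = Get-Date -Format 'yyyy-MM-dd'
$report = "offboard-$SamAccountName-$stamp.txt"
$user   = Get-ADUser -Identity $SamAccountName -Properties MemberOf

# --- Step 2: disable (never delete) and invalidate the current password -------
Disable-ADAccount -Identity $user
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPwd = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPwd
"$stamp account disabled and password reset" | Out-File $report

# --- Step 5: record group membership first (HR may ask to re-enable), then strip it
$groupNames = $user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name }
"Groups removed: $($groupNames -join ', ')" | Out-File $report -Append
foreach ($g in $user.MemberOf) {
    Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false
}
$until = (Get-Date).AddDays($MailboxRetentionDays).ToString('yyyy-MM-dd')
Set-ADUser -Identity $user -Description "Offboarded $stamp; mailbox retained until $until"
Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU

# --- Step 4: mailbox -------------------------------------------------------------
$mbx  = Get-Mailbox -Identity $SamAccountName
$addr = $mbx.PrimarySmtpAddress.ToString()
$msg  = 'This mailbox is no longer monitored. Please contact the main office for assistance.'  # adjust to your guidelines
Set-MailboxAutoReplyConfiguration -Identity $addr -AutoReplyState Enabled `
    -InternalMessage $msg -ExternalMessage $msg
# Remove any forwarding the user configured (the email analogue of the Step 3 phone check)
Set-Mailbox -Identity $addr -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
$fwdRules = Get-InboxRule -Mailbox $addr |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }
foreach ($r in $fwdRules) {
    "Removed forwarding rule '$($r.Name)': $($r.ForwardTo) $($r.RedirectTo)" | Out-File $report -Append
    Remove-InboxRule -Mailbox $addr -Identity $r.Identity -Confirm:$false
}
# Delegate the mailbox for the retention period and drop the user from every distribution list
Add-MailboxPermission -Identity $addr -User $DelegateSam -AccessRights FullAccess -AutoMapping $true | Out-Null
$lists = Get-DistributionGroup -ResultSize Unlimited | Where-Object {
    (Get-DistributionGroupMember -Identity $_.Identity -ResultSize Unlimited |
        ForEach-Object { $_.PrimarySmtpAddress.ToString() }) -contains $addr
}
foreach ($dl in $lists) {
    Remove-DistributionGroupMember -Identity $dl.Identity -Member $addr -Confirm:$false
    "Removed from distribution list: $($dl.Name)" | Out-File $report -Append
}

# --- Step 5: look for remote-access software on the workstation ------------------
if ($Workstation) {
    $patterns = 'TeamViewer', 'LogMeIn'   # extend with whatever tools your policy names
    $found = Invoke-Command -ComputerName $Workstation -ArgumentList (,$patterns) -ScriptBlock {
        param($patterns)
        $uninstall = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
            Where-Object { $n = $_.DisplayName; $n -and ($patterns | Where-Object { $n -like "*$_*" }) } |
            Select-Object DisplayName, Publisher, InstallDate
    }
    if ($found) {
        "REMOTE ACCESS SOFTWARE FOUND on ${Workstation}:" | Out-File $report -Append
        $found | Format-Table -AutoSize | Out-String | Out-File $report -Append
    } else {
        "No remote-access software found on $Workstation" | Out-File $report -Append
    }
}
Write-Host "Offboarding actions logged to $report"
```

Run it as soon as HR gives the word, before anything else in Step 2, and keep the report file with the HR termination record. The script deliberately disables and moves the account rather than deleting it, and saves the group list before removing membership, so that a mistaken or reversed termination can be undone without guesswork.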
Step 6: Property
- If not done during termination, recover association property from the terminated employee—laptop, cell phone, security key, home printer, software, etc.
- Require terminated employee to sign a document confirming that all property has been returned to the association.
Step 7: Personnel
- Review your password database logs to determine which passwords were accessed by the employee. If you don’t have a log, get one.
- Require related staff to change their passwords if there is any risk of shared passwords.
- Contact vendors the terminated employee managed or worked with to alert them of the employee’s departure and provide a new contact. These include, but are not limited to:
  - Enterprise systems (AMS, HRIS, etc.)
  - Website vendors and platforms (CMS)
  - Managed services provider
  For each vendor:
  - Remove terminated employee from authorized list of contacts.
  - Remove or change credentials (usernames/passwords).
  - Add replacement staff as necessary.
Additional Steps for Offboarding IT Staff
- Change shared/standard passwords and disable the terminated employee’s access. Take this opportunity to create dedicated usernames and passwords for each admin so you never have to do this again.
- Recover any company software, manuals, keys, backups, etc.
- Recover, remove, and/or destroy any personnel information, contact lists, etc.
- Update records for external providers and services (e.g., website hosts, MSP, data center).
- Ensure vendors are following accepted security protocols.