<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">

Best Practices When Writing Your Access Onboarding & Termination Policy

It's easy to focus on cybersecurity threats like social engineering and phishing. However, internal threats, such as human error and disgruntled employees, can be just as dangerous - and are often overlooked. A mature onboarding and termination policy that leverages least privilege access is essential to preventing a data breach.

Employees and other internal users were the cause of 60% of data breaches - both intentional and accidental - in 2016.

In the world of SOC 2, these types of threats are addressed in the Access Onboarding and Termination policy. The policy’s purpose is to minimize the risk of data exposure by enforcing the principle of least privilege access. The scope of the policy is only technical infrastructure. Areas like payroll and benefits are not included in this policy. Are customers concerned about your support staff accessing their data? StrongDM provides you with an audit trail of who did what, when and where.

Here are best practices to consider when writing your company’s Access Onboarding and Termination Policy:

Implement least privilege access during onboarding

Hiring managers should inform HR upon the hiring of a new employee. HR communicates this to IT, who creates a checklist of access and permission levels appropriate to the role. This checklist should include systems internal to the company, as well as any necessary external portals (HR, payroll, etc.). The owner of each application will review and approve account creation and permission levels and then work with IT to complete user setup.

Automate manual steps during termination

Hiring managers should inform HR promptly when termination occurs. Every week, HR should send a list summarizing termination and instruct IT to suspend their access within five business days. As much as possible, these steps should be triggered by automation and should not require manual intervention. We're all human and forgetful. Things can easily slip through the cracks when you don't have enough coffee. In many companies, a centralized database (such as Active Directory) is the primary mechanism for provisioning user access, but don’t forget about any external or third-party systems that use other authentication systems. Often companies will leverage HR systems or ticketing/support portals from managed service providers, so terminated users should have their access revoked from those sites as well.

Removing access is especially important for any members of the IT and security staff. As mentioned in the previous section, these users often have network-wide access and could make quickly make significant changes in the environment very quickly. Revoking their access from all systems immediately upon termination is critical.

When does access change?

When an employee changes roles within the organization, their account access and permission levels should change accordingly. Too often, when users get promoted within the organization, they retain access rights from their previous position, which may be excessive or inappropriate for their new job. Similar to the onboarding process, hiring managers should inform HR of any role change. Then HR and IT will follow the same steps for onboarding and offboarding to provision new access.

📣 Download the 2022 Technical Staff Offboarding Checklist

When are permissions reviewed?

Your company should define a cadence to review existing accounts and permission levels. Newer companies should hold a monthly review, while mature companies that have more accounts to manage can host a quarterly review.

*If your company doesn’t have an HR role, hiring managers should work directly with IT to follow the outlined procedures.

We know writing policies can be difficult. But companies ranging from small startups to large enterprises have been breached by an insider. So whether you have 5 or 5,000 employees, you should include this policy in your toolkit. Check out our SOC 2 course for expert advice and more best practices to write an Access Onboarding and Termination Policy.

Looking for additional SOC 2 resources? Get Comply, a free and open-source resource center for SOC 2 certification.


About the Author

, Security Engineer / Podcaster, is the president of 7 Minute Security, an information security consultancy in the Minneapolis area. Brian spends most of his days helping companies defend their networks.

Since 2004, Brian has also run the blog/podcast called 7 Minute Security, where he shares what he has learned about information security into short, 7-minute chunks.

logo
💙 this post?
Then get all that strongDM goodness, right in your inbox.

You May Also Like

Automating access to cloud environments
Managing Access to Ephemeral Infrastructure At Scale
Managing a static fleet of strongDM servers is dead simple. You create the server in the strongDM console, place the public key file on the box, and it’s done! This scales really well for small deployments, but as your fleet grows, the burden of manual tasks grows with it.
Illustration of an technical employee who is offboarding from their employer.
All Offboard! The 2022 Tech Staff Offboarding Checklist
Offboarding technical employees can be a complex and arduous process with a lot of moving parts. The key to successful offboarding is to have a clear understanding of what needs to be done, who does it, and how to monitor for any shenanigans from former employees.
User Provisioning: How To Automate & Manage Credentials
How We Automate User Provisioning & Keep Track of Credentials
There are a number of ways to automate user provisioning but the real challenge lies in keeping track of those credentials.
SOC 2 dashboard
What Would My SOC 2 Dashboard Look Like?
As your organization pursues your SOC 2 certification, organization is critical. ‍You will be busy actively managing dozens of ongoing daily tasks, which can bury you in minutiae. But at the same time, you need to keep your high-level compliance goals in focus in order to successfully move your certification over the finish line.
SOC 2 Policies Guide
A Definitive Guide to SOC 2 Policies
In this post, we will help you get started with a hierarchy to follow, as well as a summary of each individual SOC 2 policy.