Employee Onboarding and Offboarding Security Procedure (OP-PROC-007)

1. Purpose

To provide a formal checklist and process to ensure all security-related tasks are consistently and verifiably completed during employee onboarding and termination.

2. Scope

This procedure applies to all new and departing employees, contractors, and temporary staff. It involves the Human Resources (HR) department, the IT department, and the hiring manager.

3. Overview

This procedure establishes standardized checklists for the security-related aspects of employee onboarding and offboarding. The onboarding process ensures new hires are properly provisioned, trained, and aware of their security responsibilities. The offboarding process ensures timely revocation of access and return of company assets to prevent unauthorized access after departure.

4. Procedure

4.1 Onboarding

Step | Who | What
1 | Human Resources (HR) | Initiates the onboarding process upon a candidate’s acceptance of an offer.
2 | New Hire | Signs the Confidentiality and Non-Disclosure Agreement (NDA) and the Acceptable Use Policy (AUP) as part of their employment agreement.
3 | IT Department | Provisions user accounts, access credentials, and necessary hardware based on the role defined by the hiring manager.
4 | New Hire | Completes the mandatory security awareness training within the first week of employment.
5 | Hiring Manager & HR | Complete and sign the onboarding checklist, verifying all steps have been completed. The checklist is filed in the employee’s HR record.

4.2 Offboarding

Step | Who | What
1 | Manager / HR | Immediately notifies the IT department of the employee’s departure, providing the exact time and date of termination.
2 | IT Department | Immediately upon notification, revokes all physical and logical access, including disabling user accounts, VPN access, and email.
3 | Departing Employee & Manager | The departing employee returns all company assets, including laptops, mobile devices, and security badges, to their manager. The manager verifies the return of all items.
4 | Manager & HR | Complete and sign the offboarding checklist, verifying all access has been revoked and all assets have been returned. The checklist is filed in the employee’s HR record.

5. Standards Compliance

This section maps the procedure steps to specific controls from relevant information security standards.

Procedure Step(s) | Standard/Framework | Control Reference
4.1-4.2 | HIPAA Security Rule | 45 CFR § 164.308(a)(3)(i)
4.2 | HIPAA Security Rule | 45 CFR § 164.308(a)(3)(ii)(C)

6. Artifact(s)

A completed and signed onboarding/offboarding checklist stored in the employee’s confidential HR file.

7. Definitions

Onboarding: The process of integrating a new employee into an organization.

Offboarding: The formal process of separation when an employee leaves a company.

AUP (Acceptable Use Policy): A document stipulating constraints and practices that a user must agree to for access to a corporate network or the Internet.

8. Responsibilities

Role | Responsibility
Human Resources (HR) | Manages the overall onboarding/offboarding process and maintains official employee records.
IT Department | Responsible for provisioning and revoking access to systems and hardware.
Hiring Manager | Responsible for defining access needs, ensuring asset return, and verifying checklist completion.
Employee | Responsible for completing required agreements and training, and for returning assets upon departure.