User Termination Best Practices
Ensuring that each departing employee retains no access to your IT infrastructure is critical to protecting your systems and data — but there are more steps than you might think.
How to off-board an employee for good
- Disable the departing employee’s account in Active Directory immediately; after 30 days, remove it.
- Disable the user’s email login; forward email to the user’s manager for as long as needed.
- Terminate VPN and Remote Desktop access.
- Terminate access to remote web tools (web apps, Office 365, e-mail, etc.).
- Terminate access to voicemail. Forward phone and voicemail to the user’s manager, and delete them at the manager’s convenience.
- Disable access to business applications such as SAP.
- Change all shared account passwords that the departing user knows.
- Move the user’s personal share data and email archive to the manager’s account; delete them at the manager’s convenience.
- Reset the “FAX/SCAN to e-mail” setting on multi-function printers.
- Remove the user from email group lists, distribution lists, internal phone lists and websites.
- Connect to the user’s workstation and shut it down.
- Retrieve or disable all company-owned physical assets (computer, laptop, phones, tablet, etc.) assigned to the user, and update the IT inventory.
- Copy all needed local data from employee’s computer to manager’s one.
- Change any access codes the user knows, such as PINs for accessing secured rooms.
- Remove any personal belongings from the user’s work area.
- Inform company staff that the user is no longer employed there.
Previous Best Practice
Information Security Risk Assessment Checklist
Next Best Practice
Active Directory Delegation Best Practices
Related best practices