Employee Onboarding and Offboarding IT Policy

Policy Status: Draft

This policy is currently a draft.

Purpose

To manage IT access for new hires in a timely and secure manner and to protect data and systems during employee exits through standardized onboarding and offboarding processes.

Scope

This policy applies to all Acme Corp employees, contractors, temporary workers, and interns who require access to company IT systems and resources.

Policy Statement

Employee Onboarding

Pre-Start Preparation (Before Day 1):

  • HR submits new hire request 5 business days before start date
  • IT provisions user account in identity management system
  • Email account created
  • Hardware ordered and prepared
  • Standard software applications pre-installed
  • Access requests submitted for required systems

Day 1 Activities:

  • Employee receives hardware (laptop, phone, peripherals)
  • Initial login and password setup
  • Enrollment in multi-factor authentication
  • IT orientation session conducted
  • Acceptable Use Policy acknowledgment signed
  • Security awareness training assigned
  • Helpdesk contact information provided

First Week:

  • Access to necessary systems and applications granted
  • Role-specific training scheduled
  • Manager verifies access is appropriate
  • IT checks in to ensure setup complete
  • Complete required compliance training

Ongoing:

  • Additional access requested through standard process
  • Training completion tracked
  • Feedback collected on onboarding experience

Employee Offboarding

Notification:

  • HR notifies IT immediately upon resignation or termination
  • Minimum 5 business days notice for voluntary departures (when possible)
  • Immediate notification for terminations

Last Working Day:

  • All system access disabled at end of business day (voluntary) or immediately (termination)
  • Email forwarding configured per manager request (max 90 days)
  • Out-of-office auto-reply set up
  • File share access for manager delegation (if approved)
  • Multi-factor authentication disabled

Equipment Return:

  • All company equipment retrieved (laptop, phone, monitors, peripherals)
  • Shipping label provided for remote employees
  • Equipment inspection and sanitization
  • Asset inventory updated
  • Personal data separated if applicable

Data Handling:

  • Manager identifies critical data to preserve
  • Files transferred to designated successor or shared location
  • Email archived per retention policy
  • Personal data removed from devices
  • Secure data deletion on returned equipment

Account Deactivation Timeline:

  • System access: Disabled on last working day
  • Email account: Converted to shared mailbox for 90 days, then archived
  • Application accounts: Disabled immediately
  • VPN access: Revoked immediately
  • Physical access badges: Deactivated and retrieved
  • Cloud service access: Removed within 24 hours

Exit Checklist Completion:

  • IT completes offboarding checklist
  • Verifies all access removed
  • Confirms equipment retrieved
  • Documents completion in ticketing system
  • Notifies HR of completion

Transfers and Role Changes

Internal Transfer:

  • Manager notifies IT of role change
  • Review current access against new role requirements
  • Remove access no longer needed
  • Provision new access required
  • Update identity management system
  • Confirm changes with new and old managers

Leave of Absence:

  • Long-term leave (>30 days): Disable accounts, preserve data
  • Return from leave: Re-enable access, verify still appropriate
  • Document leave period in access logs

Roles and Responsibilities

| Role | Responsibility |
| --- | --- |
| HR Team | Notify IT of new hires, terminations, and role changes; coordinate onboarding/offboarding |
| IT Team | Provision and de-provision access, manage hardware, complete checklists, maintain documentation |
| Managers | Submit access requests, approve access for team members, notify IT of status changes, identify critical data during offboarding |
| Employees | Return equipment, cooperate with offboarding process, maintain equipment during employment |
| Security Team | Monitor for unauthorized access post-termination, review offboarding compliance |

Procedures

1. Onboarding Process

  1. HR creates ticket in system with new hire details
  2. IT assigns onboarding ticket to team member
  3. User account created in Active Directory/Okta
  4. Email address configured
  5. Hardware prepared with standard software
  6. Access provisioned per role template
  7. Equipment shipped or prepared for pickup
  8. Day 1 orientation scheduled
  9. Onboarding checklist completed and documented
  10. New hire survey sent after Week 1

2. Offboarding Process

  1. HR creates offboarding ticket with termination details
  2. IT prioritizes based on termination type (voluntary vs. involuntary)
  3. Account disabled per timeline
  4. Equipment return coordinated
  5. Data preservation per manager request
  6. Access removal verified across all systems
  7. Passwords reset on shared accounts
  8. Offboarding checklist completed
  9. Final verification and documentation
  10. HR notified of completion

3. Role Change Process

  1. Manager submits role change request
  2. IT reviews current access
  3. Excess access removed
  4. New access provisioned
  5. Manager approves final access
  6. Employee notified of changes
  7. Documentation updated

4. Emergency Offboarding

  1. Security or HR contacts IT Security immediately
  2. All access disabled within 15 minutes
  3. Escalation to CTO if during off-hours
  4. Detailed audit log review
  5. Equipment retrieval coordinated
  6. Post-termination access monitoring for 30 days

Exceptions

  • Contractors may have accelerated onboarding with reduced provisioning
  • Consultants may receive limited access only
  • Emergency hires may receive provisional access pending full provisioning
  • Rehires within 90 days may have expedited reactivation
  • All exceptions documented and approved by IT management

Compliance and Enforcement

  • Onboarding SLA: 100% of Day 1 requirements completed on time
  • Offboarding SLA: 100% of access disabled within required timeframe
  • Equipment Return: 95% of equipment retrieved within 14 days of separation
  • Checklist Completion: 100% of checklists completed and documented
  • Access Review: Monthly audit of recently offboarded accounts to verify access removed
  • Orphaned Accounts: Quarterly review to identify and remove accounts without active employees
  • Compliance Reporting: Quarterly report to management on onboarding/offboarding metrics

References

  • NIST SP 800-53 Rev. 5: Personnel Security (PS Family)
  • HIPAA Security Rule - Access Management (§164.308(a)(3)(ii))
  • SOC 2 Trust Service Criteria - Logical Access: New Users and Terminated Users
  • CIS Controls v8 - Control 5: Account Management

Revision History

| Version | Date | Author | Changes |
| --- | --- | --- | --- |
| 1.0 | 2025-11-08 | IT & HR Teams | Initial version migrated from Notion |

Document Control

  • Classification: Internal
  • Distribution: HR, IT, Managers
  • Storage: GitHub repository - policy-repository