Service Desk
01603 554000
Office Hours
Weekdays 8:30am to 4:30pm

Starters & Leavers – Best Practice Guidance for On-Boarding and Off-Boarding

HomeIT\norwich Policy & Procedure FrameworkStarters & Leavers – Best Practice Guidance for On-Boarding and Off-Boarding

Such is the importance of proper onboarding and off-boarding there are a number of best practices we ask all customers to adhere to; for some customers these are actually contractual obligations:

  • The customer is responsible for informing us of any changes to their staff and their contact details. This includes when a new staff member joins or an existing staff member leaves. The customer must notify us as soon as possible by email or phone.
  • We reserve the right to restrict access to our IT support services to only those individuals who are named users by the customer. We will rely on the customer’s information to determine who is authorised to receive support.
  • If we discover that an unauthorised individual has been accessing our IT support services, we reserve the right to terminate support immediately without any liability or refund to the customer.
  • The customer agrees to indemnify us and hold us harmless against any claims, damages, losses or expenses arising from their failure to inform us of any changes to their staff and contact details.
  • The customer’s personal data and that of their staff will be used solely for the purpose of providing IT support services. We will not disclose any such information to third parties without the customer’s consent, unless required by law.

The Security Risks

If you do not adhere to this guidance then you are more exposed to security risks, including:

  • Unauthorised access: If a former employee still has access to the company’s IT systems, they may be able to access sensitive information, such as financial data, customer records, or trade secrets.
  • Data theft: A former employee may steal or copy sensitive data before they leave the company, which can then be used for personal gain or sold to competitors.
  • Sabotage: A disgruntled former employee may try to sabotage the company’s IT systems, either by deleting data, introducing malware, or disrupting network operations.
  • Legal liability: If a former employee accesses sensitive data or causes damage to the company’s IT systems, the company may be held legally liable for any resulting damages.

Starter On-Boarding Guidance

When a new employee starts in your organisation there are typically several tasks we have to undertake to ensure they have the necessary equipment they need and that it is set up in an appropriate way. Such on-boarding tasks include:

  • Setting up a user account, email address and email delegations.
  • Providing devices such as a PC, phone, and mobile if required.
  • Onboarding and training staff on how to use your IT systems.
  • Setting permissions to grant access to what they need but protecting sensitive data they do not.
  • Updating documentation such as network diagrams, user guides, or standard operating procedures.

Without these actions being performed your employee may be unable to perform their job effectively and in a secure way.

Leaver Off-Boarding Guidance

Of course, when a person leaves, the reverse is true too. We have to undertake off-boarding tasks such as:

  • Deactivating user accounts and email addresses.
  • Retrieving company devices to ensure the data they hold is not compromised.
  • Housekeeping data so it is archived, deleted or transferred to another user.

Without these actions being performed your ex-employee may be able to access your data and IT systems which is a severe data security risk.

Account Reuse

Some customers ask us to ‘reuse’ accounts or allow several users to use the same account. For example, you might have a “sales” or “admin” login for one or more users. If one person leaves and the new person ‘takes over’ the account after a password change, this can lead to problems including:

  • Access to sensitive data: If a new employee is given a user account that was previously used by someone else, they may have access to sensitive data that they should not have access to. This can include confidential information, trade secrets, financial data, or personal information pertaining to the former employee.
  • Confusion and mistakes: Reusing a user account can lead to confusion and mistakes, especially if the new employee is not aware of the previous employee’s activities or access permissions. This can result in accidental deletion of data, unauthorized access, or other errors that can compromise the integrity and security of the company’s IT systems.
  • Legal and compliance issues: Depending on the industry or regulatory requirements that the company operates under, reusing user accounts can violate legal or compliance requirements related to data protection, access control, and user authentication. Account reuse is for example is not Cyber Essentials Compliant.

We do NOT recommend account reuse, except in exceptional circumstances where several people may need to access the same computer throughout the day, for example on a sales counter. In this situation we conduct a review and set up an account with as few rights as possible.