Case: Offboarding Without a Checklist, Then Surprise Access Still Open
When an employee leaves, your data is vulnerable. We replace the frantic 'Did we get his laptop?' panic with a structured Offboarding Runbook.
The Ghost in the Machine
It happens every time. Someone quits. There is a frantic week of handover meetings. Then they leave.
Everyone breathes a sigh of relief.
But the ghost remains.
- Their user account is still an Admin in the CRM.
- Their credit card is still linked to the stock photo subscription.
- Their personal email is still the “Recovery Address” for the domain registrar.
The Chaos: The Scrambled Exit
Most teams treat offboarding as an afterthought. It is reactive. “Oh, does Dave still have the key to the office?” “Wait, who owns the Google Drive folder now?”
This chaos creates Liability. If a disgruntled ex-employee deletes a database, that is not a hacker attack. That is you leaving the keys in the ignition.
The System: The Offboarding Runbook
We do not rely on memory for exits. We rely on a Runbook. This is a checklist that triggers the moment a resignation is accepted. It must be executed within 1 hour of the final departure.
I build this list in the company wiki. It has four critical zones.
Zone 1: The Kill Switch (Identity)
This is immediate.
- Disable Active Directory / Google Workspace account.
- Crucial: Log out of all active sessions (Force Sign-out).
- Change shared passwords (if you are still using them, which you shouldn’t be).
Zone 2: The SaaS Audit (Shadow IT)
This is where the ghosts hide. We keep a “Master Tool List” (see my other article on Tool Sprawl).
- Remove user from Slack/Teams.
- Remove user from Notion/Asana/Jira.
- Check the “Orphaned Accounts” list: Does this user own any API keys?
Zone 3: The Handover (Assets)
Digital assets are harder to track than laptops.
- Transfer ownership of Google Drive files to the Manager. (Do not just delete the user!)
- Transfer ownership of Calendar events.
- Re-route email: Set up an auto-responder: “I have moved on. Please contact [Team Alias].”
Zone 4: The Financials
- Cancel corporate cards.
- Check for recurring expenses linked to their name.
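To show how Zones 1, 2 and 4 can be checked by a script rather than from memory, here is an added example (not part of the original runbook). It audits a constructed "Master Tool List" for access that outlived a departure; the record layout, field names and sample addresses are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Identity:  # hypothetical snapshot of the leaver's account state
    work_email: str
    personal_email: str
    disabled: bool
    active_sessions: int
    oauth_grants: list

@dataclass
class Tool:  # hypothetical row of the Master Tool List
    name: str
    roles: dict = field(default_factory=dict)  # email -> role
    api_key_owners: set = field(default_factory=set)
    recovery_email: str = ""
    card_holder: str = ""

def audit_offboarding(who, tools):
    """Return (zone, item, finding) tuples for access that outlived the exit."""
    out = []
    # Zone 1: a disabled account still leaks while sessions or tokens live.
    if not who.disabled:
        out.append(("identity", who.work_email, "account still enabled"))
    if who.active_sessions:
        out.append(("identity", who.work_email, "sessions not signed out"))
    out += [("identity", app, "OAuth grant not revoked") for app in who.oauth_grants]
    for t in tools:
        # Zone 2: roles, API keys and recovery addresses tied to the leaver.
        role = t.roles.get(who.work_email)
        if role:
            out.append(("saas", t.name, f"still {role}"))
        if who.work_email in t.api_key_owners:
            out.append(("saas", t.name, "owns API key"))
        if t.recovery_email in (who.work_email, who.personal_email):
            out.append(("saas", t.name, "recovery address is leaver's"))
        # Zone 4: recurring charge on the leaver's card.
        if t.card_holder == who.work_email:
            out.append(("financial", t.name, "billed to leaver's card"))
    return out

# Constructed sample data: every name and address here is made up.
DAVE = Identity("dave@example.com", "dave.home@example.net", True, 2, ["crm-sync"])
TOOLS = [Tool("crm", roles={"dave@example.com": "admin"}),
         Tool("stock-photos", card_holder="dave@example.com"),
         Tool("domain-registrar", recovery_email="dave.home@example.net"),
         Tool("wiki", roles={"ana@example.com": "member"})]
if __name__ == "__main__":
    print(*audit_offboarding(DAVE, TOOLS), sep="\n")
```

In the sample, the account is already disabled, yet the audit still reports five open items, including the live sessions and the OAuth grant. An empty result is the condition for ticking the runbook as done.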
The “Bus Factor” Check
Offboarding is actually the best time to test your documentation. If Dave leaves and nobody knows how to run the payroll script, you have identified a process failure.
Do not let Dave leave until he writes the SOP for the script. That is the price of his exit.
Security is not a feeling. It is a checklist. Close the loop.
FAQs
HR handles this, right?
HR handles the paperwork. Operations handles the access. Do not assume HR knows about the Admin login for the marketing tool.
Can't we just change the email password?
No. Many apps use OAuth tokens that survive a password change. You must revoke sessions.
This seems paranoid.
It is prudent. 'Trust but verify' is a nice saying. 'Revoke and archive' is a better policy.