Secure IT onboarding and offboarding checklists

Itzik Alvas. Co-founder & CEO, Entro
November 30, 2023

Ensuring the security of an organization’s data, assets, and secrets has become more important than ever. This is especially true when it comes to the onboarding and offboarding of employees, where potential security vulnerabilities can arise. As IT personnel have access to critical information and systems, it’s essential to have a robust secure onboarding and offboarding process in place to minimize risks to the organization’s security.

According to the wise folks at OneLogin, companies took longer to de-provision employees than it takes a snail to finish a marathon. And guess what? This delayed dance is a major cause of data breaches within organizations.

So, what’s your game plan? We’ve got your back with not just any checklist, but a superhero-level guide for employee onboarding and offboarding. We’re talking account provisioning, security training that even James Bond would envy, device security tighter than Fort Knox, and much more. It’s like planning a heist but legal and with less Hollywood glamour.

By following these checklists, you can ensure that your organization’s IT security onboarding and offboarding process protects sensitive data like secrets. Let’s dive in!

What is onboarding?

The new employee onboarding journey is like giving your newest team member the ultimate backstage pass. From diving into their role to getting the lowdown on the company vibe, and procedures, and meeting the awesome squad, it’s the VIP treatment for a smooth takeoff. A well-guided onboarding sets the stage for a rockstar performance, ensuring your newbie becomes a productivity pro quickly. When new employees are properly introduced to the company, they have a better chance of having a good job and staying with the company for a long time.

The importance of onboarding

Here’s why onboarding matters:

    • Access control: VIP pass to the work realm 

Secure onboarding ensures that new employees receive the appropriate access permissions to perform their roles effectively while preventing unauthorized access to sensitive data.

    • Secrets security training: Jedi training for the digital age

Employee onboarding provides an opportunity to educate new hires about secrets security best practices, policies, and procedures, fostering a culture of security awareness from day one.

    • Compliance: Transforming rulebooks into a dance floor

A thorough IT onboarding process helps new employees understand and adhere to secrets management compliance, minimizing the risk of non-compliance and potential security breaches.

What is offboarding?

The grand finale of the employment journey, also known as employee  offboarding, is like the theatrical exit from a stage. It encompasses various activities and procedures to ensure a smooth transition for the departing employee and to protect the organization’s interests. Tasks include the dramatic revoking of access to applications as well as secrets like API keys, tokens and the like, the enlightening exit interviews, the retrieval of company relics (laptops, ID badges), and the grand finale of settling payments and benefits.

Importance of offboarding

Here’s what makes employee offboarding an important part of security for an organization:

    • Data security: Locking the vault, not the employee 

Secure offboarding processes are essential for safeguarding the organization’s data by promptly revoking access rights and retrieving company-owned devices and credentials from departing employees.

    • Mitigating insider threats: Avoiding drama

Proper offboarding reduces the risk of disgruntled former employees exploiting their access to cause harm to the organization, whether through data theft, sabotage, or unauthorized access.

    • Legal and regulatory compliance: Crossing I’s and dotting T’s

Offboarding procedures help organizations comply with data protection regulations by ensuring ex-employees can no longer access sensitive information after departure.

Offboarding challenges – Creep access and over-permissions

Offboarding, or the process of managing employee departures, introduces a set of complex challenges. One prominent issue is the existence of “zombie IT” – lingering access and permissions that should have been revoked after an employee leaves. This situation not only exposes the organization to security risks but also raises concerns about data integrity.

Orphan secrets further compound the problem. These are credentials or access keys that remain unaccounted for after an employee’s departure. This is usually the result of secrets sprawl. The risk of these secrets falling into the wrong hands poses a serious threat to the organization’s data security.

In offboarding, clarity on secrets ownership is vital for security. A well-defined process and open communication among IT, security, and stakeholders are essential. Ideally, a dedicated individual and a robust secrets management solution should be used to manage access to secrets during employee exits.

A strong offboarding protocol ensures swift access right revocation, reducing the risk of zombie IT and orphan secrets. Regular audits and policy updates proactively address these security challenges. While a protocol is needed and can help, manual review alon is not enough for air-tight security. Especially for secrets, you require an automated system that can verify that all needed secrets and tokens related to the user have been offboarded.

Security guidelines for safe IT onboarding

1. Access control implementation

Ensure that sensitive information and systems are protected during the initial integration. Give people permission based on their job responsibilities. Check and update permissions regularly. For example, a new marketing hire should not have the same level of access as someone in IT administration.

2. Comprehensive security training

Conduct thorough security training sessions for new employees. Tell your employees how to spot fake websites, make strong passwords, and remember to keep your personal information private. An example could be simulating a phishing attack during training to enhance employees’ ability to identify and report such incidents. An essential topic to be covered during training is that users should not share secrets across communication or collaboration tools like Slack and Jira. This is often done for convenience, but it one of the most frequent sources of secrets leaking.

3. Device security protocols

Implement stringent procedures to secure devices utilized by new employees. This involves installing security software, and regularly updating and encrypting sensitive data. For example, the encryption of company laptops safeguards against unauthorized access in the event of loss or theft.

4. Clear security policies and guidelines

Provide new employees with a clear set of security policies and guidelines. This should cover acceptable use of company resources, reporting security incidents, and the consequences of policy violations.

Security guidelines for safe IT offboarding

1. Prompt revocation of access

It is imperative to promptly revoke access to all systems and accounts upon an employee’s departure from the organization. For example, you should terminate access to email accounts and shared drives on the last day of employment. If the employee is a developer, their access to the organization’s AWS account, and developer tools like Jira and Slack should be revoked simultaneously. You also need to revoke all tokens, and list all secrets that were created by the developer and rotate them. This last measure is vital to ensure no secret is at risk of exposure.

2. Data backups and retrieval

Ensure that critical data is backed up regularly, and develop a process for retrieving data from departing employees. This prevents data loss and ensures a smooth transition. An example is transferring important project files from an outgoing employee’s account to a shared team repository.

3. Exit interviews and security debriefs

Conduct exit interviews that include a security debrief to remind employees of their ongoing obligation to keep company information confidential. For instance, you should reiterate the importance of not sharing proprietary information even after leaving the company.

4. Device return and data wiping

Establish a policy for the return of company-issued devices, and implement a thorough data-wiping process to erase sensitive information.

Insider and outsider threats: Navigating the risks

IT onboarding plays a pivotal role in addressing insider and outsider threats.

Insider threats

An employee at a financial institution with access to personal information intentionally gives it to a rival for their own gain. This breach of trust not only undermines the organization’s reputation and trust in the market but also compromises the privacy and security of the customers.

Proper onboarding procedures can help mitigate this risk by instilling a culture of security awareness in new employees. This includes educating them on the significance of secrecy, data security, and the consequences of unauthorized disclosure.

Outsider threats

An external hacker sends phishing emails to employees, attempting to trick them into divulging their login credentials. With thorough onboarding that includes security awareness training, employees are better equipped to recognize and report phishing attempts, reducing the risk of unauthorized access to the organization’s systems.

Outsiders usually try to get into the organization’s systems or data without permission. A robust onboarding process establishes a strong foundation for security awareness, acting as a critical defense against social engineering tactics and other attempts by external actors to breach the organization’s security perimeter. Since targeted secrets attacks are one of the top three attack vectors, it is critical to train developers to think twice before sharing them.

IT Onboarding checklist for security

Here’s a new employee IT onboarding and offboarding checklist you can keep handy for every new hire:

Account provisioning Create user accounts with appropriate access levels and permissions.

Provide secure passwords and establish password policies.

Grant access to necessary software, tools, and networks.

Create cloud tokens with the least privileges needed

 Keep a recording of all secrets and tokens created

Security awareness training Security policies, procedures, and best practices should be taught to new employees

 Train them to identify and avoid common security threats like phishing attacks

Device security Issue company-approved devices and ensure they are properly configured and encrypted

Install necessary security software, such as antivirus and firewall

 Enable remote tracking and wiping capabilities for devices

Network access Grant access to appropriate networks and restrict access to sensitive areas

Implement network segmentation and enforce access controls

 Set up VPN access for remote workers

Data protection Explain data handling policies and confidentiality requirements

Encrypt sensitive data and ensure secure data storage

 Establish backup and recovery procedures

IT Offboarding checklist for security

  Account deactivation Disable user accounts immediately upon termination or departure

Remove access to all systems, networks, and applications

 Revoke VPN and remote access privileges

Device and data retrieval Collect all company-issued devices, including laptops, mobile phones, and tablets

Ensure all data is securely erased from the devices

 Get any removable storage devices like USB drives or external hard drives

Access and credential management Review and remove any shared or privileged credentials associated with the departing employee

Update access control lists and permissions to reflect their departure

Disable or delete any access tokens or keys. Make sure those tokens and secrets are not in use

Data transfer and archiving Transfer ownership of relevant files, documents, or projects to appropriate team members

 Documents and data needed for legal or regulatory compliance should be archived or stored in a safe place

Exit interview Conduct a post-interview discussion to gather insights and ensure all security-related issues are handled

 Remind the departing employee of their ongoing obligation to protect confidential information

You’ll notice that some of these points are essential for remote employee onboarding and offboarding – which is all too frequent in today’s remote-first workplace. By following these onboarding and offboarding best practices, you can save your organization from various known and unknown threats. The checklists can make this process more systematic. Feel free to use them as a starting point and expand and customize them according to your organization’s needs.


When it comes to secrets security during the onboarding and offboarding process, Entro emerges as a stalwart guardian, offering solutions that transcend traditional onboarding and offboarding practices. The ability to unveil hidden secrets scattered across the organization’s various secrets vaults and collaboration tools and enrich these secrets with contextual metadata forms the bedrock of Entro’s prowess. Entro uses anomaly detection to keep a keen eye on misconfigurations and ensures that the organization’s digital fortress remains impregnable. This comes in handy both during the onboarding and offboarding process for any employee.

As organizations navigate the complex terrain of digital security, Entro stands as a solution and a trusted ally, empowering them to embrace the future with confidence and resilience.

Reclaim control over your secrets

Get updates

All secret security right in your inbox

Want full security oversight?

See the Entro platform in action