Harmless Systems

There is no such thing as harmless software.

Agile Offboarding

Tips for offboarding employees in a SaaS-powered world.

Offboarding is a topic not frequently brought up in small and medium-size organizations, especially those with only a few employees. So when it's time to offboard, organizations without a plan either panic, partially offboard (without realizing it), or spend a large amount of time ensuring the employee is offboarded. This can be particularly stressful if the employee was terminated.

As you grow, you'll likely adopt more SaaS services that are not linked to your Active Directory or LDAP. Disabling the person in AD or disabling their email is not enough. Below, we'll share a few tips to help you create a manual offboarding process.

Document the process

Create a living offboarding document in a shared area such as a wiki, SharePoint, or Confluence. You must visit this document regularly and keep it updated. Your document should include a list of accounts and services where employee access needs to be revoked. It may be necessary to include screenshots or detailed steps required to revoke access.

You may want to restrict write access to this document to managers, team leads, or a specific team responsible for offboarding. Giving the entire organization read access is often beneficial in the long run, as employees can point out any missing accounts or services. Back up or export your offboarding document regularly.

If you don't have an onboarding document, now is the time to create one and keep it synced with the offboarding document. Anytime a new account or service is added to the onboarding document, create a matching offboarding entry.

Sample Living Offboarding Document: PDF MD

Use a password manager

Any decent password management solution will allow you to run a report for a specific user that details all of the credentials that the employee has accessed. This will give your offboarder(s) a distinct list of accounts or credentials that need to be rotated or disabled. We all know that sharing passwords or accounts is bad practice, but it happens. If you at least share these credentials in a password manager, they can be tracked and updated as needed.

Track offboarding progress

Create a spreadsheet or checklist to use during the offboarding process. If you have a large number of external accounts to deactivate, a distraction will likely come up during the process, or you may need to hand off the process to another team member. Having a checklist ensures no account is forgotten and also makes the offboarder(s) accountable for completing the process correctly. Offboarders should initial each part of the process that they complete. This document should be kept after the offboarding is complete for documentation purposes.

Sample Tracking Spreadsheet: XLSX ODS

Order is important

Some credentials are more important than others. You will likely want to disable an employee's Active Directory/LDAP, VPN, and email accounts first. What's most important to disable first will depend on your organization.

Build redundancy

Have at least two people involved in offboarding if possible. People get sick, go on vacation, and a time may come when you need to offboard the offboarder. Build redundancy into the process or rotate the responsibility among multiple employees.

Reduce the offboarding surface

Ensure you have a formal policy that restricts employees from using their personal accounts when signing up for new services. This is especially critical for things such as integrations for services like Slack, GitHub, and Jira. An integration tied to an employee's account could break when that account is disabled, and may give the user access to an internal service after they've left the company. Consider using a distribution list that is accessible to multiple people for these kinds of integrations.

Treat all departures equally

Alice might be leaving the organization on good terms, but her personal laptop (which has an active session on the company's CRM) could be stolen during her between-jobs vacation to Cancun. You can avoid a situation like that by treating all offboarding equally and promptly disabling employees' credentials and sessions.

Communicate

When an employee is offboarded, ensure you communicate that to the rest of the organization and to any external customers/partners they worked with as soon as possible.

Automate where possible

One advantage of SaaS is that many offerings also have APIs that you can use to manage access. If you have the developer expertise in-house, you may be able to automate the offboarding process for many services. Some third-party services also exist that will manage this offboarding automation for you, though we've not tried any, so we won't suggest any here in this blog post at the moment.
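
As an added example (not code from this post or its sample files), here is a first automation step that needs no vendor API: it cross-checks an onboarding inventory against the offboarding document, pulls the departing user's distinct credentials from a password manager report, and builds the tracking checklist with the directory, VPN and email accounts first. The service names, CSV columns, priority tier and all data are constructed assumptions.

```python
import csv
import io

# Constructed sample data, not from the original post. Service names, CSV
# columns and the priority tier are assumptions made for illustration.
ONBOARDING = ["Active Directory", "VPN", "Email", "Slack", "GitHub", "CRM"]
OFFBOARDING_DOC = {  # service -> revocation step in the living document
    "Active Directory": "Disable the account",
    "VPN": "Disable the account",
    "Email": "Disable sign-in",
    "Slack": "Deactivate the member",
    "GitHub": "Remove from the organization",
}
# Per-user access report exported from a password manager (constructed).
PM_REPORT = "user,credential\nalice,CRM admin login\nbob,Build server root\n" \
            "alice,Slack integration token\nalice,CRM admin login\n"
FIRST = {"Active Directory", "VPN", "Email"}  # disable these before the rest


def missing_offboarding_entries(onboarding, offboarding_doc):
    """Services granted at onboarding that have no offboarding entry."""
    return [s for s in onboarding if s not in offboarding_doc]


def credentials_to_rotate(report_csv, user):
    """Distinct credentials the departing user accessed, in report order."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return list(dict.fromkeys(r["credential"] for r in rows if r["user"] == user))


def build_checklist(user, onboarding, offboarding_doc, report_csv):
    """Ordered tracking rows; 'initials' stays blank until a step is done."""
    rows = []
    for svc in sorted(onboarding, key=lambda s: (s not in FIRST, s)):
        action = offboarding_doc.get(svc, "NO ENTRY: add one to the document")
        rows.append({"item": svc, "action": action, "initials": ""})
    for cred in credentials_to_rotate(report_csv, user):
        rows.append({"item": cred, "action": "Rotate or disable", "initials": ""})
    return rows


def outstanding(checklist):
    """Items that no offboarder has initialed yet."""
    return [row["item"] for row in checklist if not row["initials"]]


if __name__ == "__main__":
    for row in build_checklist("alice", ONBOARDING, OFFBOARDING_DOC, PM_REPORT):
        print(f"[ ] {row['item']}: {row['action']}")
```

In the sample data the CRM appears in the onboarding inventory but has no offboarding entry, so it surfaces in the checklist as a gap in the living document rather than being silently skipped.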