Do you have a documented, and currently implemented, employee onboarding and offboarding policy?
Explanation
Example Responses
Example Response 1
Yes, our organization maintains comprehensive onboarding and offboarding policies that are documented in our Information Security Policy Manual (Section 7.2 and 7.3). For onboarding, we follow a structured checklist that includes account provisioning with appropriate access levels based on role, equipment issuance, security awareness training, and acknowledgment of acceptable use policies. Our IT department coordinates with HR using our ticketing system to track completion of all steps. For offboarding, we have a similar checklist that includes immediate access revocation across all systems, collection of company equipment, exit interviews, and knowledge transfer procedures. Managers must sign off on the completed offboarding checklist, and IT performs quarterly audits to verify no orphaned accounts exist. These processes were last updated in January 2023 and are reviewed annually.
Example Response 2
Yes, we have documented onboarding and offboarding procedures integrated with our HR management system. When HR initiates an employee record, it automatically triggers our onboarding workflow in ServiceNow, which assigns tasks to IT, Facilities, and the hiring manager. The workflow includes required security training, provisioning of least-privilege access based on job role templates, and equipment setup. Our offboarding process is similarly automated - when an employee's termination date is entered in the HR system, a countdown begins with automated reminders to managers, and on the termination date, all access is automatically revoked through our identity management system. Both processes are documented in our Operations Manual (OP-12) and Employee Handbook. We conduct monthly audits comparing Active Directory accounts against current employee records to ensure compliance.
Example Response 3
No, we do not currently have a formally documented onboarding and offboarding policy. While we do perform certain onboarding activities like setting up accounts and providing equipment to new employees, and we generally disable accounts when employees leave, these processes are handled informally by department managers who notify IT as needed. We recognize this as a gap in our security controls and are in the process of developing formal documentation and standardized procedures. We expect to have these policies documented and implemented within the next quarter, including formal checklists, approval workflows, and regular compliance audits.
Context
- Tab: Organization
- Category: Documentation

