March 2019

Table 1: Control satisfaction

Table 2: Document history

1. The purpose of this policy is to define procedures to onboard and offboard users to technical infrastructure in a manner that minimizes the risk of information loss or exposure.
2. This policy applies to all technical infrastructure within the organization.
3. This policy applies to all full-time and part-time employees and contractors.

1. In order to minimize the risk of information loss or exposure (from both inside and outside the organization), the organization is reliant on the principle of least privilege. Account creation and permission levels are restricted to only the resources absolutely needed to perform each person’s job duties. When a user’s role within the organization changes, those accounts and permission levels are changed/revoked to fit the new role and disabled when the user leaves the organization altogether.

1. During onboarding:
   1. Hiring Manager informs HR upon hire of a new employee.
   2. HR emails IT to inform them of a new hire and their role.
   3. IT creates a checklist of accounts and permission levels needed for that role.
   4. The owner of each resource reviews and approves account creation and the associated permissions.
   5. IT works with the owner of each resource to set up the user.
2. During offboarding:
   1. Hiring Manager notifies HR when an employee has been terminated.
   2. HR sends a weekly email report to IT summarizing list of users terminated and instructs IT to disable their access.
   3. IT terminates access within five business days from receipt of notification.
3. When an employee changes roles within the organization:
   1. Hiring Manager will inform HR of a change in role.
   2. HR and IT will follow the same steps as outlined in the onboarding and offboarding procedures.
4. Review of accounts and permissions:
   1. Each month, IT and HR will review accounts and permission levels for accuracy.