aa-7 | Critical priority | Account Security

Employee and contractor offboarding revokes all access within 24 hours

Active accounts belonging to former employees and contractors are among the easiest paths for unauthorized access. Disgruntled ex-employees have used retained access to delete data and sabotage systems weeks or months after separation. Even without malicious intent, lingering accounts represent unmonitored credentials that can be compromised without detection. A 24-hour revocation window gives HR time to coordinate a proper handoff while closing the window before access becomes a liability.

Complete first: aa-2

Implementation steps

  1. Establish an HR-to-IT notification process for terminations

     Create a documented process where HR notifies IT of any employee or contractor termination on the same business day. For involuntary terminations, notification should happen before or at the moment the employee is informed. The notification should trigger immediate suspension of the identity provider account, which cascades to all SSO-connected applications.

     Tools: workday, bamboohr, rippling, gusto

  2. Disable the identity provider account first, then deprovision downstream

     Immediately suspend or disable the identity provider account as the first action. This blocks access to all SSO-connected applications at once without waiting to deprovision each app individually. Follow up within 24 hours to revoke access in any systems not covered by SSO: VPN certificates, API keys, shared mailboxes, cloud service accounts, and physical access credentials.

     Tools: okta, azure-ad, google-workspace, rippling

  3. Build an offboarding checklist covering all access types

     Document every system category that may hold access credentials: SSO and identity provider, VPN and remote access, cloud consoles (AWS, Azure, GCP), code repositories, ticketing systems, communication platforms, physical access badges, and any service-specific API keys the user may have generated. Run through this checklist for every departure and retain a completed copy for audit purposes.

     Tools: notion, confluence, jira, okta-lifecycle-management

Evidence required

Offboarding procedure documentation

A written process showing how access is revoked when an employee or contractor leaves.

  - HR offboarding ticket template with IT access revocation steps
  - Identity provider account showing disabled status with a timestamp within 24 hours of termination
  - Completed offboarding checklist for a recent departure

Access revocation audit logs

Evidence that access was actually removed in a timely manner.

  - Okta or Azure AD log showing account suspension timestamp relative to termination date
  - Jira or ServiceNow ticket tracking offboarding completion across all systems
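The following Python script is an added example, not part of this control page or any vendor's tooling. It ties together the three implementation steps (IdP first, then the rest of the checklist within 24 hours) and the audit-log evidence above: `run_offboarding` walks a checklist in IdP-first order through a hypothetical `revoke(system, user)` hook, `audit_offboarding` judges one departure against the 24-hour window and the ordering rule, and `audit_idp_log` computes, from a constructed IdP log excerpt, how long each terminated user's account stayed live. The checklist system names, the `user.lifecycle.suspend` event name, the log line format and all users and timestamps are constructed for this example; map them to your own IdP's events when adapting it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

# The control's requirement: every access path revoked within 24 hours of termination.
REVOCATION_WINDOW = timedelta(hours=24)

# Checklist built from the access categories in step 3. The identity provider
# is deliberately first (step 2): suspending it cascades to every SSO app.
# System names are constructed placeholders, not real endpoints.
CHECKLIST: List[Tuple[str, str]] = [
    ("identity_provider", "idp"),
    ("vpn", "vpn-certificates"),
    ("cloud_console", "cloud-iam"),
    ("code_repository", "scm"),
    ("ticketing", "ticketing"),
    ("communication", "chat"),
    ("api_keys", "api-gateway"),
    ("physical_badge", "badge-system"),
]


@dataclass
class Revocation:
    category: str
    system: str
    revoked_at: datetime


def run_offboarding(user: str, revoke: Callable[[str, str], datetime]) -> List[Revocation]:
    """Walk the checklist in order, IdP first, recording when each revocation
    completed. `revoke(system, user)` is a hypothetical hook that performs the
    revocation in that system and returns the completion timestamp."""
    return [Revocation(cat, system, revoke(system, user)) for cat, system in CHECKLIST]


def audit_offboarding(terminated_at: datetime, records: List[Revocation]) -> dict:
    """Judge one departure: nothing on the checklist missing, the slowest
    revocation inside the 24-hour window, and the IdP disabled no later than
    any other system (the IdP-first rule). Missing items count as failures."""
    by_category = {r.category: r for r in records}
    missing = [c for c, _ in CHECKLIST if c not in by_category]
    max_delay = max((r.revoked_at - terminated_at for r in records), default=None)
    idp = by_category.get("identity_provider")
    idp_first = idp is not None and all(idp.revoked_at <= r.revoked_at for r in records)
    within_window = max_delay is not None and max_delay <= REVOCATION_WINDOW
    return {
        "missing": missing,
        "max_delay_hours": None if max_delay is None else max_delay.total_seconds() / 3600,
        "idp_first": idp_first,
        "compliant": bool(not missing and within_window and idp_first),
    }


def parse_idp_log(lines: List[str]) -> Dict[str, datetime]:
    """Parse constructed IdP audit lines '<ISO-8601 UTC time> <event> target=<user>'
    and return the suspension time per user. The event name is an assumption."""
    suspended: Dict[str, datetime] = {}
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "user.lifecycle.suspend":
            user = parts[2].partition("=")[2]
            suspended[user] = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
    return suspended


def audit_idp_log(terminations: Dict[str, datetime],
                  lines: List[str]) -> Dict[str, Tuple[Optional[float], bool]]:
    """Per terminated user: (hours from termination to IdP suspension, within 24h).
    A user with no suspension event at all is the worst case, the account is
    still live, and is reported as (None, False)."""
    suspended = parse_idp_log(lines)
    results: Dict[str, Tuple[Optional[float], bool]] = {}
    for user, terminated_at in terminations.items():
        when = suspended.get(user)
        if when is None:
            results[user] = (None, False)
        else:
            delay = when - terminated_at
            results[user] = (delay.total_seconds() / 3600, delay <= REVOCATION_WINDOW)
    return results


def simulate_offboarding(user, terminated_at, idp_delay_hours=0.1, other_delay_hours=2.0):
    """Constructed stand-in for the revoke hook: the IdP is suspended
    idp_delay_hours after termination, every other system other_delay_hours after."""
    def revoke(system, _user):
        hours = idp_delay_hours if system == "idp" else other_delay_hours
        return terminated_at + timedelta(hours=hours)
    return audit_offboarding(terminated_at, run_offboarding(user, revoke))


# Constructed sample data: three departures and an IdP log excerpt.
TERMINATIONS = {
    "jdoe@example.com": datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc),
    "asmith@example.com": datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc),
    "bwong@example.com": datetime(2024, 3, 5, 14, 0, tzinfo=timezone.utc),
}
IDP_LOG = [
    "2024-03-04T09:05:00Z user.lifecycle.suspend target=jdoe@example.com",
    "2024-03-04T10:00:00Z user.session.start target=asmith@example.com",
    "2024-03-06T08:30:00Z user.lifecycle.suspend target=asmith@example.com",
]

if __name__ == "__main__":
    for user, (hours, ok) in audit_idp_log(TERMINATIONS, IDP_LOG).items():
        print(f"{user}: IdP suspended after {hours} h -> {'OK' if ok else 'VIOLATION'}")
    print(simulate_offboarding("jdoe@example.com", TERMINATIONS["jdoe@example.com"]))
```

Run against the sample data, the log audit reports jdoe suspended after five minutes (OK), asmith after 47.5 hours (violation), and bwong with no suspension event at all, which is the case a simple "was it disabled?" check misses and the one that matters most for this control. Feeding `audit_idp_log` your real HR termination export and IdP lifecycle events gives the "suspension timestamp relative to termination date" evidence listed above in one place.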

Related controls