Security

How to Offboard State and Local Government IT Staff Members

Follow these steps to ensure your agency is protected when an IT employee leaves.

Mike Chapple is a teaching professor of IT, analytics and operations at the University of Notre Dame.

In 2023, 77 percent of state and local government CIOs surveyed by the MissionSquare Research Institute said that government workers leaving their jobs voluntarily has “put a strain on their workload.”

This exodus of employees is particularly problematic for IT departments because government staff often leave behind a complex web of credentials, licenses and data — elements that, if mishandled, could compromise institutional integrity. As workers leave government, state and local agencies face the daunting task of diligently cleaning up their digital trail to prevent them from turning into security pitfalls. Among these threats are “zombie accounts,” credentials that are never removed, left behind by departing staff. These accounts can lurk undetected for months or years, posing a significant security risk.

To combat these cybervulnerabilities, government IT departments should adhere to a meticulous and consistent offboarding strategy.

Click the banner below to review tips for identity and access management.

Step 1: Credential Revocation and Access Control

In cases where an employee’s departure is planned and occurs under friendly terms, the IT department should have a standard account-deprovisioning process. This should take place on a predetermined timeline, usually set to coincide with the employee’s final day of work. During this period, the employee should be informed about the offboarding process, including the schedule for revoking access to email accounts, institutional networks, databases, VPN access and any other digital resources.

Under this standard process, the IT team collaborates with HR and the employee’s department to ensure a smooth transition, allowing for the secure transfer of work documents, projects and any institutional knowledge necessary for operational continuity. Tools like Okta or OneLogin can be used to schedule deactivation of the accounts, ensuring that access concludes simultaneously with the employee’s tenure. This organized and respectful approach not only maintains security but also fosters goodwill, enhancing the agency’s reputation as a desirable workplace.

Sometimes, however, terminations are not amicable, and those require immediate action. In such cases, the IT department must implement an emergency revocation procedure that involves the instantaneous deactivation of all the employee’s access credentials across the agency’s systems. Immediate action minimizes the risk of retaliation or data breaches, which are heightened concerns in such scenarios.

Under these circumstances, real-time synchronization and access control tools are not just beneficial, they are crucial. Platforms like Okta or OneLogin can facilitate immediate, systemwide access revocation, precluding any potential for the terminated worker to compromise data or systems. Additionally, the IT department should conduct a prompt audit of all digital access, ensuring the former employee hasn’t created any backdoor entry points. This emergency process, though occasionally necessary, underscores the need for robust security protocols that can swiftly respond to high-risk situations.

Step 2: Comprehensive Data Management and Archiving

The next critical task involves managing the digital footprint left behind by former employees. IT personnel should work with representatives from the departing employee’s business unit to comb through files, emails and other forms of data, identifying information that requires preservation. This task, though daunting, is crucial for maintaining operational continuity and complying with legal and institutional data retention policies.

Document management systems can automate part of this process, enabling an agency to uphold data retention standards without the burden of manual sorting. If the employee’s department uses a document management solution, IT can configure that system to classify, retain or purge files based on the institution’s policies, ensuring that no essential data is lost and that all legal obligations are met.

Step 3: Reassessment of Licenses and Subscriptions

Departing employees often leave behind a trail of licenses and subscriptions for various software and online services used during their tenure. IT departments need to undertake a thorough reassessment of these digital assets. This involves determining which licenses are still necessary, which can be reallocated and which should be terminated, based on current and anticipated needs.

Tools like ServiceNow’s asset management solutions can provide invaluable support in this area, offering a comprehensive view of all software licenses, their assigned users and usage levels. This not only ensures efficient reallocation or cancellation, aiding in compliance with software licensing agreements, but also presents an opportunity for cost optimization.

77%

The percentage of state and local government CIOs who said that government workers leaving their jobs voluntarily has “put a strain on their workload.”

Source: MissionSquare Research Institute, “State and Local Government Employees: Morale, Public Service Motivation, Financial Concerns, and Retention,” March, 2023

Step 4: Secure Device Retrieval and Inventory Update

Hardware retrieval is an aspect of offboarding that requires as much diligence as digital access revocation. All devices issued to employees — laptops, tablets, smartphones and ID cards — must be returned, thoroughly inspected and wiped of sensitive information before reassignment or decommissioning. Overlooking this step can result in severe data security breaches.

An asset management solution like ServiceNow can enhance tracking and management of these physical devices, ensuring each item is accounted for and inventory records are up to date. This systematic approach not only secures data but also optimizes resource allocation and utilization.

Step 5: Exit Interviews and Reinforcement of Legal Obligations

Exit interviews, while often undervalued, are a critical step in the offboarding process, providing an opportunity to remind departing employees of their ongoing legal and ethical responsibilities. These discussions should emphasize the importance of maintaining confidentiality, particularly regarding sensitive information.

This meeting is also an opportunity for an agency to retrieve any remaining physical materials and discuss the employee’s experiences related to data access and security. Gathering this feedback can unveil potential system vulnerabilities or areas for improvement, enhancing overall data protection strategies.

LEARN ABOUT: State CIOs can take these steps for a more resilient workforce.

Step 6: Continuous Review and Improvement

The digital landscape is not static; it evolves constantly, as do the threats within it. An effective offboarding process today may not be as efficient tomorrow. Agencies must commit to the regular evaluation and refinement of their offboarding protocols, ensuring they remain robust and responsive to the dynamic nature of cybersecurity threats.

This commitment extends to continuous staff training and development, ensuring all personnel — both within and outside of the IT department — are aware of the best practices and latest trends in data security. Fostering a culture of continuous improvement and cybersecurity awareness is not just beneficial, it’s imperative for agencies aiming to safeguard their digital environments in this ever-evolving landscape.

Hispanolistic/Getty Images