Two moments in every employee's time with you carry real IT risk and real productivity cost: the day they start and the day they leave. Handled with a checklist, both are smooth. Handled ad hoc, the first wastes a new hire's first day and the second leaves a security hole behind.
Here is a practical checklist for both.
Why this needs a process
When onboarding is improvised, a new hire spends day one waiting (for an account, a laptop, access to the tools they need). That is a poor first impression and lost productivity.
When offboarding is improvised, something always gets missed. An account stays active, a login still works, a former employee can still reach company data. CISA's small-business guidance specifically calls for promptly removing access when staff depart, because lingering accounts are a well-known, avoidable risk.
A simple, repeatable checklist solves both. It does not need special software (a document everyone follows is enough to start).
The onboarding checklist
Aim to have all of this ready before the new person's first day:
- Accounts created: email and the core business systems they will use.
- Multi-factor authentication set up on those accounts.
- Access granted by role: give them what their job needs, following least privilege. Resist the urge to over-grant "just in case."
- Device prepared: laptop or desktop set up, updated, encrypted, and running endpoint protection.
- Access to files and shared resources they will need.
- Software and licenses assigned.
- A quick security briefing: how to spot phishing, how to report it, the password and acceptable-use policies.
When this is ready in advance, a new hire is productive on day one instead of waiting.
The offboarding checklist
This should run on the person's last day (ideally at a planned time):
- Disable accounts: email and every business system. Disabling immediately, rather than deleting, preserves data while cutting access.
- Revoke multi-factor authentication and any security keys or tokens.
- End remote access: VPN and remote-desktop accounts.
- Recover company devices: laptop, phone, security keys.
- Reclaim or rotate shared credentials the person knew.
- Forward or preserve their email and files so the business keeps what it needs.
- Reassign their licenses to avoid paying for unused seats.
- Check third-party and external tools: accounts on vendor sites, social media, and industry portals are easy to forget.
The key principle: access should end the moment employment does. A friendly departure does not change the security math.
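To check that the offboarding list was actually completed, the script below cross-references an HR departure list against account exports and flags anything a departed person can still use. It is an added example, not part of the original checklist or any vendor's tooling; the data layout, field names and sample users are assumptions constructed for illustration.

```python
from datetime import date

# Constructed sample data (assumed layout, not from the article).
DEPARTURES = {  # user -> last day of employment, as supplied by HR
    "alice": date(2024, 5, 31),
    "bob": date(2024, 6, 14),
}
ACCOUNTS = [  # (system, user, enabled, registered MFA devices/tokens)
    ("email", "alice", False, 0),
    ("vpn", "alice", True, 1),
    ("crm", "bob", False, 1),
    ("email", "carol", True, 1),
]
SHARED_CREDENTIALS = [  # (name, users who knew it, date last rotated)
    ("wifi-psk", {"alice", "carol"}, date(2024, 1, 10)),
    ("social-media", {"bob"}, date(2024, 6, 14)),
]

def audit_offboarding(departures, accounts, shared_credentials, today):
    """Return sorted (user, resource, problem) tuples for departed staff."""
    def departed(user):
        last_day = departures.get(user)
        return last_day is not None and last_day <= today

    findings = []
    for system, user, enabled, mfa_devices in accounts:
        if not departed(user):
            continue  # current staff, or departure still in the future
        if enabled:
            findings.append((user, system, "account still enabled"))
        if mfa_devices > 0:
            findings.append((user, system, "MFA device or token still registered"))
    for name, known_by, rotated in shared_credentials:
        for user in sorted(known_by):
            # A rotation on or after the last day counts as done.
            if departed(user) and rotated < departures[user]:
                findings.append((user, name, "shared credential not rotated since departure"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_offboarding(DEPARTURES, ACCOUNTS, SHARED_CREDENTIALS, date(2024, 6, 15)):
        print(" | ".join(finding))
```

In practice the three inputs would come from the HR system and each tool's user export; an empty result means every listed system matches the checklist.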
Keep the checklist alive
Two small habits keep this working:
- Assign an owner. Onboarding and offboarding should each be clearly somebody's responsibility, not "whoever notices."
- Coordinate with HR. IT needs to know about a start or departure in advance (a surprise departure handled days late is exactly when accounts get missed).
The takeaway
Onboarding and offboarding are predictable events, so they should run on a predictable checklist. Do that and new hires start strong while departing staff leave no security gaps behind.
If you would like help building onboarding and offboarding processes (or would like them run for you), the Flexnet Networks team does this routinely for growing businesses.
Sources
- Cyber Guidance for Small Businesses, Cybersecurity and Infrastructure Security Agency (CISA)
- Cyber Essentials, CISA



