An employee offboarding security checklist is the set of access-revocation, device-recovery, and credential-rotation steps a company completes on an employee's last working day so that nobody who has left the organization still has a working login, VPN session, or code-repo key. For most Indian businesses, offboarding is treated as an HR paperwork exercise — the exit form, the final settlement, the relieving letter — while the security side runs on trust and memory. That gap is exactly where ex-employees quietly keep access to email, SaaS tools, VPNs, and production systems for weeks or months after they walk out the door.
Why Offboarding Is the Security Control Everyone Forgets
Onboarding gets a project plan, a laptop-provisioning ticket, and a day-one checklist. Offboarding, in most Indian SMBs, gets a farewell email and a goodbye message on the team chat. IT and security are often told about a departure days after the person has already left — sometimes only when payroll processes the final settlement. In that gap, a former employee's corporate email keeps working, their VPN profile stays active, their name is still listed as a user in three or four SaaS tools, and their SSH key may still authenticate against the production code repository.
This isn't a hypothetical edge case. It happens because provisioning is centralized — IT sets up every new hire the same way — while deprovisioning is distributed. Every SaaS vendor, every shared login, every contractor-facing tool has to be tracked down and closed individually, and in most companies nobody owns the complete list. Growing teams routinely lose track of which tools an employee had access to, especially when departments self-serve SaaS subscriptions on a company card without IT ever being looped in. A checklist only works if there's a single source of truth for "what did this person have access to" — and building that list, once, before someone leaves, is most of the battle.
The Insider Threat Angle: Disgruntled Departures
Not every offboarding is amicable. Layoffs, performance-related exits, and contentious resignations create a narrow but real window where a departing employee has both the motive and the still-live access to cause damage — copying a client list to a personal drive, deleting shared project files, exporting a customer database, or leaving a backdoor account active "just in case." This is a different problem from ongoing insider-threat monitoring of active employees. Offboarding risk is concentrated entirely in the hours and days around the exit date, and unlike behavioral monitoring, it is fully preventable with process discipline rather than surveillance tooling.
The offboarding sequence below is the process most Indian companies think they're following — but usually aren't, because access revocation is scattered across HR, IT, and individual system owners instead of running as one coordinated workflow.
The Offboarding Security Checklist
Use this as a working checklist, not a reference document — assign an owner and a deadline for every row before the resignation notice period even starts.
| Category | Action | Owner | Deadline |
|---|---|---|---|
| Identity and SSO | Disable single sign-on and every federated login tied to the account | IT / Security | Last working day |
| Corporate email | Suspend the inbox, set forwarding to the manager, preserve mailbox for legal hold | IT | Last working day |
| VPN and network | Revoke VPN certificates, remote-access tokens, and Wi-Fi credentials | IT / Security | Last working day |
| SaaS applications | Remove the user from every licensed app — CRM, HRMS, finance, support, design tools | IT / App owners | Last working day |
| Code repositories | Revoke Git and CI/CD access, rotate any deploy keys or tokens the user could see | Engineering lead | Last working day |
| Shared or service accounts | Rotate passwords, API keys, and secrets the employee had access to | Security | Within 24 hours |
| Physical access | Collect ID badges, office keys, and access cards | Admin / Facilities | Last working day |
| Devices | Recover laptop, phone, and hardware tokens; wipe and re-image before reissue | IT | Within 48 hours |
| Exit interview | Sign a written security and confidentiality acknowledgment | HR | Last working day |
| Access audit | Confirm removal across every system and log it for compliance evidence | Security / Compliance | Within 5 business days |
Commonly Forgotten Access Points
Even companies that run a formal offboarding checklist tend to close the accounts that are easy to find — primary email and the identity provider — while missing the access points that were set up outside IT's normal provisioning flow. The chart below is an illustrative breakdown of where forgotten access typically clusters, based on the categories most commonly flagged during access-control reviews.
Shared SaaS logins top the list because they're rarely tied to a single named user — a marketing team's shared social-media login or a finance team's shared accounting-tool seat can outlive dozens of employee exits without anyone rotating the password. VPN and remote-access tools come next, especially in companies that grew through remote or hybrid hiring and never centralized how remote credentials are issued and revoked. Email forwarding rules are a quieter risk: an employee can set up a forwarding rule to a personal address weeks before resigning, and it keeps working long after the account itself is technically "disabled" if the rule isn't audited separately.
Building a Repeatable Offboarding SOP
A checklist only works if it's run the same way every time, regardless of whether the exit is friendly or contentious, planned or sudden. The most reliable pattern for Indian SMBs is a joint HR-IT-Security sign-off: HR cannot close the exit file until IT confirms every system on the checklist shows the account as revoked, and Security cannot close its own audit until device return and credential rotation are both verified. This removes the single point of failure where one team assumes another team already handled it.
Two things make this sustainable at scale. First, maintain one running list per employee of every system they were granted access to, updated whenever a new tool is added — not reconstructed from memory on their last day. Second, treat contractors and interns with the same rigor as full-time employees; short-tenure, low-oversight roles are disproportionately represented in access-sprawl incidents because their offboarding is assumed to be automatic when the contract ends, when in practice nobody revokes anything until someone notices.
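The per-employee running list only pays off when it is reconciled against what each system actually reports at sign-off time. The following is an added example, not code from Bachao.AI or the page: a small Python check that takes a constructed access inventory and a constructed system-state snapshot, applies the deadlines from the checklist above, and flags every grant still active past its deadline, every system that could not be verified, and any mail-forwarding rule pointing outside the company (the quieter risk noted earlier). All system names, the corporate mail domain and the dates are constructed placeholders.

```python
from datetime import date, timedelta

# Deadlines from the checklist, as days after the last working day:
# "Last working day" = 0, "Within 24 hours" = 1, "Within 48 hours" = 2.
DEADLINE_DAYS = {"identity": 0, "email": 0, "vpn": 0, "saas": 0, "repo": 0,
                 "physical": 0, "shared_account": 1, "device": 2}

CORPORATE_DOMAINS = {"example.co.in"}  # constructed placeholder for the company's mail domain

def offboarding_gaps(inventory, snapshot, last_day, today):
    """Compare the employee's access inventory against a system-state snapshot.

    inventory: list of (system, category) grants recorded while the person was employed.
    snapshot: dict system -> {"revoked": bool, "forwarding": [addresses]}; a system
              missing from the snapshot cannot be signed off and is flagged as such.
    Returns a list of (system, finding) pairs; an empty list means sign-off is clean.
    """
    findings = []
    for system, category in inventory:
        deadline = last_day + timedelta(days=DEADLINE_DAYS[category])
        state = snapshot.get(system)
        if state is None:
            findings.append((system, "not in snapshot: cannot verify revocation"))
            continue
        if not state.get("revoked") and today > deadline:
            findings.append((system, f"still active, deadline was {deadline}"))
        # Forwarding rules outlive a disabled mailbox, so check them separately
        # and flag any destination outside the corporate domain.
        for addr in state.get("forwarding", []):
            if addr.rsplit("@", 1)[-1].lower() not in CORPORATE_DOMAINS:
                findings.append((system, f"external forwarding rule to {addr}"))
    return findings

def example_findings():
    """Run the check on constructed sample data for one departing employee."""
    inventory = [("sso", "identity"), ("mail", "email"), ("vpn", "vpn"),
                 ("crm", "saas"), ("git", "repo"),
                 ("shared-social-login", "shared_account"), ("laptop", "device")]
    snapshot = {  # constructed state three days after the exit; "git" was never checked
        "sso": {"revoked": True},
        "mail": {"revoked": True, "forwarding": ["r.sharma@personalmail.example"]},
        "vpn": {"revoked": False},
        "crm": {"revoked": True},
        "shared-social-login": {"revoked": False},  # password never rotated
        "laptop": {"revoked": True},  # device recovered and wiped
    }
    last_day = date(2024, 3, 29)
    return offboarding_gaps(inventory, snapshot, last_day, last_day + timedelta(days=3))

if __name__ == "__main__":
    for system, finding in example_findings():
        print(f"{system}: {finding}")
```

An empty result from `offboarding_gaps` is the evidence the "Access audit" row asks for; anything else goes back to the owner named in the checklist before HR closes the exit file.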
This isn't a novel idea — it's standard personnel-security practice. NIST SP 800-53 dedicates its personnel-security control family (including termination and transfer controls) to exactly this problem: access must be disabled in step with an employee's status change, not on a best-effort basis. Indian businesses building or refreshing an incident-response and access-hygiene program can also track CERT-In's advisories and DSCI's resources for India-specific guidance on access governance and insider-risk controls.
Offboarding discipline also intersects directly with compliance. Under the DPDP Act 2023, businesses acting as data fiduciaries remain responsible for personal data even after the employee who handled it has left — a former employee with live access to a customer database or CRM extends your compliance exposure, not just your security exposure. A documented, auditable offboarding trail is part of demonstrating reasonable security safeguards for DPDP compliance, not only for internal security hygiene.
Bachao.AI, built by Dhisattva AI Pvt Ltd, reviews access-control hygiene — including stale accounts and offboarding gaps — as part of its automated VAPT scans, alongside broader external-facing vulnerability checks. If you want a fast read on whether your systems still show accounts for people who have already left, start with a free VAPT scan. And if you're building out ongoing insider-risk controls for employees who are still active, the Bachao.AI blog covers that ground separately from offboarding.