May 23 2024
Security

How to Offboard K–12 IT Staff Members

Follow these steps to ensure your school or district is protected when an IT employee leaves.
by

Mike Chapple is associate teaching professor of IT, analytics and operations at the University of Notre Dame. 

It’s no secret that some K–12 IT employees are being lured away from school districts and charter and private schools to the private sector. Drawn by attractive compensation packages and the ability to work remotely, they can take on a new job without the burden of relocation. 

This exodus is particularly problematic because these workers often leave behind a complex web of credentials, licenses and data — elements that, if mishandled, could compromise institutional integrity. As staff decamp for other opportunities, school leaders face the daunting task of diligently cleaning up their digital trail to prevent them from becoming security pitfalls. Among the threats are zombie accounts — credentials left behind by departing staff that are never removed. Zombie accounts can lurk undetected for months or years, posing a significant security risk. 

To combat these cyber vulnerabilities, IT departments should develop and adhere to a meticulous and consistent offboarding strategy. 

Click the banner to learn more about implementing zero trust in your school.

k12-csam-securitybundle-shieldstudents k12-csam-securitybundle-shieldstudents

 

Step 1: Revoke Credentials and Access Control 

If an employee’s departure is planned and occurs under friendly terms, the IT department should have a standard account deprovisioning process. This should follow a predetermined timeline, usually set to culminate with the employee’s final day of work. During this period, the employee should be informed about the offboarding process, including the schedule for revoking access to email accounts, school networks, databases, VPNs and any other digital resources. 

Under this standard process, the IT team collaborates with HR and the employee’s department to ensure a smooth transition, allowing for the secure transfer of work documents, projects and any institutional knowledge necessary for operational continuity. Tools like Okta or OneLogin can be used to schedule account deactivation, ensuring that access concludes with the employee’s tenure. This organized and respectful approach not only supports security but also fosters goodwill, enhancing the institution’s reputation as a desirable workplace. 

RELATED: Free up your IT staff to focus on higher priorities with managed services.

Some terminations are not amicable, however, and those require immediate action. The IT department must implement an emergency revocation procedure that involves the instantaneous deactivation of all of the employee’s access credentials across the school’s or district’s systems. Immediate action minimizes the risk of retaliatory actions or data breaches, which are heightened concerns in such scenarios.

Under these circumstances, real-time synchronization and access control tools are not just beneficial, they are crucial. Platforms like Okta or OneLogin facilitate immediate, systemwide access revocation, precluding the potential for maliciously compromised data or systems. Additionally, the IT department should conduct a prompt audit of digital access, ensuring the former employee hasn’t created any backdoor entry points. This emergency process, though necessary only occasionally, underscores the need for robust security protocols that can respond swiftly to high-risk situations. 

Step 2: Manage Data and Identify What Needs Archiving 

The next phase involves managing the digital footprint left behind by former employees. IT personnel should work with representatives from the departing employee’s business unit to comb through files, emails and other forms of data to identify information that requires preservation. This task can be daunting, but it’s crucial for maintaining operational continuity and complying with legal and institutional data retention policies. 

Document management systems can automate part of this process, enabling the school to uphold data retention standards without the burden of manual sorting. If the employee’s department uses a document management solution, IT can configure that system to classify and retain or purge files based on the institution’s policies, ensuring that no essential data is lost and that all legal obligations are met. 

DISCOVER: How data governance dictates the roles and responsibilities for data management.  

Step 3: Assess Departing Employees’ Licenses and Subscriptions

Departing employees often leave behind a trail of licenses and subscriptions for various software and online services used during their tenure. IT departments must undertake a thorough reassessment of these digital assets to determine which licenses remain necessary, which can be reallocated and which should be terminated, based on current and anticipated needs. 

Tools like CDW ServiceNow’s asset management solutions can provide invaluable support in this area, offering a comprehensive view of all software licenses, their assigned users and usage levels. This ensures efficient reallocation or cancellation, aids compliance with software licensing agreements and presents an opportunity for cost optimization. 

Step 4: Secure Device Retrieval and Update Inventory 

Hardware retrieval is an aspect of offboarding that requires as much diligence as digital access revocation. All devices issued to employees — laptops, tablets, smartphones, ID cards and more — must be returned, thoroughly inspected and wiped clean of sensitive information before they are reassigned or decommissioned. Overlooking this step can result in a severe data security breach. 

An asset management solution such as CDW ServiceNow enhances tracking and management of physical devices, ensuring each piece of hardware is accounted for and inventory records remain up to date. This systematic approach not only secures data but also optimizes resource allocation and utilization.

LEARN MORE: How Okta manages authorized access for specific groups.

Step 5: Conduct Exit Interviews and Reinforce Legal Obligations 

Exit interviews, while often undervalued, are a critical step in the offboarding process, providing an opportunity to remind departing employees of their ongoing legal and ethical responsibilities. These discussions should emphasize the importance of maintaining confidentiality, particularly regarding student information, and clarify the legal implications of any nondisclosure agreements. 

This meeting is an opportunity for the institution to retrieve any remaining physical materials and discuss the employee’s experiences related to data access and security. Gathering this feedback can unveil potential system vulnerabilities or areas for improvement, enhancing overall data protection strategies. 

Step 6: Seek Opportunities for Regular Reviews and Improvement 

The digital landscape is not static; it evolves constantly, as do the threats within it. An effective offboarding process today may not be efficient tomorrow. Schools must commit to the regular evaluation and refinement of their offboarding protocols, ensuring they remain robust and responsive to the dynamic nature of cybersecurity threats.

This commitment extends to continuous staff training and development, ensuring all personnel — both within and outside of the IT department — are aware of best practices and the latest trends in data security. Fostering a culture of continuous improvement and cybersecurity awareness is not just beneficial, it’s imperative for institutions aiming to safeguard their digital environments in this ever-evolving landscape. 

UP NEXT: How asset-tracking technology saves money and reduces risk.

mathisworks/Getty Images

More On

Related Articles

Close

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.

Click to See the Report