Exit process?

Published: 2008-07-18
Last Updated: 2008-07-19 14:53:21 UTC
by Adrien de Beaupre (Version: 2)
2 comment(s)

A recent experience with the exit process used by a company spurred me to write about the process by which an organization terminates employees or contractors. 

The very first question is, does your organization have both policy and procedures to deal with:
a) employees leaving voluntarily
b) employees being terminated
c) contractors coming and going
d) special cases

The next question is, do your employees actually follow the policies and procedures, or is there a fair amount of ad-libbing? Discretion in the hands of line management can be a good thing, or a recipe for disaster. I have always found checklists to be a good thing.

At one employer I left, I walked my replacement through the checklist, in case I had forgotten to put anything on it before I left. It was a good trial run for a new procedure. A friend of mine described a special case where a company founder left; however, none of his access was changed. Another special case can be letting systems administrators or people like penetration testers go.

So, some of the things to address are:
- Physical access
- Logical access
- Anything only that person has access to, or special privileges.
- All property
- Non-disclosure agreement reminder
- Intellectual property issues


Chris wrote in with the following:

I've worked for several employers that didn't have a proper "exit" process... So I've had to write one up as one of my "final acts". They've tended to be employer-specific as I've worked in various sectors, so I can't share them easily :-(

One area where checklists are almost essential is when an employee dies in service. People don't think straight in that situation, they make mistakes, they accidentally do things that others might think insensitive in the situation, and so on. Having checklists drawn up before such an event can save a whole lot of hassle and grief.

Also, someone needs to make sure that critical systems don't rely on a leaver's account being present to function properly. I've encountered several systems over the years that were built around a specific person, which would then die horribly when that person's account was later removed.

When I design or build a system, I make absolutely sure that it's designed to what I call the "V'Ger Rule". If you've seen "Star Trek: The Motion Picture", you'll understand.

Put simply, the "V'Ger Rule" states:
"A System must continue to operate in a correct and safe manner in the absence of its Creator".

Or, put another way:

1. No blowing up any spaceships;
2. No joyriding in Carbon Units;
3. Fat, balding starship captains are to be shot on sight, especially ones that follow the "If you can't eat it, drink it, steal it, spend it or have sex with it, blow it up" mantra.

Adrien de Beaupré


2 comment(s)


If the company is ISO certified this process should be there anyway. But even if there is "no need" (as a certification or similar) it is in the interest of both the employer and the employee to have a process in place and have it documented for both parties, that the procedure was followed. It keeps nasty surprises from happening for everyone.

When I think I'm going to leave a company, I start to make a list of the passwords that will need to be changed, access points that need to be removed, accounts that need to be deactivated or canceled, etc. Then, when I meet with my boss, I give him/her the list and ask that these be done before or as I leave. The reason I go to this trouble is so no question of whether I still had access after the fact should arise. If something goes wrong after I've left a company, I don't want someone to be able to point a finger at me.
