Growing the team is an exciting time. Bringing on friends, learning from a new starter’s broad experiences, and the general thrill of collectively building a new product to disrupt a stale market are all great excuses to celebrate. The easy mode will be giving everyone access to everything, which can be a low effort and practical strategy for a handful of team members, but can spiral out of control quickly.
| What | Start | Next |
|---|---|---|
| Onboarding, off-boarding, and changes | Detailed checklist | Automation and SSO |
| Access reviews | Manual reviews | Scheduled check based on asset list |
It cannot be overstated how important it is to have well documented and defined employee change activities. An onboarding process can help new employees transition smoothly into your team and save them hours of idle time waiting for access to the resources they need to get started. An off-boarding process will ensure that you do not forget critical steps when someone leaves the company. Both processes will help you establish a predictable set of access controls and minimize the chances of a data breach.
Basics to get started?
Create a detailed checklist template for both the onboarding and off-boarding processes. The core of them both will likely be very similar since one is adding access and the other is removing access. The scope of these checklists should be as broad as possible.
For onboarding, start when the person has committed to working with you. The checklist should be as detailed as you can make it and include everything from technical access changes to important introduction events. Here’s a quick sample to get you started.
-
Background and reference checks completed
-
Contract signed
-
Computer purchased
-
Welcome letter sent
-
Email and messaging accounts setup
-
Swag sent
-
Access to key tools
-
Security awareness training
Off-boarding will work in the opposite direction. From a security perspective, the key step is identifying and removing them from all the systems that they have access to.
-
Received resignation
-
Worked out their final date of access
-
List of all systems they need to be removed from
-
Handover of documentation
-
Removed access
-
Forwarded emails to manager
What’s next?
There is a lot of automation that can occur in HRIS services. They often have built-in checklists and workflows for both onboarding and off-boarding, and can integrate with identity systems like Google Workspace or Office 365 to automate the creation and disabling of system accounts. If you’re lucky, you may have already configured most of your systems with SSO or SAML, which can make the job easier. Ticketing systems are also useful for automating the creation of templates and tracking tasks that have been completed and by whom.
What does Kinde do?
We have integrated most of our critical system’s identity with our Google Workspace account using SAML or enforced social logins. Our onboarding and off-boarding checklists are templated in Notion, with fields for marking when certain tasks have been completed.
Performing regular access reviews helps reduce the risk of data breaches by enforcing the principle of least privilege and maintaining transparency. Early employees tend to have lots of admin rights since everyone is doing everything. Adopting a mindset of granting access only to what people need will greatly reduce the risk of data breaches. The fewer admins there are, the harder it will be for an attacker to cause damage.
Access reviews are particularly useful when reviewing systems where many people have changed roles as the company grows. For example, do they still need access to marketing tools if they’ve moved over to people ops? Does your founder still need admin rights to the production cloud now that there’s an engineering team? Ask these questions.
Basics to get started?
To get started, identify all the places where you have logins set up. Using the vendor list from the SaaS post is a good start, as your team will likely need credentials to use that service and you would have already identified a business owner to work with. Filter that list down to the services that would impact your product’s uptime and your company’s reputation. The trick here is to review them only after periods of change or at least annually. Identify who has an account on that system and which of those users are admins. Then ask the obvious question: Do they still need this access? The owner of the service is likely best placed to make that decision. You might even save some money if those services are pay-per-seat.
What’s next?
Automation is a big help in managing user access. By configuring your systems to use SSO or SAML, you can reduce the number of places you need to audit user access. Even if a supporting system has a user account set up for someone who has left the company, with SSO in place, as long as the account is disabled in the main identity system, the user won’t be able to authenticate to the linked services.
To ensure you don’t forget to perform access reviews, use a ticketing system with a recurring scheduler. Most system owners are savvy enough to self-audit the user list, so it could be as easy as assigning them the ticket and letting them do the work themselves. These records will also provide an audit history in case you need to prove that something has been done.
What does Kinde do?
We have a scheduled Notion task that spawns a reminder once a quarter with instructions on what to do. We’ve captured all the user accounts of the various systems we use into our information assets database. Since our team is fairly small and stable, the access review is pretty quick to finish. Each quarter, we go over every system that’s marked as critical to our services and then try to get all the remaining systems at least once a year for housekeeping.
Get started now
Boost security, drive conversion and save money — in just a few minutes.