TL;DR: Every employee arrival and departure is a critical moment for your IT security. Without a checklist, active accounts get forgotten, onboarding stalls, and you're exposed to data leaks. Here are two practical lists: onboarding and offboarding, with the tools to automate them.
Friday 4:30 PM, your office manager tells you she's leaving. Monday morning, she still has access to the shared Drive, the company email, the CRM with all your client data, and the online banking. Nobody thought about it because nobody had a list.
The flip side is just as painful. The new hire shows up Monday, motivated, ready to go. Except there's no laptop. No email. No network access. You improvise with the old intern's laptop from two years ago, and three weeks later they're still waiting for VPN access. Great first impression.
Both scenarios happen constantly in SMBs and non-profits. Not from negligence: from lack of process. The good news is that a simple checklist fixes 90% of the problem.
The real risk: ghost accounts in your network
A former employee who still has their access isn't just an administrative annoyance. It's a security breach. NIST SP 800-171 requires that information systems be protected during employee departures and transfers. In practice, that means closing accounts promptly and recovering equipment.
Of course, SMBs don't have a NIST compliance team. But the principle holds: every active account without a legitimate owner is an open door. And under Law 25 in Quebec, you now have a legal obligation to control who accesses the personal information you hold. A former employee who can still browse your client database is a breach of those obligations.
The onboarding checklist: from day 1 to the first month
The goal isn't to do everything the first morning. It's to forget nothing, and to give the new hire what they need to be productive quickly.
| When | What | Owner |
|---|---|---|
| Before day 1 | Order/prepare the workstation (laptop, monitor, keyboard, mouse) | IT / manager |
| Before day 1 | Create the main user account (email, SSO if applicable) | IT |
| Before day 1 | Prepare access based on role: CRM, accounting, file shares | IT + manager |
| Day 1 | Hand over equipment and have them sign the inventory | IT |
| Day 1 | Set up multi-factor authentication (MFA) on all accounts | IT + employee |
| Day 1 | Install the password manager and add the employee | IT |
| Day 1 | Set up VPN if working remotely | IT |
| Day 1 | Have them sign the acceptable use policy and privacy policy | HR |
| Week 1 | Basic training: security, phishing, best practices | IT / manager |
| Week 1 | Verify that all access is working properly | Employee + IT |
| Month 1 | Review access: too much? Not enough? | Manager + IT |
The key point here: preparation starts before day 1. If you wait until the person is sitting at their desk to start creating accounts, you've already lost a day of productivity.
The offboarding checklist: departure day and after
This is the checklist people forget most often, and it's the most critical for security. When someone leaves, especially if the departure is tense, every hour counts.
| When | What | Owner |
|---|---|---|
| Departure day | Disable the main account (SSO, email, Active Directory) | IT |
| Departure day | Revoke VPN access and remote connections | IT |
| Departure day | Revoke access to all SaaS applications (CRM, accounting, etc.) | IT |
| Departure day | Recover equipment: laptop, phone, keys, access cards | IT + HR |
| Departure day | Remove the employee from mailing groups and shared calendars | IT |
| Departure day | Change shared passwords the person had access to | IT |
| Following week | Transfer relevant files and emails to the successor | Manager + IT |
| Following week | Set up a temporary email redirect (with departure notice) | IT |
| 30 days | Archive the mailbox and delete the account | IT |
| 30 days | Verify that no residual access remains | IT |
The most overlooked point: shared passwords. If your team shares a password for the company Instagram account or the website admin panel, it needs to be changed immediately upon departure. That's exactly why a team password manager is essential.
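The two steps that slip most often are the 30-day "no residual access" check and the shared-password rotation. The script below is an added example, not code from the original article or from any of the tools it names: it reconciles an HR roster against per-service user exports and a list of shared credentials, and reports ghost accounts, accounts past the delete deadline, and secrets still known by someone who left. All names, services, dates and the three dictionaries are constructed for the example; in practice you would load them from your HR system and from each service's user list.

```python
from datetime import date

# Constructed sample data for the example; none of it comes from a real system.
AUDIT_DATE = date(2024, 6, 1)
# HR roster: departure date, or None if still employed.
HR_ROSTER = {"alice": None, "bob": date(2024, 3, 1), "carol": date(2024, 5, 20)}
# One user export per service: username -> is the account enabled?
SERVICE_ACCOUNTS = {
    "sso": {"alice": True, "bob": False, "carol": True},
    "crm": {"alice": True, "bob": True, "dave": True},
    "accounting": {"alice": True, "carol": True},
}
# Shared credentials: name -> (people who knew it, date of last rotation)
SHARED_SECRETS = {
    "instagram": ({"alice", "bob"}, date(2024, 1, 10)),
    "website-admin": ({"alice"}, date(2024, 1, 10)),
}

def residual_access(roster, services, today, grace_days=30):
    """Flag accounts that should be disabled or already deleted, per the offboarding checklist."""
    findings = []
    for service, accounts in services.items():
        for user, enabled in accounts.items():
            if user not in roster:
                if enabled:  # nobody in HR owns this account
                    findings.append((service, user, "orphan: no HR record"))
                continue
            left = roster[user]
            if left is None:  # still employed
                continue
            days = (today - left).days
            if enabled:  # should have been disabled on departure day
                findings.append((service, user, f"still enabled {days} days after departure"))
            elif days > grace_days:  # disabled, but past the archive-and-delete deadline
                findings.append((service, user, f"disabled but not deleted after {grace_days} days"))
    return findings

def stale_shared_secrets(roster, secrets):
    """Flag shared credentials last rotated before someone who knew them left."""
    findings = []
    for name, (knowers, rotated) in secrets.items():
        for user in sorted(knowers):
            left = roster.get(user)
            if left is not None and left > rotated:  # rotated before departure: they may still know it
                findings.append((name, user, f"not rotated since departure on {left}"))
    return findings

if __name__ == "__main__":
    for f in residual_access(HR_ROSTER, SERVICE_ACCOUNTS, AUDIT_DATE) + stale_shared_secrets(HR_ROSTER, SHARED_SECRETS):
        print(" | ".join(f))
```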
SSO changes everything
When every application has its own user account, offboarding becomes a nightmare. You have to think about each service one by one: email, CRM, file sharing, accounting software, team messaging, internal wiki. You always forget one.
With a single sign-on system (SSO), like Authentik or Keycloak, everything is centralized. One account controls access to all applications. When someone leaves, you disable one account and everything closes. When someone arrives, you create one account with the right groups and everything opens.
It's an upfront investment in setup, but the payoff is immediate: fewer mistakes, less wasted time, and significantly stronger security. For SMBs already using Nextcloud, Odoo, or other internal web applications, SSO integrates naturally.
Our recommendation for an SMB with 10 to 50 employees:
- Set up SSO (Authentik or Keycloak) to centralize access
- Use a team password manager (Vaultwarden) for accounts that don't support SSO
- Create both checklists in your project management tool (Odoo, Nextcloud Deck, or even a simple shared document)
- Assign a clear owner for every departure and every arrival
Law 25 and access management
Since its gradual implementation between 2022 and 2024, Law 25 in Quebec imposes concrete obligations regarding personal information protection. Among them: you must have clear policies on who accesses what, and you must be able to demonstrate that you control that access.
A former employee who still has access to your client database three months after leaving is exactly the kind of situation Law 25 aims to prevent. You need an access register, data retention and destruction policies, and a documented process for revoking access upon departure.
The offboarding checklist isn't just a best practice: it's a legal obligation disguised as common sense.
Automate with the right tools
A paper checklist is better than nothing. But a checklist built into your work tools is far more reliable.
In Odoo, the HR module lets you create onboarding and offboarding plans with automatic activities. When you hire someone, the system automatically generates the tasks: create the email account, prepare the workstation, configure access. Each task is assigned to the right person with a deadline. Nothing falls through the cracks.
Nextcloud can serve as a central repository for onboarding documents, signed policies, and equipment inventory. Combined with SSO, creating the Nextcloud account automatically grants access to the right folders based on the employee's group.
We wrote a full article on Nextcloud for SMBs covering document management and collaboration. A good companion read if you're looking to organize your internal documents.
The limits of a checklist
A checklist only works if someone owns it. In an 8-person SMB with no IT department, it's often the owner or the admin assistant managing all this between emergencies. The checklist can exist in a perfectly formatted document and never be followed.
The other reality: some services don't support SSO, especially free tools or shared social media accounts. For those, you'll always need a manual process. The password manager helps, but it doesn't replace the discipline of revoking access.
And if your staff turnover is very low (two or three movements per year), investing in a full SSO setup might not be a priority. In that case, a well-maintained checklist in a shared document with automatic reminders does the job just fine.
What we do at Blue Fox
Our approach is to set up both the tools and the process together. Not just install SSO and leave you with the documentation: we configure the checklists in Odoo or Nextcloud, we train the person in charge, and we make sure the process is realistic for your team size.
We use open source tools (Authentik for SSO, Vaultwarden for passwords, Nextcloud for documents, Odoo for management) because that's been our approach from the start. It gives you full control over your data and access, without depending on a Microsoft or Google subscription to manage who comes in and out of your organization.
If reading this article makes you realize your arrival-departure process is pretty improvised, let's chat about your situation. It's the kind of thing that gets sorted in a few days and saves a lot of headaches.
Sources
- NIST SP 800-171 rev. 2, requirement 3.9.2 — Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- CIS Critical Security Controls v8 — Control 6: Access Control Management
- Commission d'accès à l'information du Québec — Guide on Law 25