Synoptix Onboarding & Offboarding Policy

1. Purpose

This policy defines Synoptix’s standardized procedures for onboarding (hiring, provisioning, and training) and offboarding (termination, role-change, or contract end). The goals are to securely and efficiently grant necessary access to new employees, contractors, and approved partners, and to promptly remove access and recover assets when access is no longer required—protecting Synoptix and customer data while ensuring business continuity.

2. Scope

Applies to all individuals who require access to Synoptix resources: full-time employees, part-time employees, contractors, interns, vendors, and demo partners. Covers account provisioning, device issuance, training, physical access, data handover, exit interviews, credential revocation, and asset recovery in both Synoptix Cloud and on-prem environments.

3. Definitions

• New Starter: any new employee, contractor, intern, or approved partner.
• Offboardee: person whose employment/contract ends or whose role changes to remove previous privileges.
• Provisioning: creation and assignment of accounts, credentials, roles, devices, and access.
• Deprovisioning: disabling/removing accounts, credentials, tokens, and access; recovering company assets.
• Media: devices, backups, printed or removable media (see Media Use & Handling Policy).
• Privileged Account: admin, DBA, or other account with elevated rights.
• Demo Partner: external partner requiring controlled, non-production/demo access.

4. Roles & Responsibilities

5. Onboarding — High-Level Process & Timeline

1. Requisition & Approval (before start date)
   
   • Hiring manager opens HR requisition and creates the role profile, required systems, privilege level (role), and start date.
   • For demo partners or contractors, a Partner/Contractor Access Request form (see Appendix) with sponsor approval is required.
2. Pre-Start (recommended 3–5 business days before start)
   
   • HR initiates background check (where permitted) and collects signed employment/contract documents, NDAs, and acceptable-use and privacy acknowledgements.
   • Manager submits an Access Request ticket in the internal system listing required roles and systems. InfoSec Program Lead reviews high-privilege requests.
   • IT/DevOps prepares accounts in AD/SSO (placeholder account), orders and images company device (if applicable), and ensures required licenses are available.
3. Day 0 / First Day
   
   • HR performs welcome & paperwork; issues laptop and required peripherals (or schedules pickup). IT enforces full-disk encryption, EDR, and device posture (company image).
   • IT enables AD/SSO account, enforces password policy and mandatory MFA enrollment before any Synoptix resources are accessible.
   • Manager assigns first tasks, introduces Security Champion.
4. Within 30 days (mandatory)
   • New starter completes security onboarding: InfoSec orientation, Media Use training, Incident Reporting procedures, Acceptable Use.
   • Role-specific training: Developers (SSDLC), Support (secure handling of customer data), DBA/Infrastructure (privileged access practices).
   • Access verification: Manager confirms correct access levels and files any changes in Access Request system.
5. Ongoing (first 90 days)
   • Probationary review includes confirmation of training completion, access appropriateness, and compliance with policies.
   • New starter must complete any outstanding role-based modules within 90 days.

‍

Key Timelines

• Background checks initiated pre-start.
• AD account & basic access: available on Day 0.
• MFA must be enabled before access to systems.
• Device issued and configured by Day 1 (where applicable).
• Mandatory security training completed within 30 days.

6. Offboarding — High-Level Process & Timeline

Trigger events

• Resignation, termination, end of contract, suspension, role change requiring de-escalation, or criminal conviction affecting trust.

Immediate actions (within 2–4 hours of notification)

• HR must notify IT and InfoSec immediately (within 2 hours) upon confirmed termination/role-change.
• IT/DevOps will disable the AD/SSO account within 4 hours of HR notification (prevent further logins). If termination is immediate for security reasons, IT disables accounts upon notice from HR or Executive Sponsor.
• Revoke VPN access, revoke active sessions (force logout), and disable tokens, API keys, and SSH keys.

Same-day actions

• Revoke privileged credentials and change shared service-account passwords if the offboardee had access.
• Block mobile device and initiate remote wipe (via MDM) for company mobile/managed BYOD.
• Collect company-issued devices and recovery of physical media (laptop, keys, badges, encrypted USBs) or arrange secure pickup.

Within 24–48 hours

• Recover and securely store or destroy any removable media per Media Use & Handling Policy.
• Reassign or lock down any scheduled jobs or cron jobs owned by the user.
• For offboardees who had access to customer environments, notify the customer owner if contractual obligations or customer-specific handover requires it (in coordination with Support and Account Management).

Within 72 hours

• Confirm revocation of all access (cloud consoles, SaaS tools, third-party services) and update inventory.

• Archive the user account in disabled state for 30 days before deletion (see Access Control Policy).
• If a departure is for cause or indicates suspicious behavior, InfoSec will open an investigation and, if warranted, trigger the Incident Response Program.

7. Detailed Onboarding Checklist (Manager / HR / IT joint responsibility)

Pre-start (HR/Manager)

• Offer & contracts signed; NDA and acceptable-use forms signed.
• Background check initiated/completed as applicable.
• Manager submits Access Request with required roles/systems.
• Device request placed (if required).

Day 0 (HR / IT / Manager)

• Welcome & orientation completed.
• AD/SSO account created and linked to email.
• MFA enrolled and verified.
• Device imaged, encrypted, EDR installed, and assigned. Asset tag recorded.
• Initial role-based access provisioned (least privilege).
• Security orientation given by Security Champion or InfoSec lead.
• Access/privilege confirmation logged in the ticketing system.

Within 30 days (Manager / InfoSec)

• New-hire security training completed and recorded.
• Role-based training modules completed (developer, support, DBA, etc.).
• Manager confirms access remains appropriate or files adjustments.
• New starter introduced to Security Champion and reporting channels.

Within 90 days (Manager / HR)

• Probationary review completed; access and role validated.
• Any outstanding training completed.

8. Detailed Offboarding Checklist (Manager / HR / IT joint responsibility)

Immediate (HR notifies IT & InfoSec)

• Confirm termination/role-change and effective time.
• For immediate terminations, request immediate account disablement.

Within 4 hours (IT)

• Disable AD/SSO account and force session logout.
• Revoke VPN, remote access, and public cloud console access.
• Revoke API keys, SSH keys, personal tokens, and OAuth grants.

Same day (Manager / IT / Facilities)

• Collect company devices, badges, access cards, and USBs. Arrange secure pickup if remote.
• Change passwords/credentials for any shared accounts the user managed.
• Remove user from distribution lists and calendar shared resources.

Within 24–48 hours (IT / Infrastructure / Support)

• Reclaim asset(s) and verify device wipe (factory reset + corporate image).
• Recover or sanitize any removable media per Media Use & Handling Policy.
• Reassign outstanding tickets, tasks, and scheduled jobs.

Within 72 hours (Manager / InfoSec)

• Confirm all cloud & third-party access revoked.
• Archive account in disabled state.
• If evidence of suspicious activity exists, InfoSec opens an incident ticket and conducts investigation.

Post-exit (HR / Manager / Legal)

• Conduct exit interview (unless security risk precludes it). Document any knowledge transfer and ongoing obligations (e.g., continued confidentiality).
• Confirm return of all intellectual property, notes, and credentials.
• If employee had access to customer data, confirm whether customer notification or remediation required (coordinate with Support & Legal).
‍

9. Privileged & Customer Production Access — Special Controls

• Privileged Access Approval: Admin/DBA privileges require InfoSec Program Lead sign-off and documented business justification. Temporary elevation uses JIT procedures (max 8 hours) and is logged (see Access Control Policy).

• Production Database Access: Customers control production database access. Synoptix personnel may access production data only when explicitly authorized by the customer and when access is granted through documented process (e.g., customer access approval ticket, temporary access window). All production access is logged and reviewed.
• Extra Safeguards for Privileged Accounts: Stronger MFA (hardware token + app), periodic reproofing, monthly reviews of admin logs, and immediate revocation on separation.

10. Device, Badge & Credential Handling

• Device Issuance: Company devices are asset-tagged and recorded in Endpoint Device Inventory. Device provisioning includes full-disk encryption, EDR, and required posture checks.

• Badge & Physical Access: Badge deactivation occurs in the same 4-hour window as AD account disablement. Visitors must return badges; offboardees must surrender badges during exit.
• Credential Rotation: Any shared or service credentials the offboardee managed must be rotated immediately upon notification of separation.

11. BYOD (Bring Your Own Device) — Brief Guidance

• BYOD is allowed only when enrolled in the company’s MDM with enforced full-disk encryption, corporate containerization for company data, and enabled remote wipe capability. HR/IT must approve BYOD enrollment before granting access. Offboarding includes remote wiping corporate data from BYOD where permitted and feasible.

12. Training, Certifications & Knowledge Transfer

• Mandatory Training: New hires complete InfoSec orientation and Media Use training within 30 days. Role-based modules as required. Completion is recorded centrally.
• Knowledge Transfer: For role changes and departures, a knowledge-transfer plan must be completed before the last working day (unless immediate termination). The plan documents ongoing projects, passwords stored in KMS (only admin-level roles), runbooks, and contact lists.

13. Audit & Reviews

• Semiannual Access Review: Managers must attest to correct access rights for their teams every six months.
• Provisioning/Deprovisioning Audit: InfoSec audits a sample of onboarding/offboarding tickets quarterly for timeliness and completeness. Findings are remediated within 30 days.
• Metrics: Track time-to-provision, time-to-deprovision (target: disable within 4 hours), asset recovery rates, and training completion rates. Report these quarterly to Executive Leadership.

14. Exceptions & Escalation

• Any deviation (e.g., delayed offboarding for payroll or legal reasons) requires a formal Exception Request submitted to the InfoSec Program Lead and Executive Sponsor. Exceptions must include compensating controls and an expiration date (maximum 90 days).

• For suspected malicious activity during offboarding, InfoSec escalates to Incident Response immediately and may involve Legal and Executive Sponsor.

15. Templates & Forms (examples)

‍A. Access Request (Manager submits)

• Employee name:
• Role / Title:
• Start date:
• Required systems & role(s): (e.g., Developer — Dev, Staging; Support — Demo non-prod read-only)
• Privileged access required? (Yes/No) — Justification:
• Manager approval: name & signature:
• InfoSec approval (if privileged): name & signature:

B. Termination Notification (HR submits)

• Employee name:
• Termination effective date/time:
• Reason (optional):
• Devices to recover (asset tags):
• Immediate disable required? (Yes/No):
• HR contact: name/phone/email:
• Manager contact: name/phone/email:

C. Device Return Receipt (IT completes)

• Asset tag:
• Device type:
• Returned by (name):
• Date/time recovered:
• Wipe performed (Yes/No) — Method:
• Device condition notes:
• IT technician: name/signature:

16. Privacy, Legal & Customer Considerations

• Offboarding must honor contractual obligations and customer requirements—if the offboardee had access to specific customer environments, coordinate with Account Management and Support to determine whether customer notification or account re-authorization is required.

• All released personnel remain bound by prior NDAs and confidentiality obligations. Legal will advise if additional action (e.g., litigation hold, non-compete considerations) is necessary.

17. Revision History