Checklist for Offboarding Darren

[jameshochadel]

Team Member Offboarding Checklist

When do we offboard a team member?

We must offboard a team member when they are:

• Absent for 30 or more days, or about to be. For example, team members on detail or extended leave.
• Permanently separating from the team. For example, terminated or reassigned.

See our AC Policy, "When a privileged team member has been absent...".

Special Notes

• Do not create this issue until the System Owner has formally authorized and requested it. You can obtain that OK by one of two ways: A:

  • [ ] A: System Owner creates this issue

  B:

  • [x] B.1: System owner emails cloud-gov-compliance@gsa.gov and cloud-gov-operations@gsa.gov with their authorization
  • [x] B.2: An operator adds links to the email archive of the authorizing email.
  • https://groups.google.com/a/gsa.gov/g/cloud-gov-compliance/c/Vp25tQboWC8

• Please only use first names.

---

Instructions

• [x] Assign this ticket to the person currently staffing the maintenance rotation.

In order to complete Darren's exit from the cloud.gov team, the assignee should complete a prescribed set of tasks that will remove any special access.

Assignee: The tasks below are organized by the role needed to complete them. If you can’t complete any of the items on your checklist personally, you are responsible for ensuring that an appropriate person does it.

For compliance we need to show that critical offboarding actions happen within 24 hours of departure; some actions below need GitHub issues comments when completed. Completing tasks before departure is good. (control PS-4: personnel termination).

Darren

• [ ] Initiate the process via the Leaving TTS Handbook page

Assignee

If the person offboarding is a contractor, reach out to the COR to ensure any offboarding steps specific to their contract are being completed.

• [x] Remove their access to StatusPage
• [x] Remove their agent access to Zendesk - switch their role to "end user"
• [x] Remove them from @cg-team, @cg-operators, and any other @cg- teams in the Slack Team Directory using the three-dot menu (instructions)
  • Check one of the following:
  • [ ] Temporary federal departure: Remove them all private cloud.gov Slack channels, except #cg-priv-gov, so they may continue to receive essential team communications.
  • [x] Permanent departure: If the person is leaving permanently, they will be removed from all channels automatically.
• [x] Remove them from the team roster
• [x] Remove them from the squad list
• [x] In the training tracker: if they're staying at TTS, move them to the "former teammates" tab; if they're leaving TTS, delete them from the spreadsheet
• [x] Remove them as invitees for any meetings on the cloud.gov calendar where they are specifically named
  • Invites where they are listed as part of the cloud.gov invitee group will be removed when they are removed from that group by the System Owner
• [x] Remove them from our dockerhub org

System Owner (or person delegated by System Owner)

The following steps must be conducted and documented within 24 hours of departure:

• [x] Exit interview with supervisor (federal employees) or contract account manager / COR (contractors): Discuss with departee the following information security topics:
  • They are to remove any non-public cloud.gov data (e.g. keys, passwords, code, documents) from any non-GSA device
  • They are not to disclose any non-public cloud.gov technical practices without authorization from GSA
  • They will not access cloud.gov systems or services without authorization from GSA
  • If the System Owner cannot hold this discussion, they will communicate to GSA OHRM that the above topics need to be communicated to the leaving person.
• [x] Remove them from the cloud.gov Github organization
• [x] Remove them from the cloud.gov team Google Group
• [ ] If they are part of the business unit, remove their access to GovDelivery

The following do not directly impact cloud.gov security & operations and can happen later:

• [x] Remove them from Nessus
• [x] Remove them from [Tenable (if Compliance Team)](https://community.tenable.com/s/contacts]
• [x] Remove them from the Cloud Foundry Community GitHub org cloud.gov team
• [x] Remove them from the cloud.gov operations Google Group
• [x] Remove them from the cloud.gov compliance team Google Group
• [x] Remove them from the cloud.gov notifications Google Group
• [x] Remove them from the cloud.gov inquiries Google Group
• [x] Remove them from the cloud.gov support Google Group
• [x] Remove them from the cloud.gov emergency Google Group
• [x] Remove them from the cloud.gov Federal Employees Google Group
• [x] Remove them from our Google Groups for our AWS accounts (relevant for PM, Director, and Deputy Director)
• [x] Remove them from Ubuntu Advantage

Engineering

The following steps must be conducted and documented within 24 hours of departure:

• [x] Not a member of Engineering

-- or --

• [ ] Delete the user in all cloud.gov AWS accounts by submitting a PR to aws-admin
• [ ] Remove their access as an admin on the platform
• [ ] Remove any privileges that their cloud.gov account has due to membership in the cloud.gov team (even if not in Cloud Ops), such as admin_ui.user and scim.read
  • [ ] Verify these permissions have been removed using the cg-scripts validate-admins.sh run from a jumpbox
• [ ] Remove any Org or Space roles that their cloud.gov account holds due to membership in the cloud.gov team (for example, remove them from the cloud-gov and cloud-gov-operators organizations)

[ChrisMcGowan]

According to Nicki Wilson the exit interview piece is done.