Account Deactivation Standard Operating Procedure (SOP)

Purpose

To define the standardized process for deactivating user accounts and recovering company assets when an employee, contractor, or third-party user separates from the organization. This procedure ensures timely termination of access to protect organizational data and meet regulatory requirements.

Scope

This SOP applies to all employees, contractors, and third parties with access to systems, applications, or data owned or managed by RS Tech Services.

Roles & Responsibilities

  • Human Resources (HR): Notifies IT of employee terminations or departures and ensures the exit checklist is initiated.
  • IT Helpdesk Analyst: Receives HR notification and initiates access deactivation request.
  • System Administrator: Disables and removes user accounts, access privileges, and email within required timeframes.
  • Compliance Officer: Conducts monthly audits to verify all deactivations were completed in accordance with this SOP.

Procedure

  1. HR immediately submits an Employee Termination Notification ticket via Jira. The ticket should include:
    • Employee name and ID number
    • Date and time of termination
    • A list of all company assets held by the employee
    • Confirmation that all keys and access cards have been secured
  2. IT Helpdesk Analyst reviews the request for completeness.
  3. System Administrator disables the employee’s Active Directory account immediately.
  4. System Administrator revokes all logical access (Active Directory, VPN, email, and third-party customer applications) to prevent unauthorized entry after separation.
  5. HR should provide the System Administrator with all physical assets (laptop, badge, tokens) collected from the employee. Acceptance of these items should be logged.
  6. IT Helpdesk Analyst verifies that all account deactivations have been completed and notes this in the Jira ticket. The Jira ticket number should be logged for audit purposes.
  7. All deactivation records and Jira tickets must be retained for a minimum of one year for audit and compliance verification.
  8. Compliance Officer conducts a monthly reconciliation to ensure all terminations were properly executed.

Compliance/References

  • "RS Tech Services - User Access and Account Management Policy"
  • "ISO/IEC 27001 – Annex A.9.2.6 Removal or Adjustment of Access Rights"
  • "NIST 800-53 Rev. 5 – AC-2 Account Management"
  • "SOC 2 – Security Principle: Logical Access Controls"

Revision History

  Version   Date         Description of Change   Author
  1.0       09-01-2025   Initial Draft           R. Steele