
Aulendur Labs

Onboarding & Offboarding Policy

Document ID: AUL-POL-09
Version: 1.0
Classification: Internal
Owner: Chief Technology Officer / ISSM
Effective: TBD-YYYY-MM-DD
Next Review: TBD-YYYY-MM-DD


1. Purpose

This policy defines the security requirements for onboarding new personnel and offboarding departing personnel at Aulendur Labs, Inc. Proper onboarding grants only authorized access commensurate with role and need-to-know. Proper offboarding revokes all access promptly to prevent unauthorized retention of or access to Aulendur information, CUI, and systems. This policy implements NIST SP 800-171 Rev. 3 control 03.09.02 (Personnel Termination and Transfer).

2. Scope

This policy applies to:

  • Personnel: All employees, contractors, interns, and advisors — at hire, role transfer, and separation.
  • Systems: All Aulendur systems, including Google Workspace, GitHub (AulendurForge), 1Password Business, Slack, Linode, Cloudflare, AWS, Modal, and the planned CUI Enclave.
  • Physical assets: Company-issued laptops, YubiKeys, access badges, and any physical media.

3. Roles & Responsibilities

| Role | Responsibility |
|---|---|
| Chief Executive Officer (CEO) | Approves this policy; authorizes onboarding of new personnel; initiates termination actions. |
| Chief Technology Officer (CTO) / ISSM | Owns this policy; determines access levels for each role; executes access provisioning and revocation; verifies offboarding completeness. |
| Hiring Manager | Initiates onboarding request; specifies role-based access needs; verifies onboarding completion. |
| Departing Individual | Returns all Aulendur assets; cooperates with exit procedures. |
| Gusto (HR platform) | Processes employment actions; initiates payroll termination. |

4. Policy Statements

4.1 Onboarding — Access Provisioning

4.1.1 No system access shall be provisioned until the following prerequisites are complete: (a) personnel screening per the Personnel Security Policy, (b) signed access agreements (NDA, AUP, Code of Conduct), and (c) CTO/ISSM approval of the access request.

4.1.2 Access shall be provisioned on a least-privilege, need-to-know basis. The CTO/ISSM shall map each role to a predefined set of system entitlements:

| System | Default Access (All Staff) | Elevated Access (CTO/ISSM Only) |
|---|---|---|
| Google Workspace | Email, Drive (Internal folders), Calendar, Meet | Admin console, security settings |
| Slack | All non-restricted channels | Workspace admin |
| 1Password Business | Personal vault + shared team vaults | Admin, vault management |
| GitHub (AulendurForge) | Write on assigned repos, no main merge | Org admin, repo admin, merge to main |
| Linode | Read-only monitoring (if role requires) | Root/admin access |
| Cloudflare | None (unless role requires) | DNS admin, R2 admin |
| AWS | None (unless role requires) | IAM admin, production access |
| Modal | None (unless ML role) | Workspace admin |

4.1.3 The CTO/ISSM shall provision accounts within 2 business days of the individual's start date. Each account shall use the individual's unique identity (firstname.lastname@aulendur.com for Google Workspace; named accounts elsewhere). Shared or generic accounts are prohibited.

4.1.4 The CTO/ISSM shall issue the following to each new hire on or before their first day: (a) YubiKey 5 (FIDO2/WebAuthn) configured for Google Workspace and GitHub, (b) 1Password Business invitation, (c) laptop with full-disk encryption enabled (FileVault/BitLocker/LUKS), and (d) login credentials via 1Password secure sharing (never via email or Slack).

4.1.5 New personnel shall complete security awareness training within 10 business days of their start date per the Security Awareness & Training Policy.

4.2 Role Transfers

4.2.1 When personnel transfer to a new role within Aulendur, the CTO/ISSM shall review and adjust system entitlements within 5 business days of the effective transfer date. Access no longer required by the new role shall be revoked. New access required shall be provisioned per the same least-privilege process as onboarding.

4.2.2 Role transfers involving a change in CUI or ITAR access level shall require updated access agreements and CTO/ISSM re-authorization.

4.3 Offboarding — Voluntary Separation

4.3.1 Upon notification of a voluntary departure (resignation), the CTO/ISSM shall initiate the offboarding checklist within 1 business day.

4.3.2 On or before the individual's last day, the CTO/ISSM shall:

  • (a) Revoke access to all Aulendur systems: Google Workspace (suspend account, then delete after data review within 30 calendar days), GitHub (remove from org), 1Password (remove from team, deauthorize devices), Slack (deactivate), Linode/Cloudflare/AWS/Modal (remove IAM user or API keys).
  • (b) Rotate any shared secrets, API keys, or service credentials the departing individual had knowledge of. Rotation shall be completed within 24 hours of the individual's last day.
  • (c) Collect all company-issued physical assets: laptop, YubiKey(s), access badges, printed documents, and any portable storage media.
  • (d) Verify that the departing individual's endpoint is wiped or returned for forensic hold if required.
  • (e) Conduct an exit briefing reminding the individual of: NDA obligations, prohibition on retaining CUI or Confidential data, ITAR non-disclosure obligations (if applicable), and the process for returning any Aulendur data discovered after separation.

4.3.3 The CTO/ISSM shall document the completion of each offboarding step in the offboarding checklist and retain the record for 3 years.

4.4 Offboarding — Involuntary Separation

4.4.1 For involuntary terminations (for cause), the CTO/ISSM shall revoke all system access before or simultaneously with the termination notification. Access revocation shall not be deferred to end-of-day.

4.4.2 The CEO shall notify the CTO/ISSM at least 1 hour before a planned involuntary termination meeting to allow pre-staging of access revocation actions.

4.4.3 For involuntary terminations involving suspected misconduct, insider threat indicators, or security incidents, the CTO/ISSM shall: (a) preserve the individual's system activity logs for a minimum of 90 calendar days, (b) place a forensic hold on the individual's email and file storage, and (c) coordinate with the CEO on any legal or law enforcement referrals.

4.5 Contractor and Advisor Offboarding

4.5.1 Contractor and advisor access shall have a defined expiration date tied to the contract or engagement period. The CTO/ISSM shall revoke access on the expiration date or upon early termination, whichever is earlier.

4.5.2 The CTO/ISSM shall review all active contractor and advisor accounts quarterly to verify that access is still justified by an active engagement.

4.6 Access Review Reconciliation

4.6.1 The CTO/ISSM shall reconcile active system accounts against the current personnel roster quarterly. Any account without a corresponding active employee, contractor, or advisor shall be suspended immediately and investigated.

5. Standards & Procedures Referenced

The following companion documents implement this policy:

6. Compliance & Enforcement

Failure to complete offboarding procedures within the timelines specified constitutes a policy violation and shall be reported to the CEO. Granting access without completing required screening and agreements, or failing to revoke access upon separation, may result in disciplinary action. Suspected violations shall be reported to the CTO/ISSM.

7. Exceptions

Exceptions to this policy require written approval per the Policy Exception & Waiver Policy. Emergency access grants shall be ratified within 24 hours per the exception process.

8. Definitions

| Term | Definition |
|---|---|
| Onboarding | The process of granting system access, issuing equipment, and completing training for a new hire or contractor. |
| Offboarding | The process of revoking system access, collecting equipment, and completing separation procedures for a departing individual. |
| Least Privilege | The principle that individuals shall be granted only the minimum access necessary to perform their assigned duties. |
| Need-to-know | A determination that a person requires access to specific information to perform their assigned duties. |
| Forensic Hold | The preservation of electronic data and system images for potential investigation or legal proceedings. |
| CUI | Controlled Unclassified Information, per 32 CFR Part 2002. |

9. References

  • NIST SP 800-171 Rev. 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
  • NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations
  • CMMC 2.0 Level 2, Cybersecurity Maturity Model Certification
  • DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting

10. Control Mappings

| Framework | Control ID | Control Title | Coverage |
|---|---|---|---|
| NIST SP 800-171 R3 | 03.09.02 | Personnel Termination and Transfer | Full |
| CMMC 2.0 L2 | PS.L2-3.9.2 | Personnel Actions | Full |
| NIST SP 800-53 R5 | PS-4 | Personnel Termination | Full |
| NIST SP 800-53 R5 | PS-5 | Personnel Transfer | Full |
| NIST SP 800-53 R5 | PS-8 | Personnel Sanctions | Supports |

11. Revision History

| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | TBD-YYYY-MM-DD | J. Gershenson | Initial issue. |

© Aulendur Labs, Inc. 2026. Internal use only unless otherwise classified.