RCIT-19 Reeves County Offboard Policy

Purpose:

RCIT Employee Offboarding and Access Termination Policy

Regulation Reference

• NIST SP 800-53 Rev. 5 – PS-4 Personnel Termination
• NIST SP 800-53 Rev. 5 – AC-2 Account Management
• NIST SP 800-63 Digital Identity Guidelines
• Texas State Records Retention Schedule
• Reeves County Information Security Policies

IT Reeves County Offboard Policy

Policy Statement:

To protect Reeves County information assets, maintain business continuity, preserve organizational records, and comply with applicable laws, regulations, and security standards, this Offboard Policy establishes requirements and procedures for the timely removal of access, recovery of County property, preservation of County data, and management of electronic records when an employee, contractor, volunteer, elected official, or third-party service provider separates from Reeves County employment or engagement.

This policy applies to all Reeves County departments, employees, contractors, temporary workers, consultants, and any individual granted access to Reeves County information systems, facilities, or data.

Guidelines:

1. Notification Requirements:

• Human Resources and Department Management shall notify the Reeves County Information Technology Department as soon as notice of separation is received.
• Notification shall include the employee's name, department, last day of employment, supervisor, and any special circumstances requiring immediate access termination.
• For involuntary terminations, access removal shall be coordinated to occur at the time the employee is notified of separation.
• Department Directors shall identify any County-owned information, projects, or records requiring transfer to another employee.

2. Account Disablement and Access Removal:

• User access to County information systems shall be disabled immediately upon termination or at the employee's designated separation time.
• Access shall be removed from, including but not limited to:
  • Active Directory accounts
  • Microsoft 365 accounts
  • Email systems
  • VPN services
  • Remote access systems
  • Line-of-business applications
  • Financial systems
  • Public safety systems
  • Cloud services
  • Shared folders and file repositories
  • Physical access control systems
  • Multi-factor authentication services
• Privileged, administrative, or elevated accounts shall be disabled immediately upon termination notification.
• All active sessions, authentication tokens, certificates, and remote connections shall be revoked.

3. Account Retention and Deletion:

• User accounts shall be disabled rather than immediately deleted.
• Disabled accounts shall be retained for a minimum of ninety (90) days unless otherwise required by legal, regulatory, investigative, or operational requirements.
• Account deletion shall not occur until:
  • Required data has been preserved or transferred.
  • Legal holds have been reviewed.
  • Records retention requirements have been satisfied.
  • Department management approves account removal.
• The IT Department shall maintain documentation of account disablement and deletion activities.

4. Email Management:

• User mailbox access shall be disabled immediately upon separation.
• The mailbox shall remain under County control and may be delegated to the employee's supervisor or designee when necessary for County business.
• Automatic email responses may be configured directing correspondents to an alternate County contact.
• Email forwarding to personal email accounts is prohibited unless specifically authorized by County Administration and Legal Counsel.
• Mailboxes shall be retained according to County records retention schedules and legal requirements.

5. Data Preservation and Transfer:

• All County-owned information created, stored, or maintained by the departing employee remains the property of Reeves County.
• The employee's local workstation files, network folders, cloud storage locations, email records, and application data shall be reviewed for business-critical information.
• Department management shall identify information requiring retention or transfer.
• County business records shall be transferred to designated personnel prior to account deletion.
• Data shall not be deleted unless approved by the appropriate records custodian and in accordance with applicable retention schedules.

6. County Property Recovery:

• Prior to separation, the following County-owned property shall be returned when applicable:
  • Desktop computers
  • Laptops
  • Mobile phones
  • Tablets
  • Security badges
  • Access cards
  • Physical keys
  • Authentication tokens
  • Smart cards
  • External storage devices
  • County-issued equipment and accessories
• Departments shall document all recovered property and report missing items to the Information Technology Department and Human Resources.

7. Security and Monitoring:

• The IT Department may preserve logs, emails, files, and system activity records related to the departing employee.
• Security monitoring may continue for investigative, audit, legal, or compliance purposes.
• Any suspicious activity identified during the offboarding process shall be reported immediately to County Administration and appropriate authorities.

8. Contractors and Temporary Personnel:

• Contractor and temporary worker accounts shall be disabled immediately upon contract expiration, project completion, or termination of services.
• Departments sponsoring contractor access shall ensure timely notification to the IT Department.
• Access permissions shall be reviewed regularly to verify continued business need.

9. Documentation Requirements:

• The IT Department shall maintain records of:
  • Account disablement dates and times
  • Access removals
  • Property recovery
  • Data transfers
  • Mailbox actions
  • Account deletion approvals
• Documentation shall be retained in accordance with County record retention requirements.

10. Policy Administration and Enforcement:

• This policy shall be administered by the Reeves County Information Technology Department in coordination with Human Resources and Department Management.
• Failure to comply with this policy may result in disciplinary action, loss of system privileges, termination of employment, contract termination, and potential civil or criminal penalties.
• Employment terms remain subject to applicable laws, County policies, and any collective bargaining agreements or employment contracts.

Offboarding Timeline Summary:

Immediate (At Separation)

• Disable all user accounts.
• Revoke MFA, VPN, and remote access.
• Terminate active sessions.
• Recover County equipment and credentials.

Within 1-5 Business Days

• Review and transfer business data.
• Configure mailbox delegation or auto-response if required.
• Document completed offboarding actions.

Within 90 Days

• Retain disabled accounts.
• Complete records review and legal hold verification.
• Determine final account disposition.

After Retention Requirements Are Met

• Permanently delete accounts and associated access permissions.
• Archive or dispose of data according to County records retention schedules.