This playbook provides a structured process for managing the Joiners, Movers, and Leavers (JML) lifecycle for employees and third-party contractors, including Bring Your Own Device (BYOD) scenarios. It guides HR, IT, and security teams through onboarding, role transitions, offboarding, contractor management, BYOD compliance, and post-process review. The process ensures secure access provisioning, timely updates, and complete deprovisioning while maintaining compliance and protecting organizational assets.
JML Checklist
The following checklist summarizes key actions for managing joiners, movers, leavers, and contractors.
Onboarding
Verify identity and contract.
Provision accounts and access.
Provide security training.
Role Changes
Review new role requirements.
Update access permissions.
Notify relevant stakeholders.
Offboarding
Revoke all access.
Recover company assets.
Conduct exit interview.
Contractor Management
Verify contractor agreement.
Provision temporary access.
Monitor contractor activity.
BYOD Compliance
Enforce BYOD policy.
Secure BYOD devices.
Remove data on departure.
Post-Process Review
Audit JML process.
Update JML policies.
Document lessons learned.
1. Onboarding
Securely onboard new employees and contractors, ensuring proper access and compliance.
Verify Identity and Contract
Confirm the individual’s identity using official documentation (e.g., ID, work authorization).
For contractors, verify the contract details (e.g., duration, scope of work).
Log verification details in the HR or IAM system.
Provision Accounts and Access
Create accounts in the IAM system based on role requirements (e.g., email, application access).
For contractors, assign temporary, least-privilege access aligned with contract terms.
Ensure BYOD users sign agreements and register devices before granting access.
Provide Security Training
Conduct training on security policies, including BYOD rules (e.g., MDM enrollment, data handling).
Issue credentials and security guidelines (e.g., password policies, acceptable use).
Document training completion for audit purposes.
2. Role Changes
Manage transitions for employees and contractors moving to new roles or projects.
Review New Role Requirements
Obtain details of the new role or project from HR or the project manager.
For contractors, confirm if the role change extends or modifies the contract.
Identify required access (e.g., new systems, elevated permissions).
Update Access Permissions
Modify IAM settings to grant new access and revoke unneeded permissions.
Ensure BYOD devices comply with updated role requirements (e.g., additional apps).
Verify changes align with least-privilege principles.
Notify Relevant Stakeholders
Inform managers, IT, and security teams of the role change.
For contractors, send a confirmation email to the client or third-party contact. Example:
Subject: Confirmation of Access Update for [Contractor Name]
Dear [Client Contact],
We have updated access permissions for [Contractor Name] effective [date], reflecting their new role/project ([role/project name]). The updates include:
- New Access: [e.g., access to system X, project Y]
- Revoked Access: [e.g., previous system Z]
- BYOD Status: [e.g., device compliance verified]
Please confirm these changes meet your expectations or provide feedback by [response deadline]. Contact us for any further details.
Best regards,
[Your Name]
[Your Organization]
[Contact Information]
Log the notification and retain a copy for records.
3. Offboarding
Securely offboard employees and contractors to prevent unauthorized access.
Revoke All Access
Disable accounts in the IAM system for employees and contractors.
Remove access to systems, applications, and physical resources.
Confirm revocation within 24 hours of departure.
Recover Company Assets
Collect company-issued devices, badges, or keys.
For BYOD users, ensure company data is wiped from personal devices (e.g., via MDM).
Document asset recovery in the asset management system.
Conduct Exit Interview
Review confidentiality obligations with the departing individual.
For contractors, confirm contract closure and data handling responsibilities.
Log the interview completion and any issues raised.
4. Contractor Management
Manage third-party contractors to ensure secure and temporary access.
Verify Contractor Agreement
Review the contractor’s agreement for duration, scope, and access needs.
Confirm the agreement aligns with organizational policies (e.g., NDA, security clauses).
Provision Temporary Access
Create time-bound accounts with least-privilege access in the IAM system.
Assign access based on project needs (e.g., specific systems, data).
Log access details and expiration dates.
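Added example (not part of the original playbook): a reconciliation check that compares an HR export with an IAM export to flag accounts that break the 24-hour revocation rule from the Offboarding section or the time-bound access rule for contractors above. The record fields, finding names, and sample data are assumptions constructed for illustration, not a real HR or IAM schema.

```python
from datetime import datetime, timedelta

SLA = timedelta(hours=24)  # playbook: confirm revocation within 24 hours

def ts(s):
    return datetime.fromisoformat(s) if s else None

# Constructed sample exports; field names are assumptions, not a real schema.
HR = {  # HR system: engagement type and departure / contract end date
    "alice": {"type": "employee", "end": None},
    "bob": {"type": "employee", "end": "2024-05-01T17:00"},
    "carol": {"type": "employee", "end": "2024-05-02T17:00"},
    "dave": {"type": "contractor", "end": "2024-06-30T00:00"},
    "erin": {"type": "contractor", "end": "2024-04-30T00:00"},
}
IAM = {  # IAM system: account state, disable time, account expiry
    "alice": {"enabled": True, "disabled_at": None, "expires": None},
    "bob": {"enabled": False, "disabled_at": "2024-05-03T09:00", "expires": None},
    "carol": {"enabled": True, "disabled_at": None, "expires": None},
    "dave": {"enabled": True, "disabled_at": None, "expires": "2024-12-31T00:00"},
    "erin": {"enabled": True, "disabled_at": None, "expires": None},
    "tmp-vendor": {"enabled": True, "disabled_at": None, "expires": None},
}

def audit(hr, iam, now):
    """Return (account, finding) pairs where IAM state violates the playbook."""
    findings = []
    for user, acct in sorted(iam.items()):
        person = hr.get(user)
        if person is None:  # no HR owner, so no leaver event will ever disable it
            findings.append((user, "NO_HR_RECORD"))
            continue
        end, off, exp = ts(person["end"]), ts(acct["disabled_at"]), ts(acct["expires"])
        if person["type"] == "contractor":
            if exp is None:  # contractor account is not time-bound
                findings.append((user, "NO_EXPIRY"))
            elif end and exp > end:  # account outlives the contract
                findings.append((user, "EXPIRY_AFTER_CONTRACT"))
        if end and end <= now:  # the person has already left
            if acct["enabled"] and now - end > SLA:
                findings.append((user, "NOT_REVOKED_IN_24H"))
            elif not acct["enabled"] and off and off - end > SLA:
                findings.append((user, "LATE_REVOCATION"))
    return findings

if __name__ == "__main__":
    for user, finding in audit(HR, IAM, datetime(2024, 5, 4, 12, 0)):
        print(f"{user:12} {finding}")
```

An account still enabled inside the 24-hour window is not reported; it becomes a finding once the window has passed.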
Monitor Contractor Activity
Use security monitoring tools to track contractor access and usage.
Review logs for anomalies (e.g., unauthorized access attempts).
Escalate any issues to the contractor’s point of contact promptly.
5. BYOD Compliance
Ensure personal devices used by employees and contractors meet security standards.
Enforce BYOD Policy
Require all BYOD users to sign the BYOD policy agreement.