4 Onboarding and Offboarding Users
Basics
Knowing who has access to your systems is a Critical Security Control. CIS Control 05, Account Management, suggests organizations have processes and tools in place to assign and manage the credentials of your authorized users. Account management includes administrator accounts and accounts vendors may use to access aspects of your infrastructure.
Terms to Know
You should know the following terms:
- Access Control Management
- Administrative account
- Directory Services
- Elevation prompt
- Identity Management Solution
- Onboarding and Offboarding users
- Super-user privileges
Information
Procedures for Onboarding and Offboarding Users
Your district should have a comprehensive yet manageable system to inventory and track all credentials (aka user accounts). Best practice dictates that all active accounts should be tracked and password policies should prevent users from reusing passwords as a component of their credentials. This is especially critical for administrative accounts and those associated with vendors who have the privilege to access resources on your network. Your district may use an Identity Management Solution to facilitate this process.
You may need to coordinate onboarding of users and account creation with Human Resources, payroll, or other departments that oversee the hiring of employees. Procedures these departments may take to verify the identity of new hires include credit, criminal, and other background checks. Some may require biometric records, such as fingerprints. Support staff, paraprofessionals, and substitute teachers may undergo similar checks to confirm their identities. Before assigning an account to new users, the IT Department should have confirmation from the district that the new employees truly are who they say they are and are allowed to have access to your infrastructure. This may be requested and tracked through a ticket system which serves as a handy record of who has completed required steps in the onboarding process.
You should also ensure that user accounts only have access to the information and resources that are appropriate for their role, something achieved through establishing User Access Controls. This is Critical Security Control 06, Access Control Management. Your district should develop consistent access rights for each role and assign users to their appropriate roles. Role-based access is based on the users' need to know, least privilege, privacy requirements, and/or separation of duties. The principle of least privilege limits users, systems, and processes on your network to only those resources they need, resources such as files, systems, and other networks or subnets. Assigning roles and users can be an automated process.
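The role-based model described above (deny by default, least privilege, separation of duties) can be expressed in a few lines of code. The following is an added illustration, not code from the chapter or from any district system; the roles, resources, and user names are constructed for the example.

```python
"""Role-based access control with deny-by-default authorization,
least privilege, and separation-of-duties checks.
Added example; roles, resources and users below are constructed."""
from dataclasses import dataclass, field

# Each role lists only the (resource, action) pairs that role needs (least privilege).
ROLE_PERMISSIONS = {
    "teacher":          {("gradebook", "read"), ("gradebook", "write"), ("lms", "read")},
    "student":          {("lms", "read")},
    "hr_staff":         {("personnel_file", "read"), ("personnel_file", "write")},
    "payroll_entry":    {("payroll", "write")},
    "payroll_approver": {("payroll", "approve")},
    "it_admin":         {("directory", "read"), ("directory", "write")},
}

# Role pairs one person must never hold at the same time (separation of duties).
CONFLICTING_ROLES = {frozenset({"payroll_entry", "payroll_approver"})}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def assign_role(user, role):
    """Add a role to a user, refusing unknown roles and conflicting combinations."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role}")
    for existing in user.roles:
        if frozenset({existing, role}) in CONFLICTING_ROLES:
            raise ValueError(f"{role} conflicts with {existing} for {user.name}")
    user.roles.add(role)


def is_authorized(user, resource, action):
    """Deny by default: allowed only if at least one of the user's roles grants it."""
    return any((resource, action) in ROLE_PERMISSIONS[r] for r in user.roles)


def effective_permissions(user):
    """The union of everything the user's roles grant; useful when auditing a role."""
    perms = set()
    for r in user.roles:
        perms |= ROLE_PERMISSIONS[r]
    return perms


if __name__ == "__main__":
    t = User("constructed-teacher")
    assign_role(t, "teacher")
    print("teacher writes gradebook:", is_authorized(t, "gradebook", "write"))
    print("teacher reads personnel file:", is_authorized(t, "personnel_file", "read"))
    clerk = User("constructed-clerk")
    assign_role(clerk, "payroll_entry")
    try:
        assign_role(clerk, "payroll_approver")
    except ValueError as e:
        print("refused:", e)
```

Because authorization is a lookup against the role table rather than a per-user list, reviewing what a role can do (for the audits discussed later in this chapter) means reviewing one table entry instead of every account.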
Zero Trust is an evolving set of principles that have come about due to the increase in the number of remote users and those using their own devices to access networks, whether for work, school, or other reasons. Zero Trust flips the traditional authentication process, which grants access to resources based on a user’s physical or network location and then assumes the user can be trusted from that point on. That traditional approach is sometimes referred to as “allow and ignore,” since once the user has been verified to access a resource, they can continue to access that resource while they are using the network. Zero Trust, by contrast, assumes that no user nor resource can be trusted implicitly. It works from the premise that each user or resource is a potential threat and the network has been or is going to be compromised, so every user, device, application, and transaction must be continually verified. For more information about these evolving principles, including information on Zero Trust 2.0, review the resources from NIST and CIS in the Additional Resources section.
You should understand how the levels of access are determined in your district and how they are assigned to user accounts. All key systems in your district should be identified as to the level of access required, with those that contain sensitive information needing more restricted access.
You should know the standard operating procedures (SOP) your district uses for onboarding new users and assigning them appropriate levels of access. Depending on the size of your district, not all IT technicians may have access to Directory Services, such as Microsoft Active Directory or those used for cloud services. If you are tasked with creating new accounts for users, it is more secure to provide those credentials in person, when possible. If credentials have to be shared remotely, such as for remote workers or onboarding multiple users across several campuses in a limited time, suitable security precautions such as encryption should be taken to protect credential information while it is shared. If this is your role, determine how your district provides secure access to credentials for new users.
When students or staff--including temporary staff such as substitute teachers--exit your district, you should have a standard offboarding process that includes disabling or removing their credentials. Your district may disable general user accounts instead of removing them in case they may need to be reviewed in the future. Your district should have a clear written procedure for offboarding accounts, which may occur prior to or immediately following termination of the relationship between an individual and the district. Disabling accounts prior to the actual termination may be necessary to prevent malicious attacks in some cases.
Offboarding users is another step that can take coordination between your Human Resources department and departments in charge of student enrollment. Care should also be taken to include removing access to vendors or contractors when no longer necessary. Even with systems and automated processes set up, your department will likely conduct periodic audits of user credentials to ensure they are accurate and up-to-date. This task may require an increased level of access as user credentials can be considered confidential.
Administrative accounts are especially important to disable once an administrator has left the district: when an administrator leaves, these accounts should be quickly deactivated and removed. It’s also important to make sure that when your district onboards an administrator, the administrative accounts that have increased access, sometimes called super-user privileges, are not configured the same as the general accounts in which they perform routine actions like checking email or searching the Internet. Malware is commonly introduced during these routine activities, and if they occurred with a super-user account, the security breach could be amplified. Some User Account Control systems can generate different tokens that identify one account as acting with either general-user or administrative-user functions, switching between them through what may be referred to as an elevation prompt.
Conducting Regular Audits
Every IT Department should conduct regular audits of user credentials and devices, at least annually. This is a process most entry-level IT technicians will be involved in. You may be involved in collecting or otherwise checking inventory of all devices and should be familiar with your district’s SOP for doing so. A physical accounting and audit of devices may occur at the end of each semester but more likely at the end of the academic year, especially if your district provides devices to students.
You may be required to look for devices at other times if they are reported or thought to be missing. Students may pick up the wrong laptop or staff may inadvertently move devices from one room to another without notifying the IT Department. In this case, you or someone in charge of your network can search for a device if it is connected to the network by looking for its IP address or its unique MAC address.
In addition to physical devices, you may be involved in conducting audits of active and inactive credentials. As noted above, your Human Resources and Admissions departments may be involved or should at least follow standard operating procedures for onboarding and offboarding staff and students. It’s good practice to review accounts, however, in case an inactive account was missed. Those inactive accounts are a target for cybercriminals. Know the procedures you must follow after identifying inactive or unused accounts. They may involve checking with HR or other departments to confirm they are truly no longer needed.
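The credential audit described here, together with the offboarding steps above (disabling accounts of departed staff and substitutes, removing vendor access when no longer needed, and deactivating administrative accounts promptly), is essentially a reconciliation of the directory against the HR roster and vendor contracts. The following is an added example, not code from the chapter or from any district; the account export, HR roster, contract dates, and audit date are all constructed, and the 90-day inactivity threshold is an assumption.

```python
"""Credential audit: reconcile enabled directory accounts against the HR roster
and vendor contracts, and flag inactive accounts for follow-up.
Added example; every record below is constructed."""
from datetime import date

AUDIT_DATE = date(2024, 6, 30)   # constructed audit date
INACTIVE_DAYS = 90               # assumed inactivity threshold

# Constructed snapshot of what an export from Directory Services might contain.
ACCOUNTS = [
    {"account": "jsmith",      "owner": "E1001", "type": "user",   "enabled": True,  "last_logon": date(2024, 6, 28)},
    {"account": "jsmith-adm",  "owner": "E1001", "type": "admin",  "enabled": True,  "last_logon": date(2024, 6, 27)},
    {"account": "mlee",        "owner": "E1002", "type": "user",   "enabled": True,  "last_logon": date(2024, 6, 1)},
    {"account": "mlee-adm",    "owner": "E1002", "type": "admin",  "enabled": True,  "last_logon": date(2024, 5, 30)},
    {"account": "sub-rgarcia", "owner": "E2001", "type": "user",   "enabled": True,  "last_logon": date(2024, 2, 10)},
    {"account": "hvac-vendor", "owner": "V3001", "type": "vendor", "enabled": True,  "last_logon": date(2024, 6, 20)},
    {"account": "old-intern",  "owner": "E1999", "type": "user",   "enabled": False, "last_logon": date(2023, 8, 1)},
]

# Constructed HR roster: employee id -> (name, separation date or None if still employed).
HR_ROSTER = {
    "E1001": ("J. Smith", None),
    "E1002": ("M. Lee", date(2024, 6, 15)),    # left the district two weeks before the audit
    "E2001": ("R. Garcia", None),              # substitute teacher still on the roster
    "E1999": ("Former Intern", date(2023, 8, 5)),
}

# Constructed vendor contracts: vendor id -> contract end date.
VENDOR_CONTRACTS = {"V3001": date(2024, 5, 31)}


def audit_accounts(accounts, roster, contracts, today=AUDIT_DATE, inactive_days=INACTIVE_DAYS):
    """Return (account, finding) pairs for every enabled account that needs action."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; retained for review, nothing to flag
        name, owner = acct["account"], acct["owner"]

        if acct["type"] == "vendor":
            end = contracts.get(owner)
            if end is None or end < today:
                findings.append((name, "vendor contract ended or unknown; disable access"))
            continue

        if owner not in roster:
            findings.append((name, "owner not on HR roster; confirm with HR before disabling"))
            continue

        _, separated = roster[owner]
        if separated is not None and separated <= today:
            if acct["type"] == "admin":
                findings.append((name, "administrative account of departed user; disable immediately"))
            else:
                findings.append((name, "owner has left the district; disable"))
            continue

        if (today - acct["last_logon"]).days > inactive_days:
            findings.append((name, f"no logon in over {inactive_days} days; confirm with HR whether still needed"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_accounts(ACCOUNTS, HR_ROSTER, VENDOR_CONTRACTS):
        print(f"{account:12} {finding}")
```

The findings deliberately distinguish "disable" from "confirm with HR": an account whose owner has a separation date on the roster can be disabled under the offboarding SOP, while an account that is merely inactive (the substitute teacher above) still requires the check with HR that the chapter describes before anything is removed.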
A finding in a report on best practices from CoSN’s Peer Review program is that some school districts may also participate in annual external audits of their cybersecurity practices to identify any weaknesses (Crean, n.d.). Changing vendors from year to year can provide different types of information and recommendations.
Remote Network Access
Being able to access resources on your district or school network has become a standard feature and even an expectation for many staff, students and their parents. Staff and students may need to access assignments, applications, and documents from home or elsewhere, but they should do so following appropriate procedures and security guidelines. You should understand how staff and students can access network resources remotely, if they can, and the appropriate security guidelines they should follow.
Cybersecurity Training
Every district should have cybersecurity training opportunities in place for all staff and should consider versions for students, parents, volunteers, and others who interact with the district’s IT infrastructure. You may or may not be directly involved with delivering the training, but you should be aware of what is presented in the training opportunities and the impact it may have on your support duties. Most districts require staff, students, and parents to sign an Acceptable Use Policy or Responsible Use Policy or Staff or Student Handbooks. Check to ensure cybersecurity awareness is included in these documents. Cybersecurity training might be included as a condition for signing of these documents or approval before staff or students access district technology resources.
Different departments may receive different types of training differentiated by the type of data/information they interact with and any security requirements they must follow for keeping it safe. Human Resource, Finance, and others may have access to data separate from classroom teachers, but anyone who has access to student information has to follow policies and legal guidelines for keeping it safe.
Students should also be engaged in ongoing opportunities to learn about cybersecurity threats and to develop stronger digital citizenship skills that allow them to become informed, safe users of the digital resources that will pervade the rest of their lives. The Readiness and Emergency Management for Schools (REMS) Technical Assistance Center provides an overview of Cyber Safety Considerations for K-12 Schools and School Districts that aligns with cybersecurity awareness and training as well as strategies to prepare for online threats to students and the actions students can take during and following an incident.
Additional Resources
Here are additional resources you may find useful:
- Account and Credential Management Policy Template for CIS Controls 5 and 6 from the Center for Internet Security®
- How User Account Control works from Microsoft Learn
- Best Practices: User Access Controls from assurancelab
- Crean, M. (n.d.) Best Practices from CoSN’s Peer Review Program. CoSN.
- Cyber Safety Considerations for K-12 Schools and School Districts from the Readiness and Emergency Management for Schools (REMS) Technical Assistance Center
- Zero Trust Maturity Model, Version 2.0 from the Cybersecurity and Infrastructure Security Agency (CISA). Published in 2023.
- Zero Trust Architecture from the National Institute of Standards and Technology (NIST). Has foundational information about Zero Trust but was published in 2020, so may be superseded by the 2023 publication from CISA.
Task/Self-Assessment
Complete the following task or self-assessment:
Identify how your district manages and tracks user credentials, such as an Identity Management System. (You may not have an access level that provides you full access to the inventory, but you may be involved in part of the process of onboarding and offboarding users and conducting periodic audits of those credentials to confirm inactive accounts have been accurately disabled or removed, depending on your department’s SOP.)
Find out the cybersecurity training opportunities offered by your district. You may not be called to deliver them, but you should know what staff, students, and their parents are being told about cybersecurity in the district and the practices they are expected to follow. This will be especially important if you receive a call, email, or other request by someone in the district that may not adhere to district policy. If you have not been able to participate in your district’s cybersecurity training opportunities, determine whether you can attend them to become better informed.