Forum Discussion
Galesburg_Tech (New Contributor)
10 days ago
Best Practice for Retrieving Account Data after an employee leaves
I am setting up a new company and have been asked how do we protect the company from losing passwords that were saved by an employee who has left the company?
2 Replies
- Tom (Bronze Expert)
Regardless of business (/teams / family) one should consider using shared vaults for passwords that might be useful to more than single employees(/family members). That way when someone decides to leave you aren't affected as it still would be in the shared vault.
Having said that, the obvious 'user had a pin-code for his physical locker' and it would be easier for you to retrieve said code than to check the manual how to reset it, you could 'take over' their account if you have access to the configured e-mail. I.e. as an administrator you would always be able to impersonate said employee for obvious reasons, but with that comes great responsibility (e.g. you wouldn't want to see what else they might have allegedly stored there).
Hence shared vaults would be the best way and just ensure you inform regularly if all passwords are stored there. For more information check https://support.1password.com/offboarding/ and if you are looking for more details Best practice for user terminations? | 1Password Community came up through searching (and delivered an 'ow that was me' moment) :)
For the employee point of view, please also check https://support.1password.com/employee-vault/ and inform employees correctly; we mostly give the advice not to store anything about 'certain fans' in your employee vault.
- AJCxZ0 (Silver Expert)
Galesburg_Tech wrote:
how do we protect the company from losing passwords that were saved by an employee who has left the company?
Since Tom has already fully answered the question, I'll add that this is exactly the kind of thing which belongs in a good policy document which is included at the appropriate stage in the on-boarding process, then reinforced periodically.
Shadow IT is simple compared to shadow SaaS, so it's critical to not give up and try forbidding everything without written approval from the entire management chain, head of IT, and the employee's mother, but ensure that employees understand that every account and credential they create for use in their job should be manageable by the company.
This does not mean that every individual user account must go in a shared account, as that would be inappropriate, but that no individual should have sole access to, or control of, a service used by the company. Two is one, one is none, etc.
Do this right and the employee's Private vault should never contain any data which will ever be needed by the company.
Tom wrote:
don't store anything about 'certain fans' in your employee vault.
Headline: Lasko Cancels Contract with 1Password.