IT Access Revocation Checklist for Hospitality & Tourism
A comprehensive checklist for revoking all IT system access, recovering digital assets, and securing company data when an staff member or contractor departs.
Includes food safety compliance (HACCP), RSA requirements, liquor licensing documentation, and tourism accreditation record keeping.
Complete Checklist
- 1Disable the staff member's primary user account in the directory serviceCritical
- 2Revoke email access and set up an auto-reply or forwarding ruleCritical
- 3Remove access to all business applications and cloud servicesCritical
- 4Disable VPN and remote access credentialsCritical
- 5Remove the staff member from all shared drives and collaboration platforms
- 6Transfer ownership of shared documents and files to the appropriate person
- 7Revoke access to financial systems and banking platforms
- 8Remove the staff member from all email distribution lists and group chats
- 9Change any shared passwords or system credentials the staff member had access toCritical
- 10Recover the company laptop, phone, and any other IT equipment
- 11Wipe company data from any personal devices used under a BYOD policy
- 12Archive the staff member's email mailbox and files for retention purposes
- 13Deactivate the staff member's phone extension and voicemail
- 14Update the IT asset register to reflect returned or reassigned equipment
- 15Confirm all access has been revoked and document the completionCritical
Frequently Asked Questions
What should we do about shared passwords and accounts the staff member knew?
Change all shared passwords and credentials immediately upon departure. This includes social media accounts, shared admin credentials, Wi-Fi passwords, and any system accounts that use shared logins. Implement a password manager and individual account access wherever possible to reduce dependency on shared credentials in the future.
When should IT access be revoked during the offboarding process?
For voluntary resignations, access is typically revoked at the end of the staff member's last working day. For terminations, especially those involving misconduct or sensitive data, access should be revoked simultaneously with or immediately after the termination meeting. Have IT prepared in advance so revocation can happen promptly when triggered.
How long should we retain a departed staff member's email and files?
Best practice is to archive email and files for at least 12 months to handle any follow-up enquiries, legal matters, or business needs. Some industries have longer mandatory retention periods. Set up email forwarding to the departing staff member's replacement during the transition period. Establish a clear data retention policy and follow it consistently.
Need help implementing these checks into your daily operations?
Our team can build custom checklists integrated into your daily operations workflow.