Lesson 23 of 33
In Progress

Resource Off-boarding Process

1                  Introduction

1.1              Purpose

This document describes the steps that need to be taken when GSOC analysts and other members of staff are leaving, whether this be a worked notice period in consultation with GSOC Management or as a result of a termination.

1.2              Scope

The GSOC Resource Offboarding Process applies to the GSOC only. The frequency of which the supporting processes are performed is documented in Upstream (Dependent) Processes and Downstream (affected) Processes.

This document lays out the actions to be followed upon a GSOC member of staff departing the company. Covered are the three main scenarios, where a member of staff is leaving KPMG on good terms, is staying within KPMG but departing the GSOC and those leaving as a result of a disciplinary issue. Standard KPMG leaver’s procedures are to be followed and are as such no in scope for this document.

This document does not go into elaborate detail, provide low-level technical procedures, or address all potential outcomes.

1.3              Ownership

This document is owned by the GSOC Director. The responsibility of ongoing management of this document, including the processes contained therein, rests with the GSOC Director.

1.4              Audience

All members of the KPMG GSOC.

1.5              Exceptions

Exceptions to this process can be temporarily authorized by the GSOC Director or GSOC Operations Manager. Documentation of any process exceptions must be provided to GSOC management for process modifications.

1.6              Reporting Violations

Failure to adhere to this process must be reported directly to the GSOC Director or the GSOC Operations Manager.

1.7              Responsibilities

The following roles have overall responsibility for elements of this process. Please note that these are not comprehensive listing of responsibilities of each of the following roles, but represent these roles specific responsibilities to support the process

1.7.1          GSOC Director

  • Oversight and exception approvals

1.7.2          GSOC Operations Manager

  • Overall management of GSOC Resource Offboarding Process
  • Identify trends for reasons staff are departing
  • Reporting Violations

1.7.3          Tooling Engineer Analyst

  • Management of all GSOC user accounts, system access and processes.
  • Monitoring access to Security Platforms

1.7.4          External to GSOC

All external departments which are engaged within this process will follow their own processes and procedures. They are included here for clarity only. Various roles are conducted by external teams including:

  • Human Resources:       Disciplinary actions, Payroll & P45
  • IT:     KPMG IT asset and account management
  • Facilities:        Security Pass & PIN
  • Finance:          Company Credit Card (if issued)

1.8              Upstream (Dependent) Processes

  • KPMG UK HR Policy
  • KPMG Local HR Policies
  • KPMG Information Technology Management Policy
  • GSOC Change Management Process

1.9              Downstream (Affected) Processes

  • Shift Management Process

2                  GSOC Resource Offboarding Process

Resource Offboarding is defined within the GSOC as “GSOC employees who are leaving the GSOC, either moving internally, leaving the company voluntarily or are having their employment terminated”.

Members of staff wishing to resign from KPMG are to speak with the GSOC Operations Manager in the first instance. If upon completion of this discussion the staff member still wishes resign access to the resignation form can be found on the PeopleCentre homepage.

2.1              Workflow

The following workflow lays out the standard process to be followed when an employee departs the GSOC:

2.2              Resignations

2.2.1          Transition Plan

L1 and L2 Analysts are to hand over all ongoing investigations during their last week in the GSOC as part of their Shift Handover with their shift supervisor.


The GSOC Operations Manager is to work with the departing employee to develop a transition plan. This will highlight what tasks the employee is still working on and establish which need transferring to other employees. The GSOC Operations Manager is to identify all of the weekly duties, projects and incidents the employee is working on. In addition a list off all Member Firms he/she is in direct contact with should be maintained.

GSOC Director and GSOC Operations Manager

In the case of the GSOC Director or the GSOC Operations Manager a succession plan is recommended. All tasks and information held is to be passed onto the other party; L3 analysts are to be involved in this process to assist as required. However in the case of a replacement member of staff filling one of these two roles the Handover/Takeover is to be conducted with this individual.

A plan detailing the final to-do list for all GSOC members is to be drawn up with the departing employee.

2.2.2          Knowledge Transfer

During the employee’s transition period the leaver is to conduct knowledge sharing sessions with other appropriate members of the GSOC (with special emphasis on any encrypted files or work in progress in electronic form which other individuals may not know about) as directed by the GSOC Operations Manager. This is to ensure that all appropriate knowledge is transferred to other members of the team and to ensure that critical information is retained upon the leaver departing.

Table 1 Leavers RACI Matrix

Current Role Tasking’sLeaverGSOC Operations Manager
Training Courses Planned (Internal)RA
Training Courses Planned (External)RA
Change RequestsRA
Outstanding ActionsRA
Ongoing IncidentsRA
Password ManagementRA
Access to external community websites (FS-ISAC, FIRST, CiSP)RA
Impact to rest of team from Leaver departing R

2.2.3          Access Control

Upon notification that an employee intends to depart KPMG the leavers access permissions are to be reviewed with elevated permissions being removed unless specifically required to conduct their job function in their final weeks. However, all elevated permissions should be audited.

Last Day at KPMG GSOC

The following actions are to be conducted on the employees last day. These actions should be recorded and retained for any future investigations (for those individuals who are moving internally within KPMG only their access to GSOC systems, accounts is to be revoked):

  • Disable Network Access (AD) (Check if account is used for any scripts or scheduled tasks)
  • Disable VPN access (if enabled), collect any remote access security devices previously issued
  • Disable access to all GSOC platforms
  • Stop Email access (including OWA access if enabled). All employee emails should be redirected to “UK-FM GSOC
  • Prepare Out of Office response (Review of employees out of office statement to be conducted by the GSOC Operations Manager)
  • Revoking any external accounts (domaintools.com, virustotal.com etc.)
  • Removing access to any telephony or voicemail services

2.2.4          Equipment and Documents

Equipment is defined as all IT devices including mobile phones assigned to GSOC employees. On the leavers last day all GSOC and KPMG equipment is to be returned in compliance with the standard KPMG HR Leavers Policy.

2.2.5          Immediate Removal from GSOC

In the case of Grades A and B the GSOC Director will make an assessment as to whether there is a risk to the GSOC from the employee remaining within the GSOC operations environment. If this is the case GSOC Director will consult with HR with a view to the employee spending their notice period out-with the GSOC.

2.3              Disciplinary Leaver

2.3.1          Immediate Actions

All disciplinary cases are to be conducted in consultation with HR following the appropriate KPMG guidance.

2.4              After Employee Has Left

A review of all systems should be conducted to ensure that there is no further access available to the former employee. The following lays out the actions required when the employee has left the GSOC:

  • Remove email address from any automated reports
  • Establish if any shared accounts need passwords changing as a result
  • Establish which password protected files or other secret information need changing as a result of the user-leaving

2.5              Completed Leavers Checklist

A checklist of actions completed is to be logged detailing all actions completed as part of the employees leaving. In the case of a termination this report should include details investigative findings on the actions taken by the leaver in the time leading up to their termination of employment. This checklist is to be retained for audit purposes and for any subsequent investigations.

2.6              Identify Trends

As part of the Offboarding process the GSOC Operations Manager and L3 Analyst are to maintain a database of the reason staff are leaving the GSOC. This is to identify trends and to enable Management to make internal changes as required to retain staff. The GSOC Operations Manager is to brief the GSOC Director on trends on a monthly basis.