Team Access Security Checklist: 14-Item Guide for Managing Permissions

TL;DR

Apply least privilege access: give people only the permissions they need for their role. Require 2FA for all team members, document who has access to what, and have an immediate offboarding process ready. 4 critical items must be fixed before launch, 6 important items within the first week, and 4 recommended items when you can.

Quick Checklist (5 Critical Items)

Implement least privilege accessGive each person only the permissions needed for their role

Require 2FA for all accountsTwo-factor authentication should be mandatory

Create offboarding access checklistList all systems to revoke access from when someone leaves

Revoke access immediatelyWithin minutes of departure, disable all accounts

Rotate shared secrets after departuresChange any shared credentials departing members knew

Access Control Basics 4

Implement least privilege accessGive each team member only the permissions needed for their role. Developers do not need production admin access. How to implement least privilege

Require 2FA for all accountsTwo-factor authentication should be mandatory for GitHub, cloud providers, and all sensitive systems. How to enforce 2FA

Use SSO where availableSingle sign-on centralizes authentication and makes offboarding easier. One disable button kills all access. How to implement SSO

Document access levels by roleDefine what access each role needs. Engineer, designer, marketing should have different permission sets. How to document access levels

Onboarding Process 4

Create onboarding access checklistStandard list of accounts and access to provision for new team members based on their role. How to create onboarding checklist

Verify 2FA setup before granting accessNew team members must enable 2FA before receiving access to sensitive systems. How to verify 2FA setup

Provide security trainingBrief new team members on security policies, phishing awareness, and how to handle credentials. How to provide security training

Use temporary credentials initiallyRequire password change on first login. Do not send permanent credentials in plain text. How to deliver credentials securely

Offboarding Process 3

Create offboarding access checklistComprehensive list of all systems to revoke access from. Run through it immediately when someone leaves. How to create offboarding process

Revoke access immediatelyWithin minutes of departure, disable all accounts. Do not wait until end of day or next week. How to revoke access quickly

Rotate shared secrets they knewIf they had access to shared credentials or API keys, rotate them. They might have copies. How to rotate shared secrets

Ongoing Maintenance 3

Review access quarterlyCheck who has access to what. Remove access that is no longer needed. People accumulate permissions over time. How to audit team access

Audit admin access monthlyAdmin and owner permissions need more frequent review. Minimize who has elevated access. How to audit admin access

Remove inactive accountsAccounts not used in 90+ days should be investigated. Disable accounts for people who have left. How to manage inactive accounts

People Are the Biggest Risk

Most breaches involve human error or compromised credentials. A strong access control policy limits the blast radius when things go wrong. If one account gets compromised, least privilege limits what an attacker can do.

The offboarding process is especially critical. Former employees with lingering access are a common attack vector. Have the checklist ready and run through it immediately, not next week.

How quickly should I revoke access when someone leaves?

Immediately. Have a documented offboarding process ready to go. Within minutes of someone leaving, their access to all systems should be revoked. Delayed offboarding is a major security risk.

Should contractors have the same access as employees?

Contractors should have access limited to what they need for their specific work. Use time-limited access when possible. Review and revoke contractor access when projects end.

How do I handle shared credentials?

Avoid shared credentials when possible. Use a password manager with team sharing features for necessary shared accounts. When someone leaves, rotate any shared credentials they had access to.

TL;DR

Quick Checklist (5 Critical Items)

Access Control Basics 4

Onboarding Process 4

Offboarding Process 3

Ongoing Maintenance 3

People Are the Biggest Risk

How quickly should I revoke access when someone leaves?

Should contractors have the same access as employees?

How do I handle shared credentials?

Related Articles

GitHub Repo Security

Startup Security Checklist

Implement SSO

Check Your Infrastructure Security

Team Access Security Checklist: 14-Item Guide for Managing Permissions