Employee Onboarding Security Checklist: A Complete Guide for IT Teams
A comprehensive security checklist for onboarding new employees. Covers account provisioning, password policies, 2FA setup, security training, and access control.

Every new hire requires dozens of accounts, access permissions, and credentials. Rush through this process, and you create security gaps that persist for months -- or until a breach exposes them. Sending temporary passwords through Slack DMs, using the same default password for every new hire, or postponing 2FA setup are all common mistakes with serious consequences.
This guide provides a practical, step-by-step security checklist for onboarding new employees.
Pre-Arrival Preparation (D-3 to D-1)
Account Provisioning
Prepare all required accounts before the employee's first day.
| Item | Details | Priority |
|---|---|---|
| Email account | Create company domain email | Essential |
| Slack/Teams | Create workspace account | Essential |
| Cloud storage | Google Drive/OneDrive folder access | Essential |
| Project management | Jira/Notion/Asana account | High |
| VPN access | Remote access VPN credentials | If applicable |
| Source code repo | GitHub/GitLab invitation | Engineering |
Device Preparation
- Apply company security policy to laptop/desktop
- Enable full disk encryption (BitLocker/FileVault)
- Install endpoint protection software
- Configure automatic screen lock (1 minute)
- Set up remote wipe capability (MDM)
- Pre-install required applications
Day One (D-Day)
Step 1: Password Policy Briefing
Cover password requirements on the first day without exception.
Minimum Requirements:
- Length: 12 characters or more
- Composition: uppercase, lowercase, numbers, special characters
- Prohibited: names, birthdays, sequential numbers, dictionary words
- No reuse: cannot reuse previous passwords
- Rotation: change every 90 days
Password Manager Deployment:
- Deploy an enterprise password manager (1Password Business, Bitwarden)
- Store all work account credentials in the manager
- Only the master password needs to be memorized
- Enable emergency access for IT administrators
Step 2: Two-Factor Authentication (2FA) Setup
Set up 2FA on all critical accounts on day one.
| Account | 2FA Method | Priority |
|---|---|---|
| Email | Authenticator app (Google Authenticator, Authy) | Essential |
| Slack/Teams | Authenticator app | Essential |
| Cloud storage | Authenticator app | Essential |
| VPN | Hardware key (YubiKey) or authenticator app | Essential |
| GitHub/GitLab | Authenticator app or hardware key | Engineering |
| Admin panels | Hardware key recommended | Admin roles |
Important: Avoid SMS-based 2FA where possible -- it is vulnerable to SIM-swapping attacks. Authenticator apps or hardware keys are significantly more secure.
Step 3: Secure Initial Credential Delivery
Delivering temporary credentials safely is critical.
What NOT to do:
- Send passwords through Messenger or Slack DM
- List all account passwords in a single email
- Write passwords on sticky notes
- Use a shared default password for all new hires
What TO do:
- Share initial passwords via LOCK.PUB password-protected memos (24-hour expiry)
- Force password change on first login
- Use different temporary passwords for each service
- Deliver the memo link via email, share the access password in person or via phone
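The issuing side of this step can be scripted. The following is an added example, not code from LOCK.PUB or from this guide's author: it generates a distinct temporary password per service that satisfies the length and composition rules from Step 1, with a 24-hour expiry and a forced-change flag. The record layout, the special-character set and the function names are assumptions, and the prohibited-word rules from Step 1 are not checked here.

```python
import secrets
import string
from datetime import datetime, timedelta, timezone

# Character classes required by the Step 1 policy (special set is assumed).
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, "!@#$%^&*()-_=+")
ALPHABET = "".join(CLASSES)
MIN_LENGTH = 12
MEMO_TTL = timedelta(hours=24)  # memo expiry recommended in Step 3


def meets_policy(password: str) -> bool:
    """Length >= 12 and at least one character from every class."""
    return len(password) >= MIN_LENGTH and all(
        any(ch in cls for ch in password) for cls in CLASSES)


def temp_password(length: int = 16) -> str:
    """Draw from the OS CSPRNG until the result satisfies the policy."""
    if length < MIN_LENGTH:
        raise ValueError("temporary password shorter than policy minimum")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def issue_credentials(services, now=None):
    """One distinct temporary password per service, each expiring after
    24 hours and flagged for a forced change at first login."""
    now = now or datetime.now(timezone.utc)
    issued, seen = {}, set()
    for service in services:
        pw = temp_password()
        while pw in seen:  # never hand out the same value twice
            pw = temp_password()
        seen.add(pw)
        issued[service] = {"password": pw,
                           "expires_at": now + MEMO_TTL,
                           "must_change": True}
    return issued


def is_expired(record, at) -> bool:
    """True once the 24-hour delivery window has passed."""
    return at >= record["expires_at"]
```

Each record's password goes into its own memo; the `must_change` and `expires_at` values still have to be enforced in the target service or identity provider.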
First Week (D+1 to D+7)
Security Awareness Training
Conduct basic security training within the first week.
Required Topics:
- Phishing recognition: How to identify suspicious emails, links, and attachments
- Password management: How to use the company password manager
- Device security: Screen lock, disk encryption, lost device procedures
- Data classification: Confidential, internal, and public data handling
- Incident reporting: How and when to report security concerns
Access Control Configuration
Apply the principle of least privilege when granting access.
| Role | Access Scope | Permission Level |
|---|---|---|
| Individual contributor | Team resources only | Read/Write |
| Team lead | Team + cross-team resources | Read/Write/Manage |
| IT administrator | All systems | Full admin |
| External contractor | Project-specific only | Read-only |
Principles:
- Start with minimum access and add as needed
- Document every access grant with justification
- Review and remove unnecessary permissions quarterly
Ongoing Monitoring
30-Day Review
Conduct a security review 30 days after the hire date.
- All initial passwords have been changed
- 2FA is active on all required services
- No unnecessary access permissions exist
- Password manager is being used correctly
- Security training has been completed
- No security incidents have been reported
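Several of these review items can be checked mechanically from an account inventory. The following is an added example, not part of the original guide: it flags unchanged initial passwords, missing or SMS-only 2FA, and access scope wider than the role table above allows. The field names and the sample records are constructed for illustration; map them to whatever your identity provider exports.

```python
from datetime import date, timedelta

# Hypothetical field names and constructed sample records, standing in for
# an export from an identity provider or asset inventory.
SCOPE_RANK = {"project": 0, "team": 1, "cross-team": 2, "all": 3}
ROLE_MAX_SCOPE = {"contractor": "project", "ic": "team",
                  "team_lead": "cross-team", "it_admin": "all"}
STRONG_2FA = {"totp", "hardware_key"}  # authenticator app or hardware key

ACCOUNTS = [
    {"user": "alice", "service": "email", "hired": date(2025, 1, 6),
     "temp_pw_changed": True, "mfa": "totp", "role": "ic", "scope": "team"},
    {"user": "bob", "service": "vpn", "hired": date(2025, 1, 6),
     "temp_pw_changed": False, "mfa": "sms", "role": "ic", "scope": "team"},
    {"user": "carol", "service": "github", "hired": date(2025, 1, 6),
     "temp_pw_changed": True, "mfa": None, "role": "contractor",
     "scope": "team"},
    {"user": "dave", "service": "email", "hired": date(2025, 2, 1),
     "temp_pw_changed": False, "mfa": None, "role": "ic", "scope": "team"},
]


def review(accounts, today, due_after=timedelta(days=30)):
    """Return (user, service, finding) tuples for accounts due for review."""
    findings = []
    for a in accounts:
        if today - a["hired"] < due_after:
            continue  # 30-day review not due yet
        who = (a["user"], a["service"])
        if not a["temp_pw_changed"]:
            findings.append(who + ("initial password not changed",))
        if a["mfa"] is None:
            findings.append(who + ("2FA not enabled",))
        elif a["mfa"] not in STRONG_2FA:
            findings.append(who + ("weak 2FA method: " + a["mfa"],))
        allowed = ROLE_MAX_SCOPE[a["role"]]
        if SCOPE_RANK[a["scope"]] > SCOPE_RANK[allowed]:
            findings.append(who + (
                f"scope '{a['scope']}' exceeds '{allowed}' "
                f"for role {a['role']}",))
    return findings
```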
Quarterly Audit
- Review access permissions and revoke unnecessary ones
- Verify password rotation compliance
- Review security incident logs
- Confirm departed employee accounts are immediately disabled
Using LOCK.PUB in the Onboarding Process
LOCK.PUB streamlines the secure delivery of initial credentials during onboarding.
- Password-protected memos: Deliver temporary passwords with expiration times
- Encrypted chat rooms: Secure communication channel between IT support and new hires
- Access tracking: Monitor whether the new employee has accessed the credentials
Example Workflow
- Create individual password-protected memos for each service credential (24-hour expiry)
- Send memo links to the new hire's company email
- Share access passwords in person during onboarding orientation
- New hire accesses credentials and immediately changes passwords
- Memos automatically expire -- no credentials lingering in email
Offboarding Security Checklist
Onboarding security is incomplete without offboarding security.
- Immediately disable/delete all accounts
- Set up email forwarding if required
- Change all shared passwords immediately
- Revoke VPN and remote access immediately
- Recover and wipe company devices
- Remove cloud storage access
- Remove source code repository access
- Recover physical access cards and badges
- Review and revoke third-party service access
Conclusion
A security-first onboarding process strengthens your entire organization. From account provisioning to password policies, 2FA setup, security training, and access control -- each step matters. Avoid sending temporary passwords through chat apps or email. Use tools with expiration and password protection to ensure credentials are delivered securely and do not persist in communication logs.
Create a password-protected memo on LOCK.PUB for your next new hire onboarding.