Offboard Haywood Wells (8/4) - waiting on confirmation for anything else
Closed this issue · 17 comments
In order to complete Haywood's exit from the cloud.gov team, the assignee should complete a prescribed set of tasks that will remove any special access.
Directions:
Assignee: The tasks below are organized by the role needed to complete them. If you can’t complete any of the items on your checklist personally, you are responsible for ensuring that an appropriate person does it.
For compliance we need to show that critical offboarding actions happen within 24 hours of departure; some actions below need GitHub issue comments when completed. Completing tasks before departure is good. (control PS-4: personnel termination)
Haywood Wells
- Initiate the process via the Leaving TTS Handbook page
Assignee
- Mention the TTS HR liaison and TTS Tech Portfolio in this ticket so they can update with their status
- As part of TTS offboarding, TTS Tech Portfolio will automatically:
- Remove their access to StatusPage
- Remove them from the cloudgov subteam in Docker Hub
- Remove write/push access for NPM from cloudgov-style
- Remove them from HackerOne
- If they are leaving GSA, ask #admins-slack to convert them to a single-channel alumni user
- Remove their agent access to Zendesk - switch their role to "end user"
- Remove them from the cloud.gov group in CloudCheckr
- Update this issue with a comment within 24h of departure that the above steps are complete
- Remove them from @cg-team, @cg-operators, and any other @cg- teams in the Slack Team Directory using the three-dot menu (instructions)
- Remove them from the team roster
- Remove them from the squad list
- In the training tracker: if they're staying at TTS, move them to the "former teammates" tab; if they're leaving TTS, delete them from the spreadsheet
- Remove them as invitees for any meetings on the cloud.gov calendar where they are specifically named
- Invites where they are listed as part of the cloud.gov invitee group will be removed when they are removed from that group by the System Owner
System Owner (or person delegated by System Owner)
The following steps must be conducted and documented within 24 hours of departure:
- Exit interview with supervisor or contract account manager: Discuss with departee the following information security topics:
- They are to remove any non-public cloud.gov data (e.g. keys, passwords, code, documents) from any non-GSA device
- They are not to disclose any non-public cloud.gov technical practices without authorization from GSA
- They will not access cloud.gov systems or services without authorization from GSA
- If the System Owner cannot hold this discussion, they will communicate to GSA OHRM that the above topics need to be communicated to the leaving person.
- Remove them from the cloud.gov GitHub organization
- Remove them from the cloud.gov team Google Group
- If they are part of the business unit, remove their access to GovDelivery
The following do not directly impact cloud.gov security & operations and can happen later:
- Remove them from Nessus
- Remove them from the Cloud Foundry Community GitHub org cloud.gov team
- Remove them from the CG-PRIV Google Group
- Remove them from the cloud.gov operations Google Group
- Remove them from the cloud.gov compliance team Google Group
- Remove them from the cloud.gov notifications Google Group
- Remove them from the cloud.gov inquiries Google Group
- Remove them from the cloud.gov support Google Group
- Remove them from the cloud.gov emergency Google Group
- Remove them from our Google Groups for our AWS accounts (relevant for PM, Director, and Deputy Director)
- Remove them from Search.gov access for cg-site by pinging the search.gov team in the #search Slack channel
Cloud Operations
The following steps must be conducted and documented within 24 hours of departure:
- Delete the user in all cloud.gov AWS accounts. There should be info on which AWS accounts you need to look at here
- Remove their account name from the inputs.yml file in the AWS account audit
- Remove their access as an admin on the platform on all environments (tooling/ops, development, staging, and production)
- Remove any privileges that their cloud.gov account has due to membership in the cloud.gov team (even if not in Cloud Ops), such as admin_ui.user and scim.read
- Verify these permissions have been removed using the cg-scripts validate-admins.sh run from a jumpbox
- Remove any Org or Space roles that their cloud.gov account holds due to membership in the cloud.gov team (for example, remove them from the cloud-gov and cloud-gov-operators organizations)
- Ensure any keys or passwords they had direct access to are rotated
@kelleyconfer because Haywood is a contractor, I know there are some additional steps or folks to reach out to, so I've added you to this ticket. I'll run through as much as I can, please let me know if there's anything else I can help with!
Squad list update PR in place: cloud-gov/product#1598
@bengerman13 could you please remove Haywood from https://groups.google.com/a/gsa.gov/g/cloud-gov-notifications/members? Thanks!
Removed Haywood from all the Google Group accounts and Nessus; search.gov, GovDelivery don't apply as Haywood never had access.
Removed Haywood from cloud.gov's GitHub organization and teams. Also removed any direct invites to team events on the calendar.
Haywood's AWS accounts have been deleted.
Removed Haywood from any cloud-gov or cloud-gov-operators orgs and spaces in the platform.
Sent a message to leavingTTS@gsa.gov.
@JJediny, @afeld, and/or @adborden, if there's anything else you need from us here to help complete Haywood's offboarding from cloud.gov and TTS please let us know! He did not have any accounts with HackerOne, StatusPage, Docker Hub, Cloudcheckr, etc.
I think the Slack access is all that should remain - I already removed Haywood from our private channels.
Submitted a deactivate Slack user request via ServiceNow:
Submitted : 2021-07-30 11:21:33 AM
Request Number : REQ0625778
Estimated Delivery : --
Removed Haywood's AWS account name from our AWS account audit: cloud-gov/compliance#241
Haywood's Slack account was deactivated on 7/30: https://gsa-tts.slack.com/archives/C02KW46DP/p1627659165001000
Hey @ccostino usually the Tech Portfolio's checklist kicks in as part of the TTS Offboarding. I'll double check your list here against what we have.
BTW, is this issue part of a template? I think StatusPage moved from Tech Portfolio to cloud.gov since you're the only team using it. I'd want to update the template to reflect that (and in case I find anything else that needs updating).
Rocal has been updated with departure date of 07/30/2021.
Offboarding ticket has been submitted for account deletion and postage for GFE return has been requested.
> you're the only team using [StatusPage]
Login.gov does as well: https://logingov.statuspage.io/