Offboarding Best Practices: Secure Asset Return for Third Parties (Aramco’s TPC-18 Explained)

Employee offboarding is a critical process that, if not handled properly, can lead to significant cybersecurity risks. For businesses working with Saudi Aramco, compliance with the Third Party Cybersecurity Standard (SACS-002) is essential. One of its key controls, TPC-18, mandates formal offboarding procedures, including the secure return of assets and removal of access. But why is this so important, and how can your business ensure compliance? Let’s explore.

What is TPC-18?

TPC-18 is a cybersecurity control that requires third-party vendors and contractors to establish formal offboarding procedures for employees. These procedures must include:

• The secure return of company assets (e.g., laptops, mobile devices, access cards).
• The removal of all access privileges to systems, applications, and data.

The goal is to prevent unauthorized access and protect sensitive information after an employee leaves the organization.

Why Does TPC-18 Matter?

1. Preventing Unauthorized Access
   When employees leave an organization, their access to systems and data must be revoked immediately. Failure to do so can lead to data breaches, intellectual property theft, or other security incidents.
2. Compliance with Aramco Standards
   Non-compliance with TPC-18 can lead to serious consequences, including contract termination or legal action. Adhering to this standard is essential for maintaining a strong partnership with Aramco.
3. Protecting Sensitive Data
   Saudi Aramco’s data is highly confidential. Secure asset return and access removal ensure that this information remains protected, even after an employee’s departure.
4. Maintaining Operational Security
   Proper offboarding procedures help maintain the integrity of your systems and prevent disruptions caused by unauthorized access or misuse of assets.

How to Comply with TPC-18

1. Develop Formal Offboarding Procedures
   Create a detailed offboarding checklist that includes:
   • Collection of company assets (e.g., laptops, mobile devices, access cards).
   • Revocation of access to systems, applications, and data.
   • Deactivation of email accounts and other communication tools.
2. Secure Asset Return
   Ensure that all company assets are returned in a secure manner. This includes:
   • Verifying the condition of returned assets.
   • Sanitizing devices to remove any sensitive data (e.g., using NIST 800-88 guidelines).
3. Remove Access Privileges
   Immediately revoke access to all systems, applications, and data upon an employee’s departure. This includes:
   • Disabling user accounts.
   • Removing permissions from shared drives and cloud storage.
   • Updating access control lists (ACLs) and firewall rules.
4. Document the Process
   Maintain detailed records of the offboarding process, including:
   • A list of returned assets.
   • Confirmation of access removal.
   • A signed acknowledgment from the departing employee.
5. Train Your Team
   Educate your HR and IT teams about the importance of secure offboarding and the steps involved. Regular training can help reinforce these practices.

How NHR Can Help

At NHR Alemtithal for IT (NHR), we specialize in helping businesses achieve compliance with Saudi Aramco’s cybersecurity standards, including TPC-18. Our services include:

• Offboarding Process Development
• Cybersecurity Compliance Certification (CCC)
• Employee Training Programs

Don’t risk non-compliance or a security breach. Let NHR guide you through the process and ensure your business meets all Aramco requirements.

Contact Us Today!

For more information or to schedule a consultation, call us at +966 55 653 8840 or email info@nhr.com.sa. Visit our service page to learn more.

Stay compliant, stay secure, and protect your business with NHR!

By implementing secure offboarding practices and partnering with NHR, you can ensure your business meets Aramco’s cybersecurity standards while safeguarding sensitive data. Let us help you navigate the complexities of compliance with ease!

Disclaimer:
The content of this podcast is generated by NotebookLM, an AI-powered tool designed to assist with creative and informational tasks. While every effort has been made to ensure accuracy and relevance, the information and opinions expressed in this podcast are AI-generated and should not be taken as professional advice, factual truth, or the views of any individual or organization. Listeners are encouraged to independently verify any information and consult appropriate experts or sources for specific guidance. The creators of this podcast are not responsible for any errors, omissions, or outcomes resulting from the use of this content. Enjoy responsibly!