
Project Name On- and Off-boarding Checklist

Employee Name: Venkata Ramesh Medisetty
On-boarding Date: 02/03/2014
IBM Employee/Contractor #: 065764
Off-boarding Date: mm/dd/yyyy

On/Off-Boarding Coordinator Name: First. I. Last
Confirmation of Completed On-boarding: mm/dd/yyyy
Confirmation of Completed Off-Boarding: mm/dd/yyyy

IBM Security Badge (if required): If building/area access needs to be requested on an IBM site or indicate N/A
Project Security Badge (if required): If building/area access needs to be requested for client sites or indicate N/A
Laptop/Desktop Machine # and Serial # (if required): Include if not an IBM registered asset (e.g. contractor or client asset). Otherwise mark N/A
Application software load (if required): Include information on any application software loaded to individual’s machine specific for this project.

On-boarding Checklist | Date Verified | Yes / No or N/A | Comments
1. New member has been approved to be added by the IBM/Medtronic
combined Operations Committee
2. New GBS workforce member has completed required IBM
DS&P Project Specific Training (IBM employees,
subcontractors and affiliates)
Yes / No or N/A: Yes
3. HIPAA education is completed at on-boarding within 30 days
of on-boarding by eligible resource (and annually thereafter
and evidence retained for 6 years).
HIPAA Training HLS0102/ SRM21906
Yes / No or N/A: NA
3. New GBS workforce member has completed or attended all
Medtronic required Induction or Awareness training.
Yes / No or N/A: Yes
4. Access requests have been submitted to the appropriate
Process Owners to grant the new GBS workforce member
access to the appropriate: teamrooms, networks, or systems.
5. An on-boarding request has been submitted to MDT and
acknowledged by MDT.
6. The types of access requests (read, write, change, update,
ALL), submitted for the new GBS workforce member are
appropriate for the role they will be performing on the project,
contract or account.
7. Access to Medtronic PHI has been approved by BAM/ PM
with appropriate business need to access regulated data.
8. The Client is aware of the new GBS workforce member, the
role they will be performing, the systems they will be
accessing and the type of access they will need.
9. The new GBS workforce member is aware of the type of
information they will have access to (for example, Client
sensitive personal information) in the systems, applications or
databases they will have access to.
Yes / No or N/A: Yes
10. The Resource Master List has been updated.
11. Project documentation (roles and responsibilities, SOD,
Workforce Member Master Log, User access list) has been
updated to include this new GBS workforce member and the
role they will be performing.
IBM Confidential Page 1
12. If GR resource, work permit has been established
13(i). New resource has submitted documents for background
checks
Yes / No or N/A: Yes
13(ii). Background check and drug testing completed according to
contractual requirements.
14. New GBS workforce member’s PC is compliant with
ITCS300. PGP Whole Disk Encryption is installed and
operating.
15. If the new GBS workforce member will have any privileged
access, they are aware of workstation usage restrictions
according to IBM standards (as defined in ITCS300).
Yes / No or N/A: Yes
16. Workforce member’s ISAM record is updated to reflect their
current project job role
Yes / No or N/A: Yes
17. ITCS300 compliance validation is reviewed to assure ISAM
Risk Indicator is set to SPI and HIPAA
Yes / No or N/A: Yes
18. Resource has signed HIPAA acknowledgment form.
Yes / No or N/A: NA
19. New GBS workforce member understands that they should
not use any Open Source Software or LinuxOS on this project
without appropriate IBM approval regardless of how obtained
(e.g. client provided).

Immediately inform Project Manager of any Open Source
currently on workstation.
Yes / No or N/A: Yes
20. New member has been added to One Handoff Directory and
information is complete.

Off-boarding Checklist | Date Verified | Yes / No or N/A | Comments
1. All software licenses (not part of the MDT Standard Load)
have been returned to their owner, and the software removed
from the MDT workstation.
2. Documents and information related to the project or area
have been returned. Confidential documents have been
returned (or destroyed as required). IBM CONFIDENTIAL
information has been removed from MDT issued hardware/
workstations.
3. Formal communication with the Client was sent informing
the client that the GBS workforce member is leaving the
project.
4. MDT hardware/workstations have been returned to MDT in a
state consistent with MDT policies (regarding hard drive
formatting, with power on and Windows passwords identified
or removed etc.), and the email captured showing receipt of
the hardware return.
5. If applicable, desktop and laptop(s) have been returned. If
client hardware, all IBM Confidential information has been
removed in a manner so that it cannot be recreated. Hard
disk was reformatted if necessary.
6. Confirm all MDT Confidential, Personal Information, Sensitive
Personal Information (including application data and
project-specific code) has been removed from the GBS workforce
member's workstation and other portable storage media used
by the workforce member before the workforce member has
left the project, contract or account.

GBS workforce member and IBM manager to complete and
provide the Off-Boarding Data Removal Certificate, including
completion date.
7. User Ids and passwords have been removed from desktops
and laptops.
8. GBS workforce member accesses to Client’s systems,
databases, & applications in both production and
non-production and client networks and teamrooms were revoked
or deleted when the GBS workforce member left.

Indicate timing of revocation here – Validate revocation
requirements. Refer to Revocation - ITCS104: Chapters 1.1,
1.5 and 3. (Currently ITCS104 refers to 3 days for privileged
access, 2 weeks for general access)
9. A termination has been submitted for the departing member
to inform MDT of their departure in WorkDay. This includes
the identification of the member’s “last working day.”
10. IBM network access has been revoked, Lotus Notes ID was
disabled and IBM team room accesses have been revoked,
IBM badge has been returned for GBS workforce member for
those separated from IBM, including subcontractors.

(Note: AT&T Dialer ID must be revoked within 24 hours of
separation from IBM -- project is responsible for timeliness
when the separated resource is a subcontractor.)
11. All activities and other development system access were
transferred to another GBS workforce member.
12. Account IDs for the person off-boarded must be promptly
removed and requests must be retained for 2 years.
13. Account IDs for eligible HIPAA off-boarded resource have been
promptly removed. Requests must be retained for 2 years.
14. MDT issued RSA Secure-ID Token has been returned
15. The Resource Master List has been updated to reflect the
departed GBS workforce member.
16. The Separation of Duties (SOD) matrix has been updated, as
necessary, to replace the GBS workforce member’s
assignment.
17. The Workforce Member Master List has been updated to
reflect the departed GBS workforce member
18. IBM badge has been returned for GBS workforce member for
those separated from IBM, including subcontractors.
19. IBM badge, GR Card, Business Credit Cards (AMEX), IBM
Security Badge, and other such materials are ready to be
returned on the last day of the assignment.

Completed checklists are stored in the Medtronic teamroom and retained for a minimum of 24 months from off-boarding.
