GASP: AICF

GOV-026 Return of Assets on Termination

Tier 1+

Description

Upon termination or change of employment, personnel return all organizational assets in their possession, including devices, access credentials, documentation, and any other items containing organizational information. Return obligations are documented in employment agreements and verified during the offboarding process.

Rationale

Unreturned assets containing organizational data or access credentials represent ongoing exposure after employment ends. A verifiable return process ensures continuity of information security obligations.

Framework Mappings (3)

HRS-05: Asset returns (full)
5.11: Return of assets (full)
PS-4: Personnel Termination (partial)

Evidence (2)

record, manual

Completed offboarding checklists confirming asset return was verified for terminated employees.

Example: Offboarding checklist records (Jira/ServiceNow tickets or HRIS offboarding workflow) for a sample of recent terminations, showing: device return confirmation, access credential revocation, and signed exit declaration — each with a completion date and named HR or IT contact.

Test: Request offboarding records for a sample of at least five employees terminated in the last 12 months. For each, verify: (1) a device return confirmation is present (hardware serial number or asset tag), (2) access revocation is confirmed, (3) any organizational information stored on personal devices is addressed, (4) the checklist is signed or marked complete with a date.

contract, manual

Employment agreement clause or exit declaration, signed by the employee, confirming ongoing confidentiality obligations and asset return requirements.

Example: Employment agreement template (legal counsel-approved document), Section on Termination Obligations, referencing: return of all company property, ongoing confidentiality obligations post-employment, and prohibitions on retaining copies of organizational data — signed by a sample of recent hires.

Test: Request the employment agreement template and a signed copy for a sample of three current employees and three recent terminations. Verify: (1) asset return obligation is explicitly stated, (2) ongoing confidentiality requirement post-employment is present, (3) the signed agreement is on file for each sampled individual.

Questions (2)

boolean

Does your organization's offboarding process require all organizational assets to be returned upon termination, and is completion verified and documented?

Completed offboarding checklists for recent terminations should show device return confirmation (asset tag or serial number), access revocation, and a named verifier.

boolean

Are ongoing confidentiality and data protection obligations explicitly stated in employment agreements and acknowledged before employment begins?

Employment agreements should include asset return obligations and post-employment confidentiality clauses, with signed copies retained in the HRIS or document store.