Skip to main content
All playbooks

Playbook

Insider threat — staff or contractor

Particularly access to grades, finance, or student data. Departing-employee overlay (mid-year vs end-of-year).

The scenario

A finance-office staff member is leaving under tension. The same week, anomalous exports from the ERP appear in audit logs.

First 60 minutes

  1. Coordinate the access revocation with HR — never act on a security suspicion without HR awareness.
  2. Revoke all access (district, vendor, payroll, SIS, ERP, file shares) at the same moment.
  3. Snapshot audit logs for the user's last 90 days to immutable storage.
  4. Notify counsel — insider matters are litigation-likely.
  5. If the suspect handled student PII or finance, preserve everything before any account deletion.

Decisions to make

Timing

  • Mid-year departure: access revoked the day of separation, no grace period.
  • End-of-year transition: phased plan, but vendor and finance access first.

Who to call

  • HR / employee-relations
  • Counsel
  • Law enforcement if criminal conduct suspected

FAQ