When an employee leaves the organization, a formal process should be followed to ensure all equipment is returned, and any associated accounts or access is revoked.

Sections

ID	Name	Description
ME021	Unrevoked Access	The subject has left the organization but still has access to services or data that is reserved for employees.
MT003	Leaver	A subject leaving the organisation with access to sensitive data with the intent to access and exfiltrate sensitive data or otherwise contravene internal policies.
MT002	Mover	A subject moves within the organisation to a different team with the intent to gain access to sensitive data or to circumvent controls or to otherwise contravene internal policies.
ME021.001	User Account Credentials	User credentials that were available to the subject during employment are not revoked and can still be used.
ME021.002	Web Service Credentials	Web credentials that were available to the subject during employment are not revoked and can still be used.
ME021.003	Physical Access Credentials	Physical security credentials, such as an ID card or physical keys, that were available to the subject during employment are not revoked and can still be used.
ME021.004	API Keys	API keys that were available to the subject during employment are not revoked and can still be used.
ME021.005	SSH Keys	SSH keys that were available to the subject during employment are not revoked and can still be used.
ME021.006	Multi-Factor Authentication	Subjects who are issued Multi-Factor Authentication (MFA) tokens, whether software-based (such as Google Authenticator or Microsoft Authenticator) or hardware devices (like YubiKeys or FIDO2 devices), may retain access to systems if these tokens or devices are not deactivated upon their departure or role change. When a subject leaves the organization or no longer needs access, failing to deactivate their MFA tokens allows them to continue authenticating to systems, potentially bypassing security controls. If a subject’s software-based MFA token remains active, they can still generate valid authentication codes unless the token is unlinked or deactivated. Similarly, if a subject retains a hardware security key, they can use it to authenticate to services as if they were still an active user. In environments using federated authentication (e.g., SAML, OAuth), a subject’s MFA token can provide access to multiple interconnected services, allowing them to authenticate to systems they should no longer be able to access. This opens the possibility of unauthorized access even after the subject has left the organization. To prevent this, organizations must promptly deactivate MFA tokens when subjects are removed from the network. Automating the deactivation process and regularly auditing active tokens will help close any gaps in access control. Additionally, securely managing backup MFA keys ensures that no unauthorized individual can reuse them.