Appendix D: Obsidian Security Post-Departure Review
Obsidian Security monitors the OASIS SaaS environment for threat and posture alerts. After a staff departure, IT should review Obsidian for any security concerns related to the departed user’s accounts.
D.1 Connected Platforms
Obsidian’s connected platforms include:
- Google Workspace
- JumpCloud
- Slack
- Cloudflare
- GitHub
The review should cover all connected sources for the departed user.
D.2 Review Checklist
| Item | Completed By |
|---|---|
| - [ ] Check Obsidian for open threat alerts tied to the departed user’s identity | Dustin / IT |
| - [ ] Check Obsidian for open posture alerts (e.g., external forwarding, MFA gaps) | Dustin / IT |
| - [ ] Verify that Google Workspace suspension is reflected in Obsidian’s identity graph | Dustin / IT |
| - [ ] Verify that JumpCloud suspension is reflected in Obsidian | Dustin / IT |
| - [ ] Review Impossible Travel alerts for the 30 days prior to departure | Dustin / IT |
| - [ ] Confirm no Financial External Mail Forwarding rules existed or were created before suspension | Dustin / IT |
| - [ ] Document any findings and escalate if anomalous activity is detected | Dustin / IT |
D.3 Escalation
If anomalous activity is detected during the post-departure review (e.g., data exfiltration indicators, unauthorized access patterns, forwarding rules to external accounts), the IT Director should:
- Document the finding with screenshots and timestamps.
- Escalate immediately to the Executive Director.
- Preserve all relevant audit logs.
- If the finding meets the threshold for an incident, initiate the OASIS Incident Response process.