Forum Discussion
RachelColes
Mar 23, 2023 (Copper Contributor)
Best practices for ex staff and their devices - Security/Compliance
Hi All, what are the best practices or the general consensus on what happens to an ex-staff member's AAD/AD account and device within Azure and Intune? At present we only disable ex staff and leav...
HPenk1550
Mar 23, 2023 (Copper Contributor)
The thing that must drive your decisions must be based on your data retention policies. Those will drive all decisions regarding accounts, data governance/retention, etc. And consequently, it will also drive how you handle accounts: Everything from immediate deletion of logins/credentials & remote wipe of devices all the way to just "changing passwords" and disabling remote access are on the table. Good question, but rahuljindal is completely correct: there's no "best practice" because every case, every company, and every industry is different. It even changes over time as technology changes and evolves, as laws change. 15 years ago, Fax machines were considered the cat's meow for HIPAA compliance, until one day a doctor's office sent his patient's positive HIV test results to an office Fax, where all the colleagues and management saw the results. $2 million later, Fax is no longer considered "HIPAA Compliant". Weird how that works.