
Memo: Remove account access for terminated faculty, staff

On March 1, 2023, Chief Financial Officer Cathy Anderson and Senior Vice President for Academic Affairs Mitzi Montoya emailed the Council of Academic Deans about appropriately managing account access and university data when faculty and staff leave the University of Utah or transfer to another unit. Delaying or failing to remove access upon termination can result in inappropriate continued access to job-specific documents and systems, causing information security risks for the university.

The full text of the memo:

DATE: March 1, 2023

TO: Council of Academic Deans

FROM: Cathy Anderson, Mitzi Montoya

COPY: Jeff Herring, Steve Hess

RE: Removing file/folder/account access when faculty and staff leave the U

Dear colleagues,

When faculty and staff members terminate their employment at the University of Utah, standard department/college/administrative unit off-boarding processes include ensuring that employees return building keys, office keys, university-owned equipment, etc.

It is equally important to ensure that your offboarding processes include the removal of departing employees’ access to job-specific files, folders, databases, and systems, including UBox and other file shares, group UMail accounts, Active Directory, Microsoft Teams and Slack channels, etc.

Diligent management of your departing employees’ files, folders, and accounts is an important responsibility specified in University of Utah Information Security Policy 4-004 III.A.2.b, (Acceptable Use), Policy 4-004 III.D.3 (Account Termination), and Rule R4-004D III.C, 1-4 (Access Management).*

Delaying or failing to remove access and submit ePAFs upon termination can result in inappropriate continued access to job-specific documents and systems, causing information security risks for the university.

Scenarios include:

    • A terminated employee is, or becomes, an active university student and therefore continues to have access to university networks, systems, and IT services. Unless units revoke or transfer job-specific access to data and systems, the former employee may continue to access data and accounts associated with their previous employee role.
    • A terminated employee is rehired at the university. If the employee’s previous job-specific access was not terminated upon departure, they may continue to access data and accounts associated with their previous job.
    • A terminated employee who had multiple appointments and/or was involved in interdisciplinary projects and programs. Such employees require additional access review upon termination to ensure that all appointment/project/program-related access is revoked and, if needed, transferred to current employees.

Thank you for your support as we all do our part to maintain information security. If you have questions, please contact Trevor Long trevor.long@utah.edu, Associate Director for IT Governance, Risk, & Compliance in the Information Security Office.

Online help resources:

*University Information Security Policy excerpts:

    • Policy R4-004A.2.b (Acceptable Use): “Refrain from unauthorized viewing or use of another User’s Accounts, computer files, programs, and/or data. Access to such information does not imply permission to view or use it. All such activity is strictly prohibited.”
    • Policy 4-004D.3 (Account Termination): “University Accounts shall be deactivated, disabled and/or deleted as soon as reasonably possible after authorized notification of termination of contract, employment, or relationship with the University.”
    • Rule R4-004D III.C, 1-4 (Account Modification and Termination): “Only authorized Users shall have physical, electronic or other access to IT Resources, Information Systems, Information Assets, and Electronic Resources. Access shall be limited to Users with a business need to know, and limited only to the requirements of their job function. It is the shared responsibility of IT Technicians and Users to prevent unauthorized access to IT Resources, Information Systems, Information Assets, and Electronic Resources at the University. Access controls shall include effective procedures for granting authorization, tools and practices to authenticate authorized Users, and prevention and detection of unauthorized use.
    1. Account Authorization – University Accounts shall be issued after the request is authorized appropriately and documented adequately.
    2. Account Authentication – University Accounts shall be authenticated at a minimum via unique login ids and complex passwords.
    3. Account Termination – University Accounts shall be deactivated, disabled and/or deleted as soon as reasonably possible after authorized notification of termination of contract, employment, or relationship with the University.
    4. Account Reaccreditation – University shall conduct periodic reviews of authorized access commensurate with the assessed level of risk.”
Last Updated: 4/8/24