Overview
Version 1.0
Last Revision Date: Oct 30, 2009
Approval Date: Nov 6, 2009
Approval Authority: Chief Information Security Officer
Purpose
The Early Account Closure Procedure is defined to inform and instruct
managers and supervisors in the account termination process to be
used. This procedure coordinates actions between Case IT Services
and the Department of Human Resources and is governed by the Case Network
Account Closure Policy.
Scope
This procedure applies to all Case Directory
accounts in
the Case ITS infrastructure.
Cancellation
Not applicable.
Procedure Statement
Early Account Closure
When a person leaves the University, their network accounts are
terminated or suspended in accordance with Case Network
Account Closure Policy. It is understood that there are
conditions that would warrant suspension of network privileges
earlier than the standard time frames. Examples of such
conditions
are:
- - immediate termination of an employee under
conditions that a risk to information or information technology assets
exists for the University
- - a student is suspended via judicial process
and the
current grace period is no longer applicable
- - a violation of the University's Acceptable Use
Policy for any account holder (e.g. alumni or affiliate)
- - the person serves as a systems administrator
and
has elevated privileges for University IT systems and information
Procedure
1. Requests. Supervisors can request immediate termination of an
employee's network account for emergency cases by contacting the office
of Employee
Relations in the Department of Human Resources.
2. Approval. When a request is received for an early account
termination for an employee (faculty or staff) the Department of Human
Resources will review the request for
validity and applicability. If the early account closure
request is
approved, then notification will be made to terminate the user
account. The representatives from Employee Relations will then
send
an email
request to the address:
account-closure-hr[at]case[dot]edu
When a request is received for a
student, alumni, or affiliate account, the Information Security
Office will review the request with the appropriate University
governing organization.
Middleware Engineering will only process early account termination
requests
from the Department of Human Resources or the Information Security
Office. When requests are denied, the standard account
termination processes will remain in effect.
3. Implementation. When requests are approved, the Middleware
Engineering staff
will complete any necessary system changes and respond to the
Department of Human Resources or the Information Security Office within
24 hours or within an agreed upon timeframe.
4. Non-infrastructure Accounts. It should be noted that when a
terminated user has account access to IT systems that are managed
outside the scope of Case Directory Accounts, the supervisor is
responsible to assure that these accounts are also terminated.
Examples include local server accounts, vendor accounts (e.g.
Carbonite, Sprint, IBM, etc.), and any shared departmental
resources. Additional considerations for the Case ERP systems can
be addressed by the Information Security Office.
Responsibility
Supervisor, Manager, Department of Student Affairs, University
Counsel: Identify potential early closure situations for
departing Case users and forward requests in accordance with this
procedure.
Chief Information Security Officer: Assure quality and
consistency of the procedure and policies. Define and communicate
the University risk posture in accordance with information protection
controls
Employee Relations, Department of Human Resources: Maintain
information pertinent to
employee status and approve/disapprove early termination requests.
Information Security Staff: perform risk
assessment activities to evaluate need and scope of account
terminations.
Middleware Engineering Staff: Evaluate and implement account
change requests. Report task completion.
Standards Review Cycle
This procedure will be reviewed every three years on the anniversary of
the
policy effective date, at a minimum. The procedure may be reviewed on a
more frequent basis depending on changes of risk exposure. |
