Terminated Employee Information Security Procedures
DIVISION: Administration and Finance
DEPARTMENT: Information Technology Services
SUBJECT: Terminated Employee Information Security Procedures
OBJECTIVE & PURPOSE:
To define policy and procedures relating to information security procedures for terminated employees.
Approved by the Director of Information Technology Services, January 2002
The university's network and applications systems have automated components to ensure the proper termination of system access upon employee termination. There are two categories of employees handled by this automated process: budgeted (A&P, Faculty, and USPS) and non-budgeted (OPS and Adjunct Instructors).
For budgeted employees, Human Resources, based upon an authorized Personnel Action Form (PAF), enters a termination date in the Payroll Personnel and Budget (PPB) system. This, in turn, generates automated notices to various university personnel, including systems personnel in Information Technology Services, and sets automated termination flags in the Local Applications table that is used by both the Userid and System Access systems.
For non-budgeted employees, no termination date is required by the PPB system, and none is entered by HR. As a result, automated notices cannot be generated for these employees. Instead, the automated flags that are set for budgeted employees when a termination date is entered are automatically set upon actual termination for the non-budgeted employees.
The technical means by which the various systems handle the termination flags is system dependent, but the same general rules apply. Each system uses a two-part process, which is broken down into termination and grace period expiration. Upon employee termination, access to a system is disabled. The technical infrastructure associated with that employee (e.g., their Outlook mailbox) is preserved for an additional period of time. This period of time is referred to as the grace period. The grace period serves two purposes. It allows departments to retrieve information that may be necessary for business continuity. It also allows employees changing status, adjuncts who are not currently active, or student workers on break to keep e-mail, personalized information, and system settings until they are reactivated, or until the grace period expires and this information is deleted. Currently grace periods are 45 days for budgeted employees and OPS employees, and 120 days for adjunct instructors. The OPS period is longer to accommodate student OPS over semester breaks. The adjunct period is substantially longer to allow for adjuncts who teach only in Fall and Spring, which is a frequent occurrence.
There are two exceptions to the above processes. The first type of exception occurs when there is a request for special extension of access by the terminating employee's department. In such cases, manual entries are made in Local Applications to indicate an individual with a continuing relationship to the university, and access is maintained until the requesting department asks that the access be terminated. This same method is used for contracted employees, for employees of university-affiliated organizations (e.g., food service or bookstore employees), and for VIPs (e.g., Foundation Board members). In all such cases departments receive an annual report of these manually maintained entries. The report asks them to confirm whether each account should be maintained or removed. This additional process ensures that specially requested access is not forgotten.
A second exception to the normal termination process occurs when an employee terminates under less than favorable circumstances. In these situations, the employee's supervisor, or the departmental manager, may request an immediate revocation of access via e-mail. When such requests are received, the userids are disabled immediately. The normal grace period is applied for the rest of the termination process.