Re: Access and the Terminated Employee

["Sarazen, Daniel" <dsarazen () UMASSP EDU>]

The last day the individual has duties to preform, their access should be gone. 

Is there a benefit in allowing an employee whose on vacation, and won't be coming back, to retain their system access? 



:: Daniel Sarazen, CISSP, CISA
:: Senior Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office
:: 774-455-7558
:: 781-724-3377 Cell
:: 774-455-7550 Fax
:: Dsarazen () umassp edu

University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : www.massachusetts.edu




-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of LIOTTA, 
KAREN
Sent: Thursday, March 03, 2011 12:05 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Access and the Terminated Employee

Is the day of separation the last day at work?  Or, would it include any vacation or sick time taken after the 
employee's last day at the workplace?


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dave 
Kovarik
Sent: Wednesday, March 02, 2011 4:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Access and the Terminated Employee

Patrick - we're reviewing the results of a survey we distributed to the NU community so I don't have a consensus at the 
moment but access can continue beyond a "termination" date:
* involuntary - all access is revoked, any info required beyond the date is provided through HR
* voluntary - ID is disabled and all access is revoked on day of separation.  For retirees, access is reduced/restored 
to only that which is appropriate then the ID is re-enabled.
These actions are (of course) subject to our being notified of the separation.  Further, individuals who are hold staff 
and student status obviously complicate matters - we might terminate employment and disable the ID which could affect 
the ability to complete schoolwork.

The end game is to develop a university-wide policy to address terminations AND transfers so that any of these events 
is handled uniformly and rapidly.
- Dave
Dave Kovarik
Northwestern University
847-467-5930

On 3/2/11 11:57 AM, Feehan, Patrick wrote:
> Good Afternoon All:
>
> We are having a discussion about the amount of access a terminated employee can have to (arguably) their information 
> on (clearly) our systems.  This came up in context of employees who had terminated, either voluntarily or 
> involuntarily, and then found that they did not have access to their electronic W-2 information they had requested 
> while in the employ of the College.
>
> In general, do you have policies or processes which dictate what access (if any) a terminated employee may have to 
> wage or benefit information?  Does it make a difference if they were fired versus left on their own (moved on) or 
> even retired?
>
> Thanks.
>
>
> Patrick J. Feehan JD, CIPP
> Director of IT Privacy&  Cybersecurity Compliance Montgomery College
> (240) 567-3087
> patrick.feehan () montgomerycollege edu

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.