Educause Security Discussion mailing list archives
Re: Systems Access Policy
From: Ruth Ginzberg <rginzberg () UWSA EDU>
Date: Tue, 27 Mar 2018 14:17:35 +0000
Expanding on Tim’s observation: The deprovisioning process needs to include a process for deprovisioning what may be a plethora of cloud services (some of which may or may not be served by your SSO). Without deprovisioning ALL cloud services as well, former employees often can retain access to things they are not authorized to access. Ruth Ginzberg 608-890-3961 From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Tim Faircloth Sent: Tuesday, March 27, 2018 9:09 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Systems Access Policy I’d like to expand upon Frank’s comments by saying that the risk of giving a new hire early access to systems is significantly less than the risk of a former employee retaining access to said systems. In other words, I think it’s more important to worry about timely *de*provisioning. /tim -- Tim Faircloth System Administrator, GSW IIT 229-931-5076 From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Frank Barton Sent: Tuesday, March 27, 2018 9:56 AM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] Systems Access Policy Michael, I think I may be reading too much between the lines here, so feel free to correct me. The first thing I am noticing is a disconnect between "Hire Date", "Start Date", and "First Day of Classes", and that would be a conversation to have with your HR department. long-story short, if their start-date is the first day of classes, that gives them NO time to set up classes, and to get started, and I don't think it serves your students well. The second thing is that, yes, we set up faculty (and staff) accounts as soon as we are notified by HR that there is a new hire, and that they have passed all of the necessary hurdles (background checks, etc.) This also then creates email, LMS accounts, etc. I would make the argument that this is a net benefit as it then also allows any discussions to move into the institutional email system. This also gives us time to make sure that all of the needed permissions are in place so that they have access to everything that they need when the land. (account provisioning is not instantaneous after all) I guess, I would ask you what risks you do see, and what problems have you seen? obviously, I am not a lawyer, and at the end of the day your general counsel may have the final say as to when accounts get created and activated. Frank On Tue, Mar 27, 2018 at 9:30 AM, Madl, Michael <michael.madl () indwes edu<mailto:michael.madl () indwes edu>> wrote: Good morning, Do your respective universities allow faculty new hires access to systems prior to their hire date for the purposes of building LMS course shells in preparation for their classes? I understand why some institutions may do this ‘but’ I do see inherit risks with setting up accounts prior to official start dates. Accounts can be set up with limited access to start then further loosened after the start date but that creates double work and more of an administrative nightmare. If you could elaborate on any experiences, polices or thoughts around this I would greatly appreciate it. Thanks in advance! -- Frank Barton Security+, ACMT, MCP IT Systems Administrator Husson University
Current thread:
- Systems Access Policy Madl, Michael (Mar 27)
- Re: Systems Access Policy Frank Barton (Mar 27)
- Re: Systems Access Policy Tim Faircloth (Mar 27)
- Re: Systems Access Policy Ruth Ginzberg (Mar 27)
- Re: Systems Access Policy Frank Cafasso (Mar 27)
- Re: Systems Access Policy Boyce, Rori (Mar 28)
- Re: Systems Access Policy Frank Barton (Mar 27)
- Re: Systems Access Policy Frank Cafasso (Mar 27)
- Re: Systems Access Policy Tim Faircloth (Mar 27)
- Re: Systems Access Policy Frank Barton (Mar 27)