II-3b Early Account Closure Procedure

Overview

Version 1.0
Last Revision Date: Oct 30, 2009
Approval Date: Nov 6, 2009
Approval Authority:  Chief Information Security Officer

Purpose

The Early Account Closure Procedure informs and instructs managers and supervisors on the account termination process to be used.  This procedure coordinates actions between CWRU IT Services and the Department of Human Resources and is governed by the CWRU Network Account Closure Policy.

Scope

This procedure applies to all CWRU Directory accounts in the CWRU UTech infrastructure.

Cancellation

Not applicable.

Procedure Statement

Early Account Closure

When a person leaves the University, their network accounts are terminated or suspended in accordance with the CWRU Network Account Closure Policy. It is understood that there are conditions that would warrant suspension of network privileges earlier than the standard time frames.  Examples of such conditions are:

  • immediate termination of an employee under conditions where a risk to information or information technology assets exists for the University
  • a student is suspended via judicial process and the current grace period is no longer applicable
  • a violation of the University's Acceptable Use Policy for any account holder (e.g. alumni or affiliate)
  • the person serves as a systems administrator and has elevated privileges for University IT systems and information

Procedure

1. Requests.  Supervisors can request immediate termination of an employee's network account for emergency cases by contacting the office of Employee Relations in the Department of Human Resources.

2. Approval.  When a request is received for an early account termination for an employee (faculty or staff), the Department of Human Resources will review the request for validity and applicability.  If the early account closure request is approved, then notification will be made to terminate the user account.  The representatives from Employee Relations will then send an email request to the address:

 account-closure-hr[at]case[dot]edu

When a request is received for a student, alumni, or affiliate account, the Information Security Office will review the request with the appropriate University governing organization.

Middleware Engineering will only process early account termination requests from the Department of Human Resources or the Information Security Office.  When requests are denied, the standard account termination processes will remain in effect.

3. Implementation.  When requests are approved, the Middleware Engineering staff will complete any necessary system changes and respond to the Department of Human Resources or the Information Security Office within 24 hours or within an agreed upon timeframe.

4. Non-infrastructure Accounts.  It should be noted that when a terminated user has account access to IT systems that are managed outside the scope of CWRU Directory Accounts, the supervisor is responsible for assuring that these accounts are also terminated. Examples include local server accounts, vendor accounts (e.g. Carbonite, Sprint, IBM, etc.), and any shared departmental resources.  Additional considerations for the CWRU ERP systems can be addressed by the Information Security Office.

Responsibility

Supervisor, Manager, Department of Student Affairs, University Counsel:  Identify potential early closure situations for departing CWRU users and forward requests in accordance with this procedure.

Chief Information Security Officer:  Assure quality and consistency of the procedure and policies.  Define and communicate the University risk posture in accordance with information protection controls.

Employee Relations, Department of Human Resources:  Maintain information pertinent to employee status and approve/disapprove early termination requests.

Information Security Staff:  Perform risk assessment activities to evaluate need and scope of account terminations.

Middleware Engineering Staff:  Evaluate and implement account change requests.  Report task completion.

Standards Review Cycle

This procedure will be reviewed every three years on the anniversary of the policy effective date, at a minimum. The procedure may be reviewed on a more frequent basis depending on changes of risk exposure.