II-2a Alumni Email Account Policy

Overview

Version 1.1
Last Revision Date: March 21, 2019
Approval Date: March 8, 2019
Approval Authority: Chief Information Security Officer

Purpose

Case Western Reserve University has historically extended email account privileges as a courtesy to qualified CWRU alumni after graduation. This privilege also included all services within the Google Suite (formerly called Google Applications for Education). CWRU also has many alumni who are employed by the university. This situation has created risk to the university’s information when employees, who are also alumni of CWRU, leave the university’s employment. Former employees are not to be granted continued access to university business related information resources. This policy addresses the particular risk of disclosure or modification posed by this subset of alumni, those who are employed by CWRU.

Scope:

This policy applies to all alumni account holders who are current, or former, employees of the university. CWRU Alumni who have never been employed by the university as staff are not in the scope of this policy.

Coordination with Other Policies and Procedures

The CWRU Alumni Account Policy is closely aligned with these policies

Policy I-1 Acceptable Use Policy

Policy II-2 Case Network Account Closure Policy

Policy III-1 Information Types and Sensitivity

Policy III-1d Controls- Protecting Internal Use Information Systems

Cancellation:

Not applicable.

Policy Statement

General

The university extends email privileges as a courtesy to all qualified CWRU Alumni, and will continue in this practice. Because CWRU uses the Google Suite for delivery of email services, other useful Google services are also part of the alumni privileges, including Email, Calendar, Contacts, Drive file sharing, Sites, Groups, Meet, Photos, YouTube, to name a few. When an employee is also a CWRU Alumnus, employment related business information in any of these applications (including email) would be available to that employee after termination, which constitutes a data disclosure risk. This policy directly addresses this risk.

Policy

  1. The university will no longer extend alumni email account access to former employees.
    • Newly hired employees who are CWRU alumni will be advised upon hire to export their student/alumni Google Suite data before they begin to use and/or receive business information pertaining to university operations in that account.
  2. University employees who are enrolled as a student while concurrently an employee may become alumni, but also will have no post-employment email/Google Suite services.

Responsibility

University Technology (UTech): Implement technical controls to ensure automated provisioning of email access via role.

Information Security Office(ISO): Monitor risk to terminated employees access to information systems post-employment.

Human Resources: Notify new employees who are CWRU Alumni at orientation of the policy.

Definitions

Staff: An employee of the university, including faculty, staff, or contractor.

Alumnus: A person who has completed a degree program and has been granted a degree, such as a bachelors, masters, or doctorate degrees. Persons who complete CWRU certificate programs are not considered qualified alumni.

Standards Review Cycle

This standard will be reviewed every three years on the anniversary of the policy effective date, at a minimum. The standard may be reviewed on a more frequent basis depending on changes of risk exposure.