Date Approved: March 8, 2019
Effective Date: March 8, 2019
Responsible Official: Chief Information Security Officer
Responsible Office: [U]Tech Information Security Office
Revision History: Version 1.1; dated March 21, 2019
Related legislation and University policies: <as referenced in the policy>
- Policy I-1 Acceptable Use of Information Technology (AUP)
- Policy I-1 Acceptable Use Policy
- Policy II-2 Case Network Account Closure Policy
- Policy III-1 Information Types and Sensitivity
- Policy III-1d Controls- Protecting Internal Use Information Systems
Review Period: 5 Years
Date of Last Review: March 21, 2019
Related to: Alumni, Faculty, Staff
Case Western Reserve University has historically extended email account privileges as a courtesy to qualified CWRU alumni after graduation. This privilege also included all services within the Google Suite (formerly called Google Applications for Education). CWRU also has many alumni who are employed by the university. This situation has created risk to the university’s information when employees, who are also alumni of CWRU, leave the university’s employment. Former employees are not to be granted continued access to university business related information resources. This policy addresses the particular risk of disclosure or modification posed by this subset of alumni, those who are employed by CWRU.
This policy applies to all alumni account holders who are current, or former, employees of the university. CWRU Alumni who have never been employed by the university as staff are not in the scope of this policy.
Coordination with Other Policies and Procedures
The CWRU Alumni Account Policy is closely aligned with these policies
The university extends email privileges as a courtesy to all qualified CWRU Alumni, and will continue in this practice. Because CWRU uses the Google Suite for delivery of email services, other useful Google services are also part of the alumni privileges, including Email, Calendar, Contacts, Drive file sharing, Sites, Groups, Meet, Photos, YouTube, to name a few. When an employee is also a CWRU Alumnus, employment related business information in any of these applications (including email) would be available to that employee after termination, which constitutes a data disclosure risk. This policy directly addresses this risk.
- The university will no longer extend alumni email account access to former employees.
- Newly hired employees who are CWRU alumni will be advised upon hire to export their student/alumni Google Suite data before they begin to use and/or receive business information pertaining to university operations in that account.
- University employees who are enrolled as a student while concurrently an employee may become alumni, but also will have no post-employment email/Google Suite services.
University Technology (UTech): Implement technical controls to ensure automated provisioning of email access via role.
Information Security Office(ISO): Monitor risk to terminated employees access to information systems post-employment.
Human Resources: Notify new employees who are CWRU Alumni at orientation of the policy.
Staff: An employee of the university, including faculty, staff, or contractor.
Alumnus: A person who has completed a degree program and has been granted a degree, such as a bachelors, masters, or doctorate degrees. Persons who complete CWRU certificate programs are not considered qualified alumni.
Standards Review Cycle
This standard will be reviewed every three years on the anniversary of the policy effective date, at a minimum. The standard may be reviewed on a more frequent basis depending on changes of risk exposure.