Draft-Systems Access Removal

 

Purpose

This web page provides detailed instructions for securely managing access to employee data when an employee leaves the department or university.

Audience & Scope

This content applies to all college and departmental management, HR personnel, and any IT staff involved in securely managing access to employee data when an employee leaves the department or university.

Act Immediately

As soon as you are aware of an employee’s resignation/retirement, notify or involve your IT staff so they have time to conduct a full assessment and work with you to resolve all issues prior to the separation date.  With sufficient notice, Campus IT will be best prepared to help you appropriately remove all system-access permissions from the employee in a timely manner.  Details will vary depending on level of access and circumstances of the separation. 

Supervisors should remind employees of their obligation to protect sensitive information such as personal identifiers or credit card numbers.  Deleting needed business data and/or disclosing sensitive information is considered misuse of State property and could result in disciplinary or legal action.

Day of notice: For most employee separations, the day of notice is the day the employee provides a letter of resignation to their supervisor. In the case of sensitive/immediate employee separation, the day of notice may not apply, as it often involves immediate dismissal or job abandonment.

Enterprise systems: Examples include, but aren’t limited to: HR, Financial, SIS (Student Information System)

HR: Human Resources.

Last day: The separating employee’s official last working day — as opposed to the Separation Date.

OIT: Office of Information Technology.

Planned employee separation: An employee separation, voluntary or involuntary, with advance notice of the separation date. Planned separations may include resignation, retirement, Reduction In Force (RIF), time-limited appointment, temporary employment, transfer within the university, and ending job positions.

S&C: Security and Compliance.

Rapid/Sensitive/immediate employee separation: An employee separation, voluntary or involuntary, without advance notice. Sensitive separations may include dismissal or job abandonment.

SAR: System Access Request (SAR) is a web application that automates the approval process for granting and revoking employee access to HR data, Student Information System (SIS) data, Financial data, and Document Management data — as well as other data systems at NC State.

Separation date: The separating employee’s official last day of employment, generally the day after the Last Day.

Separating department: The department from which the employee is separating.

Separating employee: The employee separating from the department or university; applies to all full-time, probationary, part-time, temporary, student employees, no-pay employees, faculty, staff, Post Docs, and contractors.

Supervisor: The separating employee’s immediate manager.

Wiped Clean: Fully erase the referenced equipment or device.

Asset & System Tracking

 

Asset & System Tracking Form

This form should have been completed at the time of hire and maintained in the employee file.  This form documents all assets (keys, access cards, computers, credit cards, microscopes, equipment, phones, vehicles, uniforms, and so on) AND assigned system access permissions.
At the time of employee separation, use the same form to document the return of all assets and the deactivation of system access (even if not used to assign those assets).

Rapid/Sensitive Separations

If it is a sensitive or immediate separation, the appropriate management (manager, department’s HR representative, department’s IT Director, and HR Employee Relations staff) must coordinate communication and actions.

Management may make “rush or emergency” requests by calling the NC State Help Desk at 919.515.HELP (4357).

CAUTION: Do not discuss confidential information during the initial help desk call. The help desk is acting only as a Point of Contact (POC) and will refer your request to a member of OIT Security & Compliance (S&C) for gathering additional details.

IMPORTANT NOTE: Supervisors must work with HR and IT to coordinate the timing of any automatically generated emails announcing account deactivation so that they are sent to the separating employee only after the employee has been notified of his or her termination. Once a separation action is entered into the HR System, an auto-generated email will be sent to the employee and their supervisor based on the following criteria:

* The employee has a termination date within the next 7 days, and no other active jobs exist.
* There is no future rehire for the employee.
* The terminating job is not a student assignment (student worker, graduate assistantship)
* We haven’t already sent this notice to the employee in the last 2 weeks.

The email contains the following content:

“Dear XXX,

According to our records, your last date of employment or assignment with the University with the XXX department will be XX/XX/XX. As a result, your Unity account, including your NC State Gmail account, is scheduled to be disabled after this date. If you feel you have received this letter in error or an extension of employment is needed, you should contact your departmental HR representative regarding your status in the campus HR System. This notice does not apply to enrolled students.

Deactivation of Gmail accounts may make data and files inaccessible, including Google Drive contents. Please view further information at oit.ncsu.edu.

Note: The manager of the employee, as assigned in the HR System, is copied on this email.

Regards,

Office of Information Technology
North Carolina State University”


Campus Unity Account

 

EMPLOYEES LEAVING THE UNIVERSITY

If the employee is separating from the university without any requirements for maintaining his or her Unity account, the employee’s Unity and NC State Google accounts will be deactivated upon separation as described below.

A separating employee retains full access to their Unity account, including access to email, MyPack Portal and other campus resources, for 21 calendar days after their separation date. After 21 calendar days, the separated employee has access ONLY to the MyPack Portal-Employee Self Service through April of the year following their separation. Their password will be scrambled, and if they need to log in to the MyPack Portal Employee Self Service, they will be required to reset their password. Their password will be reset to the DEFAULT password, which consists of the last four digits of their Employee ID and the four digits of their birth month and day. As a result, it is important for them to keep a record of their Employee ID #.


EMPLOYEES REMAINING AS A STUDENT

If the separating employee is continuing with NC State University as a student (including taking classes as a non-degree student), the supervisor must discuss the following topics with the separating employee and perform all duties as specified. The supervisor is especially responsible for clearly explaining what is required of the separating employee and then verifying that the employee has followed through before leaving their current position:

  • Supervisors must verify whether the employee is also an active student.
  • If the separating employee will continue as an active student, student account access (for example, university email, Moodle, and so forth) must remain in effect.

CAUTION:  Because the separating employee will continue to have access to university email, he or she may continue to receive job-related email.

  • Supervisors must inform separating employees that they are required to facilitate university business by forwarding university business emails to their separated department supervisor or members as appropriate.

CAUTION: Separating employees who have set up email delegation must revoke delegation.

EMPLOYEES TRANSFERRING WITHIN THE UNIVERSITY 

If the separating employee is transferring to another position within the university:

  • Supervisors must coordinate with their department HR the timing of all actions required per the Human Resources – Transferring Employee Separation Guide.
  • Access to Enterprise systems should be revoked/removed via a SAR request (via the MyPack Portal) PRIOR to the transfer by the departing department and re-submitted by the receiving department.  The receiving department should submit a SAR request for appropriate access needs. The receiving department may need to contact the departing department to confirm any access removal needs. If both departments enter SAR requests, one may override the other. 
  • Transferring employees who have set up email delegation must revoke delegation to individuals in the departments they are leaving and set up email delegation for the appropriate individuals in their new departments.
  • If transferring employees receive emails pertaining to their former position, they must continue to facilitate university business by forwarding the emails to the appropriate individuals in their former departments.
  • When transferring to another position, employees must review their own calendars for any past or future meetings, events, or other information that a supervisor or coworker might need to access after the employee has left.

Email

Item | Accessible by supervisor after employee’s separation date? | Description/Notes | Action Required

Item: Email Access

Accessible by supervisor after employee’s separation date? No

Description/Notes:

Employee Leaving University: Supervisors will not have access to employee emails after the account has been deactivated, which occurs 21 calendar days after the employee’s separation date. OIT is unable to provide copies or access to an employee’s email after the employee’s account is deactivated. This applies to normal separations. OIT will provide assistance as needed for rapid separations and other situations such as deaths.

If the supervisor needs access to the employee’s email, the employee must set up delegated access to their account prior to the employee’s last day worked.

The supervisor and/or employee should forward any needed email messages to another email account if there is a need for them to be maintained.  Failure to do so will result in forfeiture of access to the separated employee’s emails as proxy access via email delegation will terminate upon account deactivation.

Employee Transferring Departments:  Transferring employees who have set up mail delegation should revoke delegation to individuals in the departments they are leaving and set up email delegation for the appropriate individuals in their new departments, as needed.

If transferring employees receive emails pertaining to their old positions, they should continue to facilitate university business by forwarding the emails to the appropriate individual(s) in their former departments.

Action Required:

Separating Employee: Set up delegated access to their supervisor. Forward any needed email messages to supervisor or appropriate person.

Transferring Employee: Revoke any delegated access associated with current position.

Supervisor:  Forward any necessary emails appropriately.

Item: Vacation Rule

Accessible by supervisor after employee’s separation date? No

Description/Notes: For business continuity, it is recommended that vacation rules are set up on the separating employee’s email account to direct incoming emails to the appropriate person. Vacation rules must be created before the account is deactivated.

Action Required:

Separating Employee: Set up vacation rules for the emails that arrive after their last day (and before account deactivation).

Vacation rule message example:  “I am no longer with [department].  Please contact [individual] for assistance.”

Item: Email Lists and Groups

Accessible by supervisor after employee’s separation date? No

Description/Notes: Supervisors must identify the employee’s administration of any departmental email lists, groups or any use of individual email aliases as a departmental alias.

Supervisors must ensure that the administration and use of email lists or groups are transferred appropriately, and any associated passwords are changed. For example, employees may have established an email list such as “committeeX@lists.ncsu.edu” or a Google group called “CommitteeY” to facilitate communications to members of a particular committee.

Action Required:

Separating Employee: Transfer ownership of email lists, groups or email aliases or unsubscribe accordingly.

Supervisor: Reset passwords appropriately.

The group/list manager or supervisor or separating employee must unsubscribe the employee from their Google Groups and Lists.

Item: Personal Email Messages

Accessible by supervisor after employee’s separation date? No

Description/Notes: Separating employees must label personal email messages with the label “personal.” As indicated in section 2.5 of the Computer Use Regulation, computer users must have no expectation of privacy with regard to any personal material stored or archived on university IT resources.

Action Required:

Separating Employee: Label personal messages.

Item: Retiree Email Account

Accessible by supervisor after employee’s separation date? Yes

Description/Notes: Retirees may retain their NC State email account upon request and at the discretion of their department management. A department HR representative will submit a no-pay action in the HR System to maintain access. See instructions for submitting Retiree and Guest Accounts (found near bottom of page).

CAUTION: Retiring employees that retain their email account also retain access to all G Suite Apps. For retirees, supervisors must complete the checklist items related to all G Suite items.

For example, if Google Documents owned by retirees are not transferred or access removed from any Google Documents, the retirees will still be able to access the documents, which is not appropriate.

Action Required:

Retiring Employee: If retiring, request to keep email account as applicable.

Supervisor:  Clearly communicate to retiree how they must handle university email that will be received after termination date.


Calendars

Item | Accessible by supervisor after employee’s separation date? | Description/Notes | Action Required

Item: Past/Future Meetings and Events

Accessible by supervisor after employee’s separation date? No

Description/Notes: Separating employee must review and manage their calendar to determine if there are any past or future meetings and events a supervisor or coworker might need to address or attend after they leave. The separating employee may have been invited to appointments that now need the supervisor or a co-worker to attend in their absence.

Action Required:

Separating Employee: Review calendar and communicate or transfer calendar events as needed.

Supervisor: Confirm (also with team if applicable) events communicated or transferred as needed.

Item: Appointment Ownership

Accessible by supervisor after employee’s separation date? No

Description/Notes: Ensure continuity of future appointments by changing ownership. There will be less confusion if appointments are not owned by a separating employee.

Action Required:

Separating Employee: Change the ownership of single calendar appointments by clicking on a calendar event and choosing “Change Owner” from the More Actions list. The new owner can be a sub-calendar or person.

Item: Export Individual Calendars

Accessible by supervisor after employee’s separation date? No

Description/Notes: If the separating employee has lots of appointments on their individual work calendars, it may be easier to export the calendar and merge with the supervisor’s calendar rather than changing the ownership of each appointment.

CAUTION:  Separating employee must first delete all future meetings that include their supervisor as an attendee, prior to exporting, so as not to create duplicate meeting entries when the supervisor imports the calendar.

Action Required:

Separating Employee: Export entire individual work calendars into an .ics (iCalendar) file and send to supervisor.

Supervisor: Import the .ics (iCalendar) file into your calendar.

Item: Generic/sub-calendars

Accessible by supervisor after employee’s separation date? Yes, in most cases

Description/Notes: As long as someone has access to them, sub-calendars will exist after their creators’ accounts are deactivated.

Action Required:

Separating Employee: Separating employees (including retirees) must share an existing calendar to transfer the Manage and Share permissions.

Item: Export sub-calendars

Accessible by supervisor after employee’s separation date? Yes, in most cases

Description/Notes: As long as someone has access to them, sub-calendars will exist after their creators’ accounts are deactivated. If the sub-calendars have many entries in them, it may be best to export the calendar so the supervisor can merge with an existing calendar as appropriate.

Separating employees must export entire sub-calendar(s) into .ics (iCalendar) file(s) for their supervisor to import into another calendar.

Action Required:

Separating Employee: Export entire work calendars into an .ics (iCalendar) file and send to supervisor.

Supervisor: Import the .ics (iCalendar) file into appropriate calendar.


G Suite and Network Files

Item | Accessible by supervisor after employee’s separation date? | Description/Notes | Action Required

Item: G Suite files, drive, shared drive

Accessible by supervisor after employee’s separation date? Yes, in some cases

Description/Notes: Documents shared with at least one other person with an active university account can be accessed after the separating employee’s account is deactivated.

Separating employees must transfer their Google Drive business-related documents from My Drive to a Shared Drive, which is owned by NC State.

  • Shared Drive content can include native Google files along with external file formats such as .pdf, .docx, .pptx, and so forth.
  • If files or folders cannot be moved to a Shared Drive, the separating employee must change the ownership to a generic account (preferred) or their supervisor.

After the content is transferred, the supervisor must remove the separating employee’s access to the Shared Drive. This is preferable to the transferring of ownership to an individual.

Action Required:

Separating Employee: Transfer documents to a Shared Drive.

Supervisor:

Remove the separating employee’s access to the Shared Drive.

  • See Google Shared Drives at NC State to request Shared Drives.
  • If a Google Group manages the Shared Drive permissions, remove the employee from the Google Group.

Item: G Suite Apps for Education Account Data

Accessible by supervisor after employee’s separation date? No

Description/Notes: Separating employees may download backup copies of their personal documents, photos, profile information, contacts, circles, and streamed posts prior to leaving using Google Takeout.

Action Required:

Separating Employee: Download backup copies using Google Takeout.

Item: Local and Network Drive Files

Accessible by supervisor after employee’s separation date? No

Description/Notes: Separating employees must identify any files on local or network drives that the employee administers or can access and must transfer ownership to departmental shared space, as directed by management.

Action Required:

Separating Employee: Transfer ownership of files in local/network drives to shared file space.

Item: University-owned devices

Accessible by supervisor after employee’s separation date? Yes

Description/Notes: Supervisors must work with their IT support staff to make sure local university-owned devices are wiped clean and re-used or surplussed as appropriate.

Action Required:

Supervisor: Work with IT support staff to make sure local university-owned devices are wiped clean and re-used or surplussed. See Secure Data Removal guidelines.

Item: Student Account Files and Access (associated with Unity ID, for example, MyPack Portal, Moodle, campus wireless network, etc.)

Accessible by supervisor after employee’s separation date? No; however, new graduates are allowed access.

Description/Notes: For planned separations when an employee is also a student who will withdraw or otherwise leave the university (unless the separating employee has extended access as a new graduate, as detailed below):

  • On census day (the last day of drop/add) of the first semester that a student is not registered for classes, their account will be deactivated.
  • If a student’s account is deactivated, he or she will not be able to log in with or access files stored in association with their Unity ID.
  • One year after deactivation, a student’s account and all files associated with the account will be deleted automatically.
  • See “Unity Computing Account Maintenance – Procedures for Student Accounts” under the heading Account activation, deactivation, and deletion, for additional details.

If a separating employee has extended access as a new graduate:

  • For four months after graduation, students will be able to remotely access campus-based (Unity/AFS) storage space.
  • After four months, recently graduated students will no longer be able to access files stored in campus-based (Unity/AFS) storage space.
  • Recently graduated students will be able to:
    • access all G Suite Apps for Education, including Gmail, for one year after graduation.  OIT is working to provide a new G Suite alumni domain to allow NC State graduates to copy their G Suite account data to this account, or they could copy their data to a personal Google account.
    • log in to the self-service function of MyPack Portal to access their student data.

Action Required:

Separating Employee: If also a student, make sure supervisor is aware so account is not deactivated and student data is retained.

Supervisor: Confirm all with employee.

 


Personally Owned Devices with University Data or Software

Item | Description/Notes | Action Required

Item: Files on personally owned equipment

Description/Notes: Separating employees who have used any personally owned mobile computer or device (such as a laptop, tablet, or smartphone) for university business must move (not copy) all university data to appropriate university resources that all appropriate department staff can access.

See sections 2.5.1, 6.1, & 6.3 in the Computer Use Regulation for details regarding employee responsibility to remove university-related documents from all personally owned computers and devices.

Supervisor CAUTION: Do not wipe the personal device without separating employee’s permission.

Action Required:

Separating Employee: Transfer any university files from personally owned computer/devices to appropriate university resources. Ensure all documents are removed. Make sure all university data is removed from all personally owned devices.

Item: Application software on personally owned equipment

Description/Notes: Any university-owned software that was downloaded as a result of being an employee at NC State University must be removed from personally owned computers or devices.

Action Required:

Separating Employee: Remove all university-owned software from personally owned computers/devices.


Systems, Applications, Voicemail, and other Accounts

Item | Accessible by supervisor after employee’s separation date? | Description/Notes | Action Required

Item: Enterprise Systems managed by SAR (System Access Request)

Accessible by supervisor after employee’s separation date? No

Description/Notes: The department’s SAR administrator must submit a SAR revoke action to suspend access to enterprise applications such as HR, SIS, Financials, and so forth, before the employee’s last day.

The request must be submitted prior to the separating employee’s last working day with an effective date, so that the action is invoked at the appropriate time.

Options include making the request effective immediately (default) or at a future date.

Action Required:

Supervisor: Notify SAR administrator.

 

Item: Access to Systems, Shared Accounts (Google Groups, Google Generic), Applications, and Resources

Accessible by supervisor after employee’s separation date? No

Description/Notes: Supervisors must identify the access a separating employee has to all department-owned systems, web content, and shared accounts such as Google groups or Google generic accounts:

  • Supervisors must suspend or remove access appropriately and change passwords to be effective on the employee’s last working day.
  • Supervisors must identify any resources (including social media accounts) that the employee administers, transfer administration appropriately, and change any associated passwords.

If the service also uses Two-factor Authentication (2FA), remaining users with access must have 2FA activated as well.

Resources that the separating employees own or administer may include but are not limited to shared mailboxes, conference rooms, projectors, and other items owned in Web Registry such as Global Resources or Google groups.

Action Required:

Supervisor: Identify and terminate access accordingly.

 

Item: Encrypted Business Data and Keys

Accessible by supervisor after employee’s separation date? No

Description/Notes: Upon notification of an employee’s separation, his or her supervisor must find out whether the employee uses encryption on any of their computer devices.

If the employee is using personal keys to encrypt the data, the employee must provide all requested business data to the supervisor.

If the separating employee uses business encryption keys, then their supervisor must obtain the encryption keys and associated passwords or pins.  The password or pin may be changed by the employee before it is provided. The supervisor must change the password after the employee leaves.

  • Having a key escrow system in place for disaster recovery is useful and may eliminate the need to perform these tasks when an employee is leaving.
  • Most of our university full-disk encryption systems must have key escrow that can be used to obtain the encryption pin.
  • Encryption keys or pins must always be transferred using secure methods that are appropriate for storing the keys.

Action Required:

Separating Employee: Provide supervisor with any encryption keys and associated passwords or pins.

Supervisor: Collect encryption keys accordingly.

Item: External accounts, including Cloud storage other than Google

Accessible by supervisor after employee’s separation date? No

Description/Notes: If the separating employee has external accounts used for university business, supervisors must work with the separating employee to make sure these external accounts are documented and re-assigned and terminated, if appropriate.

For example, employees could have accounts with outside vendors to create support tickets or exchange data with another institution or business partner on behalf of the department or university.  Furthermore, separating employees could be using Cloud storage tools such as DropBox or iCloud for university business.

Action Required:

Supervisor: Designate another individual to take over responsibility and create an account for that person, if necessary, to maintain continuity.

 

Item: Record Retention

Accessible by supervisor after employee’s separation date? No

Description/Notes: Prior to employee’s last day, the supervisor must make sure all university records in the possession of the employee have been transferred to their supervisor.

Supervisors must preserve these records in accordance with the University Record Retention and Disposition Schedules. All records must be preserved including personnel records, student records, and so forth.

Action Required:

Separating Employee: Confirm appropriate transfer of all owned university records.

Supervisor:  Confirm appropriate transfer of all owned university records.

Item: Voicemail

Accessible by supervisor after employee’s separation date? Yes, if access code is obtained.

Description/Notes: Supervisors must obtain existing voicemail access code(s) from the separating employee and change employee’s voicemail access code(s) using the instructions for changing via the phone.

Action Required:

Separating Employee: Give existing voicemail code to supervisor.

Supervisor: Confirm voicemail access and change voicemail access code.

Item: Other system access

Accessible by supervisor after employee’s separation date? Variable

Description/Notes: Supervisors must identify and manage the employee’s access to any other systems in a timely manner (for example: Qualtrics, PCR•360, Proteus, Billboard, AiR/Facilities, and so forth).

Action Required:

Supervisor: Identify employee’s access to any other systems; remove access and change passwords accordingly.

Item: Campus Directory

Accessible by supervisor after employee’s separation date? No

Description/Notes: Change any customized information (e.g. working title) in the Campus Directory back to the default information. This will eliminate confusion and misinformation if the separating employee returns to the University in a different role.

Action Required:

Separating Employee: Remove any custom information. Ex: Phone Number, address, etc. Note: In order to update the directory, you will need to have DUO Security set up.

Contact the Help Desk at 919-515-HELP (4357) or help@ncsu.edu if you have any questions.
