Educause Security Discussion mailing list archives

Re: Emeritus faculty privileges question


From: Paul Chauvet <chauvetp () NEWPALTZ EDU>
Date: Tue, 14 Jul 2020 18:50:19 +0000

Hi Frank,

It's a combination of me in IT, and our HR folks.

Though we don't use Banner for HR - we do use it for role calculations (faculty, staff, retired, student, alumni, etc.).
Each of those roles, including retirees, has an "if not deceased" clause.

Once that is marked (by HR) in Banner for anyone - they lose all roles (including the retiree role which allows them to 
keep access).  When a person has no roles, the AD account is set to disabled.

P.S.  I'm both horrified and fascinated that Banner's field for whether someone has passed away is literally the 'dead' 
indicator: spbpers_dead_ind = 'Y'


Paul Chauvet, CISSP

Information Security Officer

State University of New York at New Paltz

845-257-3828

chauvetp () newpaltz edu


________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Frank Barton 
<bartonf () HUSSON EDU>
Sent: Tuesday, July 14, 2020 9:36 AM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Emeritus faculty privileges question

CAUTION: Message from a non-New Paltz email server. Treat message, links, and attachments with extra caution.

For all of you that maintain emeritus access at any level, who is the "point" person on campus that keeps track of 
them, and lets you know when they pass so that you can close out the legacy access?

Frank

On Mon, Jul 13, 2020 at 3:10 PM Paul Chauvet <chauvetp () newpaltz edu> wrote:

Hello Charles,



As soon as HR is notified about a retirement or other departure, they notify IT & we send an automated notice to the 
retiree.  This notice lets them know that they are responsible for downloading any files that they need (along with a 
list of what data is considered sensitive that they should not download/preserve).  The only things we really allow 
them to keep are email, access to the wireless network with personal devices, and access to library resources.  Other 
systems are not allowed and they are not allowed to keep any college owned hardware (with the only exception being if 
they do not have a smartphone they can keep their Yubikey which is their second factor for Duo MFA).



In the case of keeping access – it is not a right, it is a privilege.  Access is only granted if there is no objection 
from HR

My response for New Paltz is below:



  *   Are your Emeritus faculty allowed to keep their laptops and desktops?
     *   No (a week or two extension to keep access is occasionally granted to save anything that they need)
  *   If this equipment is allowed to be kept, are they removed from your institution's AD domain?
     *   Not applicable for us
  *   Are you reimaging these devices and removing them from your institution's AD domain?
     *   Yes
  *   What level of support and software are you offering?
     *   Username/password reset (including for Duo MFA) but no technical support beyond that
  *   Are you allowing the Emeritus faculty access to their home directories?
     *   No
  *   Are you allowing the Emeritus faculty access to department directories?
     *   No
  *   Are you allowing the Emeritus faculty access to research directories?
     *   No
  *   Are you allowing the Emeritus faculty access to their email, etc?
     *   Yes







Paul Chauvet, CISSP

Information Security Officer

State University of New York at New Paltz

845-257-3828

chauvetp () newpaltz edu




From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Davidson, Charles
Sent: Friday, July 10, 2020 12:26 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Emeritus faculty privileges question






Hello,



Recently retirement packages for our faculty were sweetened by offering Emeritus Faculty status. Emeritus faculty are 
provided the same access to their data and equipment as if they were still working for our institution. This is causing 
our IT to have to rethink security, support, access and privileges for these users. How is your organization dealing 
with the following concerns and how are you mitigating the risks involved?

  *   Are your Emeritus faculty allowed to keep their laptops and desktops?
  *   If this equipment is allowed to be kept, are they removed from your institution's AD domain?
  *   Are you reimaging these devices and removing them from your institution's AD domain?
  *   What level of support and software are you offering?
  *   Are you allowing the Emeritus faculty access to their home directories?
  *   Are you allowing the Emeritus faculty access to department directories?
  *   Are you allowing the Emeritus faculty access to research directories?
  *   Are you allowing the Emeritus faculty access to their email, etc?

Answering any or all of the above questions would greatly help in our planning. We are very interested in hearing if 
anyone has found a good solution.



Thanks,

Charlie



Charles Davidson, CISSP

Information Security Engineer

p: (508) 831-6250


Worcester Polytechnic Institute • Information Technology

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community



--
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University
PGP Key Fingerprint: 0249DC644EC78D2F6B5CD2C6C94D3EDB57946437


