Educause Security Discussion mailing list archives
Re: Emeritus faculty privileges question
From: Paul Chauvet <chauvetp () NEWPALTZ EDU>
Date: Tue, 14 Jul 2020 18:50:19 +0000
Hi Frank,

It's a combination of me in IT, and our HR folks. Though we don't use Banner for HR - we do use it for role calculations (faculty, staff, retired, student, alumni, etc). Each of those roles, including retirees, has an "if not deceased" clause. Once that is marked (by HR) in Banner for anyone - they lose all roles (including the retiree role which allows them to keep access). When a person has no roles, the AD account is set to disabled.

P.S. I'm both horrified and fascinated that Banner's field for whether someone has passed away is literally the 'dead' indicator:

spbpers_dead_ind = 'Y'

Paul Chauvet, CISSP
Information Security Officer
State University of New York at New Paltz
845-257-3828
chauvetp () newpaltz edu

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Frank Barton <bartonf () HUSSON EDU>
Sent: Tuesday, July 14, 2020 9:36 AM
To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Emeritus faculty privileges question

CAUTION: Message from a non-New Paltz email server. Treat message, links, and attachments with extra caution.

For all of you that maintain emeritus access at any level, who is the "point" person on campus that keeps track of them, and lets you know when they pass so that you can close out the legacy access?

Frank

On Mon, Jul 13, 2020 at 3:10 PM Paul Chauvet <chauvetp () newpaltz edu> wrote:

Hello Charles,

As soon as HR is notified about a retirement or other departure, they notify IT & we send an automated notice to the retiree. This notice lets them know that they are responsible for downloading any files that they need (along with a list of what data is considered sensitive that they should not download/preserve).
The only things we really allow them to keep are email, access to the wireless network with personal devices, and access to library resources. Other systems are not allowed and they are not allowed to keep any college-owned hardware (with the only exception being if they do not have a smartphone they can keep their Yubikey which is their second factor for Duo MFA).

In the case of keeping access – it is not a right, it is a privilege. Access is only granted if there is no objection from HR.

My response for New Paltz is below:

* Are your Emeritus faculty allowed to keep their laptops and desktops?
  * No (a week or two extension to keep access is occasionally granted to save anything that they need)
* If this equipment is allowed to be kept, are they removed from your institution's AD domain?
  * Not applicable for us
* Are you reimaging these devices and removing them from your institution's AD domain?
  * Yes
* What level of support and software are you offering?
  * Username/password reset (including for Duo MFA) but no technical support beyond that
* Are you allowing the Emeritus faculty access to their home directories?
  * No
* Are you allowing the Emeritus faculty access to department directories?
  * No
* Are you allowing the Emeritus faculty access to research directories?
  * No
* Are you allowing the Emeritus faculty access to their email, etc?
  * Yes

Paul Chauvet, CISSP
Information Security Officer
State University of New York at New Paltz
845-257-3828
chauvetp () newpaltz edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Davidson, Charles
Sent: Friday, July 10, 2020 12:26 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Emeritus faculty privileges question
Hello,

Recently retirement packages for our faculty were sweetened by offering Emeritus Faculty status. Emeritus faculty are provided the same access to their data and equipment as if they were still working for our institution. This is causing our IT to have to rethink security, support, access and privileges for these users.

How is your organization dealing with the following concerns and how are you mitigating the risks involved?

* Are your Emeritus faculty allowed to keep their laptops and desktops?
* If this equipment is allowed to be kept, are they removed from your institution's AD domain?
* Are you reimaging these devices and removing them from your institution's AD domain?
* What level of support and software are you offering?
* Are you allowing the Emeritus faculty access to their home directories?
* Are you allowing the Emeritus faculty access to department directories?
* Are you allowing the Emeritus faculty access to research directories?
* Are you allowing the Emeritus faculty access to their email, etc?

Answering any or all of the above questions would greatly help in our planning. We are very interested in hearing if anyone has found a good solution.

Thanks,
Charlie

Charles Davidson, CISSP
Information Security Engineer
p: (508) 831-6250
Worcester Polytechnic Institute • Information Technology

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community

--
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University
PGP Key Fingerprint: 0249DC644EC78D2F6B5CD2C6C94D3EDB57946437
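
The role gating described in the top message of this thread (every role carries an "if not deceased" clause, and a person with no roles has the AD account disabled), as an added example that is not part of the original thread or New Paltz's own code. Only `spbpers_dead_ind` comes from the post; the other record fields, the role rules, the `reconcile` helper and all sample data are hypothetical.

```python
# Constructed illustration: only spbpers_dead_ind comes from the post.
# Other field names, role rules and sample records are hypothetical.
ROLE_RULES = {
    "faculty": lambda p: p.get("active_faculty", False),
    "staff": lambda p: p.get("active_staff", False),
    "student": lambda p: p.get("enrolled", False),
    "retired": lambda p: p.get("retired", False),
    "alumni": lambda p: p.get("graduated", False),
}

def calculate_roles(person):
    """Apply the 'if not deceased' clause to every role, retiree included."""
    if (person.get("spbpers_dead_ind") or "").strip().upper() == "Y":
        return set()
    return {role for role, rule in ROLE_RULES.items() if rule(person)}

def reconcile(people, ad_accounts):
    """Compare enabled AD accounts with calculated roles.

    Returns (to_disable, orphans): accounts whose owner has no roles left,
    and accounts with no person record at all (flagged for manual review).
    """
    by_id = {p["id"]: p for p in people}
    to_disable, orphans = [], []
    for acct in ad_accounts:
        if not acct["enabled"]:
            continue
        person = by_id.get(acct["owner_id"])
        if person is None:
            orphans.append(acct["sam"])
        elif not calculate_roles(person):
            to_disable.append(acct["sam"])
    return sorted(to_disable), sorted(orphans)

PEOPLE = [  # constructed sample records
    {"id": 1, "retired": True, "spbpers_dead_ind": None},
    {"id": 2, "retired": True, "spbpers_dead_ind": "Y"},
    {"id": 3, "spbpers_dead_ind": "N"},  # departed, no qualifying role
    {"id": 4, "active_staff": True, "graduated": True, "spbpers_dead_ind": "N"},
]
AD_ACCOUNTS = [  # constructed sample directory export
    {"sam": "emerita1", "owner_id": 1, "enabled": True},
    {"sam": "emeritus2", "owner_id": 2, "enabled": True},
    {"sam": "former3", "owner_id": 3, "enabled": True},
    {"sam": "staff4", "owner_id": 4, "enabled": True},
    {"sam": "unknown9", "owner_id": 9, "enabled": True},
]

if __name__ == "__main__":
    print(reconcile(PEOPLE, AD_ACCOUNTS))
```

Running the reconciliation on a schedule surfaces drift in both directions: accounts that should already be disabled, and enabled accounts that no longer map to anyone in the source of record.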
Current thread:
- Emeritus faculty privileges question Davidson, Charles (Jul 10)
- Re: Emeritus faculty privileges question Mark Reboli (Jul 10)
- Re: Emeritus faculty privileges question Paul Chauvet (Jul 13)
- Re: Emeritus faculty privileges question Frank Barton (Jul 14)
- Re: Emeritus faculty privileges question Scott Norton (Jul 14)
- Re: Emeritus faculty privileges question Paul Chauvet (Jul 14)
- Re: Emeritus faculty privileges question Paul Chauvet (Jul 14)
- Re: Emeritus faculty privileges question Frank Barton (Jul 14)