Educause Security Discussion mailing list archives
Re: do your former employees get to keep their email address?
From: John K Lerchey <lerchey () ANDREW CMU EDU>
Date: Wed, 21 Aug 2013 15:08:12 +0000
I'll chime in as well. :)

At one time, our central account IDs were "for life". If a person left and then returned for any reason, they got their old ID again. As times have changed (FERPA, HIPAA, etc.) we have been moving away from the old model.

- In most cases a departing employee loses access on or near their last day of work.
- Students have a grace period before their accounts are disabled (I'm pretty sure that it's 90 days).
- We do allow email forwarding to be set, but disable it for departing employees. Student email forwarding stays in place until their account is disabled from receiving email.

A more recent change, evolving over the last 2-3 years, is that employees that are changing roles that:

- are a known contact for their former position
- have transitioned from employee to student
- have elevated privileges to enterprise systems

have their old (existing) account terminated and are given a new account. This prevents the former (position) employee from retaining potentially confidential or restricted email and from retaining any "back door" access based on their account name.

We don't have an official policy on this yet, but we'll get there some day...

John

John K. Lerchey
Information Security Office
Carnegie Mellon University

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sherry Callahan
Sent: Wednesday, August 21, 2013 10:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] do your former employees get to keep their email address?

Bob,

We don't allow our employees or students to retain their email address after they leave the University on a permanent basis and we also don't allow auto-forwarding of email. Employees lose access immediately and students retain access for up to 6 months after they leave. HIPAA requirements are a huge driver behind that policy, but there are other reasons as well (licensing, state policy, legal liability, etc.)

We've had that policy in place for about 11 years now, so I can't really comment on a transition like the one you are about to embark on. However, if I can provide some advice it would be to ensure that this policy change is well communicated. That will prevent any frustration and phone calls from folks who have lost their access and then want copies of their email, contacts, etc. If they know to be prepared, they'll have plenty of time to work out the transition on their own.

Sherry Callahan
Information Security Officer
University of Kansas Medical Center
(913) 588-0966 | scallahan () kumc edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bob Bayn
Sent: Wednesday, August 21, 2013 9:36 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] do your former employees get to keep their email address?

This is only somewhat security related. USU has just decided, by policy, to terminate an employee's email account and their email address at the end of employment. There are two motivations for this new policy:

1) University email address is being used as the access token for personal use of software that has been licensed by USU to include that use. We cannot extend that access to former employees under terms of the licensing agreement.
2) HR wants to be able to access and retain the business related communications that are directed to a former employee's address.

One category of protest to this decision is from people who want to maintain the professional connections they have made using their USU address. That can't always be accomplished by sending out a change-of-address message to everyone in your addressbook. Up to this point we HAVE been maintaining forwards from a former employee's old USU address to their current address elsewhere.

Has anyone else dealt with this transition in the extent of your email service?

Bob Bayn SER 301 (435)797-2396
IT Security Team
Office of Information Technology, Utah State University

three common hazardous email scams to watch out for:
1) unfamiliar transaction report from familiar business
2) attachment with no explanation in message body
3) "phishing" for your email password