Educause Security Discussion mailing list archives

Re: do your former employees get to keep their email address?


From: John K Lerchey <lerchey () ANDREW CMU EDU>
Date: Wed, 21 Aug 2013 15:08:12 +0000

I'll chime in as well. :)

At one time, our central account IDs were "for life".  If a person left and then returned for any reason, they got 
their old ID again.

As times have changed (FERPA, HIPAA, etc.) we have been moving away from the old model.

- In most cases a departing employee loses access on or near their last day of work.
- Students have a grace period before their accounts are disabled (I'm pretty sure that it's 90 days)
- We do allow email forwarding to be set, but disable it for departing employees.  Student email forwarding stays in place until their account is disabled from receiving email.

A more recent change, evolving over the last 2-3 years is that employees that are changing roles that:

- are a known contact for their former position
- have transitioned from employee to student
- have elevated privileges to enterprise systems

Have their old (existing) account terminated and are given a new account.  This prevents the former (position) employee 
from retaining potentially confidential or restricted email and from retaining any "back door" access based on their 
account name.

We don't have an official policy on this yet, but we'll get there some day...

John


John K. Lerchey
Information Security Office
Carnegie Mellon University

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sherry 
Callahan
Sent: Wednesday, August 21, 2013 10:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] do your former employees get to keep their email address?

Bob,

We don't allow our employees or students to retain their email address after they leave the University on a permanent 
basis and we also don't allow auto-forwarding of email.  Employees lose access immediately and students retain access 
for up to 6 months after they leave.  HIPAA requirements are a huge driver behind that policy, but there are other 
reasons as well (licensing, state policy, legal liability, etc.)

We've had that policy in place for about 11 years now, so I can't really comment on a transition like the one you are 
about to embark on.  However, if I can provide some advice it would be to ensure that this policy change is well 
communicated.  That will prevent any frustration and phone calls from folks who have lost their access and then want 
copies of their email, contacts, etc.  If they know to be prepared, they'll have plenty of time to work out the 
transition on their own.

Sherry Callahan
Information Security Officer
University of Kansas Medical Center
(913) 588-0966 | scallahan () kumc edu



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bob Bayn
Sent: Wednesday, August 21, 2013 9:36 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] do your former employees get to keep their email address?

This is only somewhat security related.   USU has just decided, by policy, to terminate an employee's email account and 
their email address at the end of employment.  There are two motivations for this new policy:
1) University email address is being used as the access token for personal use of software that has been licensed by 
USU to include that use.  We cannot extend that access to former employees under terms of the licensing agreement.
2) HR wants to be able to access and retain the business related communications that are directed to a former 
employee's address.

One category of protest to this decision is from people who want to maintain the professional connections they have 
made using their USU address.  That can't always be accomplished by sending out a change-of-address message to everyone 
in your address book.  Up to this point we HAVE been maintaining forwards from a former employee's old USU address to 
their current address elsewhere.

Has anyone else dealt with this transition in the extent of your email service?

Bob Bayn    SER 301    (435)797-2396       IT Security Team
Office of Information Technology,     Utah State University
     three common hazardous email scams to watch out for:
     1) unfamiliar transaction report from familiar business
     2) attachment with no explanation in message body
     3) "phishing" for your email password
