Educause Security Discussion mailing list archives

Re: Retiree Account Privileges


From: Mandi Witkovsky <witkovsm () IPFW EDU>
Date: Tue, 14 Jun 2016 19:22:31 +0000

Exactly the same answers for us.  About 10 years ago, we would do an annual audit to clean up unused accounts.  It took 
a lot of time, and we ended up deleting accounts for people who didn't log in regularly but still wanted to keep the 
account.  Pretty much we only delete the accounts now if the person requests it or they pass away.

mandi

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Melissa 
Jackman
Sent: Tuesday, June 14, 2016 3:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Retiree Account Privileges

Hi there,

To answer your questions below:


* How do you determine a retiree from a person who just resigns?

  o HR coding in the ERP - they determine the criteria - usually a University policy (i.e. over 10 years of service)

* Do you put them on a separate domain such as alumni or retired?

  o No, they maintain their old account

* Do you provide a full mailbox service or just an e-mail forward?

  o Full Mailbox

* Do you purge their existing mailbox contents and have them start fresh to protect institutional data?

  o No, because realistically in Office 365 they could have created offline folders and maintained the data anyway.  As
    far as all new mail we require the users to place an out of office on their account that notifies all new incoming
    senders that they are no longer the contact.

* How long do they get to keep their account or forward?  A time period and then a renewal?  Based on activity?

  o Until they are deceased.

We have had to evaluate some users on a case-by-case basis depending on what department they are in.  For example, if a 
person in health services retires, they could continue to receive info that falls under HIPAA.  So what we did in those 
instances is delete their old account and create a new one for them.

Hope that helps...
Melissa Jackman
Manager - Help Desk
Duquesne University
412-396-4453
jackman () duq edu


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gregg, 
Christopher S.
Sent: Tuesday, June 14, 2016 11:52 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Retiree Account Privileges

I apologize if this was discussed recently.  I scanned the archives and didn't see anything since 2010.

We are revisiting our stance on providing e-mail accounts and/or addresses to retirees when they leave the university.  
We already have a process in place for faculty who are designated as official faculty emeriti but that is a specific 
official role, so this would be for others who don't fit into that category.

I am curious how your institutions handle this.


* Do you allow retired faculty and/or staff to keep their e-mail accounts?

If you do provide retirees with e-mail accounts...

* How do you determine a retiree from a person who just resigns?

* Do you put them on a separate domain such as alumni or retired?

* Do you provide a full mailbox service or just an e-mail forward?

* Do you purge their existing mailbox contents and have them start fresh to protect institutional data?

* How long do they get to keep their account or forward?  A time period and then a renewal?  Based on activity?

We're a recently migrated Office365 shop.  Our tentative plan is to offer a new empty mailbox connected to the 
previous SMTP address in our main domain to those who meet the agreed upon age/tenure requirements that our Provost, 
HR, and Advancement folks determine.  We would then like to include some form of activity check and terminate accounts 
that go unused for a period of time.  This plan should provide a fair amount of risk mitigation.

The main risks remaining would be that some sensitive data still might be mailed to the person's address based on habit 
or old script, or that a retiree would get involved in some incident with their new account that requires significant 
effort by our security and/or legal team (litigation hold, abuse complaint, compromised account, etc).

I'd prefer that if we offer anything it would be an e-mail forward, but there seems to be a consensus among our 
leadership that we should offer a full account to retirees.  I am trying to find a way to provide the service in a way 
that limits our risk and meets our business requirement.

Thanks,

Chris



Chris Gregg
Associate Vice President of Information Security & Risk Management
Information Technology Services (ITS)
csgregg () stthomas edu
p 1 (651) 962-6265
University of St. Thomas | stthomas.edu<https://www.stthomas.edu/>



