Educause Security Discussion mailing list archives

Re: Systems Access Policy


From: Ruth Ginzberg <rginzberg () UWSA EDU>
Date: Tue, 27 Mar 2018 14:17:35 +0000

Expanding on Tim’s observation:

The deprovisioning process needs to include a process for deprovisioning what may be a plethora of cloud services (some 
of which may or may not be served by your SSO).  Without deprovisioning ALL cloud services as well, former employees 
often can retain access to things they are not authorized to access.


Ruth Ginzberg
608-890-3961

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Tim Faircloth
Sent: Tuesday, March 27, 2018 9:09 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Systems Access Policy

I’d like to expand upon Frank’s comments by saying that the risk of giving a new hire early access to systems is 
significantly less than the risk of a former employee retaining access to said systems.

In other words, I think it’s more important to worry about timely *de*provisioning.

/tim
--
Tim Faircloth
System Administrator, GSW IIT
229-931-5076

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Frank 
Barton
Sent: Tuesday, March 27, 2018 9:56 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Systems Access Policy

Michael, I think I may be reading too much between the lines here, so feel free to correct me.

The first thing I am noticing is a disconnect between "Hire Date", "Start Date", and "First Day of Classes", and that 
would be a conversation to have with your HR department. Long story short, if their start-date is the first day of 
classes, that gives them NO time to set up classes, and to get started, and I don't think it serves your students well.

The second thing is that, yes, we set up faculty (and staff) accounts as soon as we are notified by HR that there is a 
new hire, and that they have passed all of the necessary hurdles (background checks, etc.). This also then creates 
email, LMS accounts, etc. I would make the argument that this is a net benefit as it then also allows any discussions 
to move into the institutional email system. This also gives us time to make sure that all of the needed permissions 
are in place so that they have access to everything that they need when they land. (Account provisioning is not 
instantaneous after all.)

I guess, I would ask you what risks you do see, and what problems have you seen? Obviously, I am not a lawyer, and at 
the end of the day your general counsel may have the final say as to when accounts get created and activated.

Frank

On Tue, Mar 27, 2018 at 9:30 AM, Madl, Michael <michael.madl () indwes edu> wrote:
Good morning,

Do your respective universities allow faculty new hires access to systems prior to their hire date for the purposes of 
building LMS course shells in preparation for their classes?

I understand why some institutions may do this ‘but’ I do see inherent risks with setting up accounts prior to official 
start dates.  Accounts can be set up with limited access to start then further loosened after the start date but that 
creates double work and more of an administrative nightmare.

If you could elaborate on any experiences, policies or thoughts around this I would greatly appreciate it.

Thanks in advance!



--
Frank Barton
Security+, ACMT, MCP
IT Systems Administrator
Husson University
