Educause Security Discussion
mailing list archives
Re: Exceptions to not keeping accounts for ex-employees
From: "Cheek, Leigh" <lcheek () UTK EDU>
Date: Fri, 20 Jul 2007 13:30:11 -0400
I have an audit finding on Banner accounts of terminated employees not
being closed. Apparently if a financial aid director creates a query for
the department use, then you cannot delete that account otherwise the
department cannot use that query. You can change the password and
disable the account.
I only have this problem on one campus. Have you run across this
Leigh Cheek, CIA, CISA
Audit and Consulting Services
University of Tennessee
149 Conference Center Building
Knoxville, TN 37996-4114
fax (865) 974-6171
lcheek () utk edu
From: Michael Fox [mailto:Mfox () GEORGIASOUTHERN EDU]
Sent: Friday, July 20, 2007 11:54 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Exceptions to not keeping accounts for ex-employees
We have a policy for what to do with accounts of employees that are no
longer employed at our university. What we are dealing with (seemingly
on a more frequent basis) is the request for keeping the account active
or available for longer. We have had requests for up to 9 months. The
reasons vary, some are just nonsense and some have what seem to be
Most of these are for e-mail accounts, but we have had a few for other
accounts. Right now our e-mail accounts are separate from all other
accounts so the account team has the ability to disable and remove other
accounts more sensitive (Banner, PeopleSoft, etc).
What I would like to ask is what criteria do other schools use for the
exceptions (if you do allow exceptions)? Also if you do allow exceptions
what are some of the limits you put on the exceptions.
To be honest 99% of the requests for exceptions can be handled by
advanced preparation of the employee and the department but I haven't
gotten others to agree to this (yet).
Any input would be helpful and appreciated.
Georgia Southern University
Information Technology Services
Office of Information Security
mfox () georgiasouthern edu
NOTE: This email message is intended only for the named recipient(s)
above and may contain information that is privileged, confidential, and
or exempt from disclosure under applicable law. If you have received
this message in error, or are not the named recipient(s), please
immediately contact the sender and delete this email message.