Re: Systems Access Policy

["Boyce, Rori" <Rori.Boyce () UNH EDU>]

We have a process used to grant access to people with a legitimate need to access University resources but who do not 
have a qualified role that would give them access (vendors, volunteers, etc.).  Granting access to these users, called 
Sponsored Users, requires the approval of a Dean or higher.  We use this process to provide access to Faculty members 
(and other new hires) that have a legitimate business need to be granted early access prior to their start date with HR 
providing the approvals.  There are limits to the types of access and accounts Sponsored Users can be granted.

Rori


Rori Boyce
Information Security Compliance Program Manager
University of New Hampshire<http://www.unh.edu/>
Information Security Services (ISS)<http://www.unh.edu/it/information-security-services>
d.  (603) 862-2377
m. (603) 731-9071

[ISS UNH logo]



From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Frank Cafasso
Sent: Tuesday, March 27, 2018 10:21 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Systems Access Policy

Caution - External Email
________________________________
We have a pretty strict "no access until your start date" policy for staff, but we have been a little more lenient for 
faculty for the exceptions you've described. I'm not that concerned with allowing LMS access, since they can only 
affect their own classes, but in some cases we've been asked to provide physical computer access well in advance of a 
Fall start date. I have more of an issue with that.

Our faculty contracts run from the start of the Fall semester to the end of the Spring semester, so new Fall 
instructors will always have the first day of classes as their start date. Some don't care about getting their LMS 
course in order prior to day 1, but many do.

Best,
Frank


Frank Cafasso | Chief Information Officer
Office of Information 
Technology<https://urldefense.proofpoint.com/v2/url?u=http-3A__wagner.edu_it&d=DwMFaQ&c=c6MrceVCY5m5A_KAUkrdoA&r=2AhSyVnChVh9m8RkgColV-eypPJWVTYd9FS1d9eZUYg&m=lxjlhMIwYBLIJGVHxU3zqoAY4Z7ZZNX0Cq8FK2ozWxU&s=hJwKUAPPJ_CZapcYIHzHNjGEAr8EHf5rYyH1PaCD5aU&e=>
wagner.edu<https://urldefense.proofpoint.com/v2/url?u=http-3A__wagner.edu_&d=DwMFaQ&c=c6MrceVCY5m5A_KAUkrdoA&r=2AhSyVnChVh9m8RkgColV-eypPJWVTYd9FS1d9eZUYg&m=lxjlhMIwYBLIJGVHxU3zqoAY4Z7ZZNX0Cq8FK2ozWxU&s=nvRoYCJGO9CoUqCgjV4gI0d2-jFh5u8kxubB2EGOxUo&e=>
 |  718.420.4220

Connect with Wagner College 
IT!<https://urldefense.proofpoint.com/v2/url?u=http-3A__twitter.com_WagnerCollegeIT&d=DwMFaQ&c=c6MrceVCY5m5A_KAUkrdoA&r=2AhSyVnChVh9m8RkgColV-eypPJWVTYd9FS1d9eZUYg&m=lxjlhMIwYBLIJGVHxU3zqoAY4Z7ZZNX0Cq8FK2ozWxU&s=OhEYkz8WPUul371K40es86ZPrfcU0HilqOnIwd9kahs&e=>

On Tue, Mar 27, 2018 at 10:08 AM, Tim Faircloth <Tim.Faircloth () gsw edu<mailto:Tim.Faircloth () gsw edu>> wrote:
I’d like to expand upon Frank’s comments by saying that the risk of giving a new hire early access to systems is 
significantly less than the risk of a former employee retaining access to said systems.

In other words, I think it’s more important to worry about timely *de*provisioning.

/tim
--
Tim Faircloth
System Administrator, GSW IIT
229-931-5076<tel:(229)%20931-5076>

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () 
LISTSERV EDUCAUSE EDU>] On Behalf Of Frank Barton
Sent: Tuesday, March 27, 2018 9:56 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Systems Access Policy

Michael, I think I may be reading too much between the lines here, so feel free to correct me.

The first thing I am noticing is a disconnect between "Hire Date", "Start Date", and "First Day of Classes", and that 
would be a conversation to have with your HR department. long-story short, if their start-date is the first day of 
classes, that gives them NO time to set up classes, and to get started, and I don't think it serves your students well.

The second thing is that, yes, we set up faculty (and staff) accounts as soon as we are notified by HR that there is a 
new hire, and that they have passed all of the necessary hurdles (background checks, etc.) This also then creates 
email, LMS accounts, etc. I would make the argument that this is a net benefit as it then also allows any discussions 
to move into the institutional email system. This also gives us time to make sure that all of the needed permissions 
are in place so that they have access to everything that they need when the land. (account provisioning is not 
instantaneous after all)

I guess, I would ask you what risks you do see, and what problems have you seen? obviously, I am not a lawyer, and at 
the end of the day your general counsel may have the final say as to when accounts get created and activated.

Frank

On Tue, Mar 27, 2018 at 9:30 AM, Madl, Michael <michael.madl () indwes edu<mailto:michael.madl () indwes edu>> wrote:
Good morning,

Do your respective universities allow faculty new hires access to systems prior to their hire date for the purposes of 
building LMS course shells in preparation for their classes?

I understand why some institutions may do this ‘but’ I do see inherit risks with setting up accounts prior to official 
start dates.  Accounts can be set up with limited access to start then further loosened after the start date but that 
creates double work and more of an administrative nightmare.

If you could elaborate on any experiences, polices or thoughts around this I would greatly appreciate it.

Thanks in advance!



--
Frank Barton
Security+, ACMT, MCP
IT Systems Administrator
Husson University