Employee Access Termination -- Cause 2011


We received an Institutional Audit comment regarding termination of access to systems.

The finding required immediate termination of access upon severance or leaving employment.

A team was formed to address the audit comment, identify a new process, and automate account termination within 24 hours of separation.

This presentation will provide:
o Background and Overview
o Policy Review
o Access Termination Process
o IT Processes/Functionality
o Project Implementation
o Summary and Lessons Learned

Intended audience: Anyone who might find themselves involved in a similar project someday. The presentation will be geared towards a wide audience. Both functional user and technical user information will be included. Presentation will not delve deeply into the “nitty gritty” of programming, but will include an overview. This information could be useful for an HR consultant, Business Analyst, programmer, or manager.

Published in: Education, Business, Technology

  • 2. Agenda
      - Background and Overview
      - Policy 95 Review
      - Access Termination Process
      - IT Processes/Functionality
      - EAT Project Implementation
      - Summary
  • 3. Overview Background
      - WCU received an Institutional Audit comment regarding termination of access to systems
      - State Auditor’s review based on ISO 27002, which requires: Immediate termination of access upon severance or leaving employment
      - Employee Separations = Access Terminations
      - A team was formed to address the audit comment, identify a new process, and automate account termination within 24 hours of separation
      - Project was named EAT (Employee Access Termination)
  • 4. EAT Project Process and Scope
    Process:
      1. Department notifies HR/Career Services/Financial Aid/Graduate School of separation via appropriate separation paperwork.
      2. HR separates the employee’s record accordingly in Banner.
      3. Automated process reads employee records in Banner to inactivate accounts on the date provided by the appropriate separation paperwork.
    Scope:
      - Only addressed access termination
      - Granting access was not included in scope
      - Access still dependent on same procedures (hiring / compliance paperwork required)
  • 5. Policy 95 Review
    Existing policy for Data Network Security and Access Control
      - Revised to reflect the realities and possibilities of automated termination
    Review and approval occurred at many levels
      - Executive Council
      - Internal Audit
    Policy revision required lots of communication
      - Deans
      - Department Heads
      - Administrative Assistants
    Policy 95:
  • 6. Policy 95 stipulates who, what, how, and when… (the rules)
  • 7. Accountability for Policy Fulfillment
    WCU’s Office of Internal Audit Review Perspective: It is the responsibility of each department to provide timely notification of employment and termination to HR. Departmental notifications and personnel processing actions are subject to audit by the University’s Internal Auditor and by external auditors. As such, the timeframes for compliance rest at the departmental level.
    For audit reporting purposes: Comments are added to Banner when paperwork is received by HR after separation date.
  • 8. Termination Paperwork: Timeliness and Accountability
      - Departments need to provide paperwork to HR/Career Services/Financial Aid/Graduate School as soon as possible before last work date
      - If Termination is ‘last minute’, they can call HR to expedite both employee and access termination
      - Termination: Last work date = last access date
          - If paperwork is submitted late to HR and no notification is made prior to last work date, access will continue past true last work date.
          - If Account Access is terminated retroactively for the employee, it may prompt audit questions. Such questions will be directed to the department for clarification and accountability.
  • 9. New Terminology and Clear Definition Required
    Terminations are based on “Last Day of Access” (Last Day in the Chair)
      - Last Work Date, for WCU, references last day of formal work
      - Formal Contract dates must incorporate complete date range for required network resource access
          - Contract dates for fixed term Faculty employees reflect time for course fulfillment past last day of class to allow for final tasks to be completed
  • 10. Access Termination Process
    How this affects the campus:
      - Affects all employees and affiliates
          - SPA, EPA Non-Teaching, Hourly, etc. → Account Inactivation on last work date
          - Fixed Term ‘Instructor’ type roles (Adjuncts, Teaching GA’s, Faculty, etc.) → Account inactivation on Contract End Date
          - Tenure Track Faculty → Account Inactivation based on individual situation
      - Any remaining business after an employee separation date or contract end date must be facilitated by Director/Department Head since the employee is no longer affiliated with the University
  • 11. How Access Termination Affects Employees
    Non Fixed-Term (SPA and EPA) employees
      - Last Access date determined by last day of work.
      - Already managed in Banner.
    Hourly Employees
      - Last Access date determined by last day of work.
      - If hourly employee not paid in 6 weeks will be reviewed for termination
    Fixed-Term (Contract Driven) Employees
      - Last Day of Access is determined by Contract dates.
      - Contract start and end dates have been aligned to match true work dates in Banner.
  • 12. Non-Fixed Term Based Employees
    SPA, EPA Non-Faculty, Administrative GA’s, and Hourly
    [Timeline diagram: Employee, then Former Employee (No Access); markers: Last Work Date, Last Paycheck, Last Access Date]
    Last Work Date = Last Access Date
  • 13. Fixed Term Based Employees
    Teaching Employees: Fixed Term Faculty, Graduate TA’s, and Adjuncts
      - No access allowed when not under contract
      - Access terminated when not under a contract
    [Diagram labels: No Access, Under Contract, Not Under Contract]
    Contract End Dates to use on contracts supplied by HR and Graduate School
  • 14. Faculty Continuous Access
    Access remains intact provided that new contracts and compliance paperwork are processed by HR before the end of contract.
    [Diagram: Spring (contract), Fall (contract), Spring (contract): No break in access]
  • 15. Faculty Access Between Terms
    Break in Service occurs when a faculty member does not have a contract between major terms.
    State Regulations and WCU’s Policy 95 on Data and Network Security prohibit access for employees that are not under contract. Therefore access is not allowed during a break in service.
    [Diagram: Spring (contract), Fall (no contract), Spring (contract): Break in Service]
  • 16. How Access Termination Affects Instructor of Record
    Instructor Record
      - Any Instructor of Record association for Faculty, Adjuncts, and Teaching GA’s is ‘Terminated’
      - Existing advising association is ‘Terminated’
    Instructor Relationships are Affected
      - Instructor/Advisor role ended for term (SIAINST)
      - Instructor removed from incomplete and future sections (SSASECT)
    Department Head facilitates any questions regarding students after access is terminated
  • 17. How Access Termination Affects Email and Network Login
      - Network login is ‘Terminated’ on Last Day of Access
      - Email is ‘Terminated’ on Last Day of Access
      - When Expiration Date is Known Before ‘Termination’, Automated Email Reminders Sent to Employees:
          - Employees may wish to create an auto-response to inform others of their Last Access Day and alternative contact information prior to their last work date
  • 18. IT Processes and Functionality Engaged to Facilitate Terminations
      - Supplemental Data Engine fields
          - Capture ‘paperwork received date’ to track tardy paperwork and access terminations, which provides audit information
      - WCU Identity Management Roles utilized
          - Easily apply termination rules to specific population sets
      - Event Initiation and Processing
          - Last Day of Access determines entry into the event processing queue
          - Access Termination is processed for registered applications
          - Scalable mechanism for additional automated event and termination processing
  • 19. Banner Set-up for SDE
      4) Run the generated DDL as appropriate user
  • 20. DDL Creates New View
    PEAEMPL_ADD view contains existing table elements, plus additional comment fields:
  • 21. PEAEMPL -- Comment Fields
  • 22. WCU Roles: What are they?
    A high level view of our data reveals three basic roles
  • 23. Role Sub-Components: Each Role (i.e., “STUDENT”) Reveals a Variety of Sub-Roles
    [Diagram of STUDENT sub-roles; labels as extracted: Intending Student? Future Cullowhee Student? Commuter? Former Currently Student? Enrolled? Continuing?]
  • 24. Role Creation: Scalable Mechanism for Identifying, Managing, and Consuming Roles
    [Diagram labels: Role, Role Memberships, Sub-Role Memberships]
  • 25. Role Set-Up
    Role Validation Table:
    Rule Definitions for Role Creation:
  • 26. Example of Role Membership
      - One role may, or may not, be a member of other roles
      - One role may consist of many combined roles
      - One role may be a member of multiple other roles
    [Table of example roles and the roles they belong to; role names appearing in it: Worker, Guests, Cullowhee Commuter, Permanent Staff, Hourly Staff, Temporary Staff, All Faculty, Adjunct Faculty, Faculty, Administrative Student Worker, Work Study, Non-Work Study, GA (non-teaching, non-lab)]
  • 27. Role Maintenance
      - PLSQL packages written to utilize role definition rules to create/maintain role populations
      - Populations refreshed via UC4 (AppWorx) batch processing jobs
      - Individual role memberships are activated/in-activated every two hours, based upon data changes in Banner, our system of record
      - One individual may belong to multiple roles concurrently
  • 28. Sample Person Look-Up Report Utilizing Role Information …
  • 29. Roles Provide:
      - Precise definition → understanding
      - Stability of populations → error reduction
      - Single source of data → sameness across systems
      - Auditing information → policy enforcement
          - Banner data drives role membership
          - Banner data drives access control
  • 30. Sample Role Selection (used in BlackBoard Integration)
      WITH BB_Users AS (
        -- each argument to f_group_members is a Role Code
        SELECT * FROM TABLE (wcuidm.f_group_members ('E'))
        UNION
        SELECT * FROM TABLE (wcuidm.f_group_members (35))
        UNION
        SELECT * FROM TABLE (wcuidm.f_group_members ('SA'))
        UNION
        SELECT * FROM TABLE (wcuidm.f_group_members (8))
      )
      SELECT * FROM BB_Users;
  • 31. WCU Identity Management Roles
      - Easy to figure out problems and solutions
      - Wide application for use campus-wide
    [Diagram: Identity Management connected to PeopleAdmin; Active Directory; Online Directory (synced with Outlook); Pawprint Reports (PersonLookup, New Hires, Terminations); Security Groups and Distribution Lists; LMS (Blackboard); Portal (Luminis)]
  • 32. Event Initiation, Fulfillment and Processing
  • 33. Events: Process and Timing
      - Processing Runs Daily at 1am
      - Individuals in Active Roles, with access expiration as of previous date, are placed in the queue for termination
      - Registered applications are processed against each event termination
      - Backup data is archived
      - Detailed outcomes are logged
      - Event processing is auditable and reportable
  • 34. Events: Timing and Human Error
      - Recognizing we are all human, we allowed for inevitable unintended consequences…
      - One caveat was built into the processing to allow for human error and paperwork timeliness
          - Seven-day window for automated “un-termination”
              - Paperwork was a day late
              - “Fat-finger” on the keyboard resulted in incorrect update
  • 35. Event Processing Report Samples
    Instructor Associations – Useful for Departments
  • 36. Upcoming Terminations
    Departments can subscribe to reports to track known, upcoming terminations. This is helpful for getting paperwork in on time.
  • 37. Event Queue Summary
    Useful for Audit and Internal Control
  • 38. Event Log Details Per Registered Application
    Useful for Audit and Internal Control
  • 39. Project Magnitude and Resources
      - Upper level support (multiple project demands)
      - Subject Matter Experts involved for expertise and judgment calls (HR, IT, Project Management; others as needed: Departments, Registrar, etc.)
      - Time commitment (2 hr meetings/twice weekly, independent work time)
      - Complexity (policy, rules, process, data)
      - Reporting to the Executive Council weekly
      - End user training to departmental users, as well as internal users (i.e. help desk)
      - Communication Plan campus wide
  • 40. Project Timeline
      - Project kickoff in November
      - Initial request for Go-Live: January
      - Complexities, communication, holiday timing, policy changes, program spec and development, and thorough testing demanded longer timeline
      - Revised Go-Live: March
      - Implemented in Audit mode in PROD: February 8
      - Implemented in Update mode in PROD: March 1
      - Continued communication, as well as minor program and reporting revisions during March
      - Final Project Wrap-Up: early April
  • 41. Lessons Learned
      - Clearly defined business practices and policies are crucial
      - Continuous education is necessary for management turnover
      - “Panic control” can be managed by having solid business practices in place for problem investigation and resolution when possible issues arise
      - Change is difficult; education is key
  • 42. Summary
      - Audit defensible system
          - Revising policies to meet auditor and WCU business practices
          - Clarifying early access / late access based on stakeholders/audit requirements
      - Created efficiencies
      - Provide timely service to campus
      - Accountability
  • 43. Conclusion
    "Change is hard because people overestimate the value of what they have—and underestimate the value of what they may gain by giving that up." - James Belasco and Ralph Stayer, Flight of the Buffalo (1994)
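
The daily event run from slides 33 and 34, with the audit/update modes from slide 40, sketched in Python as an added example (not WCU's PL/SQL or any code from the presentation). Account names, application names and the log outcome strings are constructed; reading "expiration as of previous date" as on-or-before yesterday, and refusing reinstatement when the corrected date is already past, are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional
UNTERMINATE_WINDOW = timedelta(days=7)   # seven-day window from slide 34

@dataclass
class Account:
    user: str
    last_access: date                    # Last Day of Access from the system of record
    active: bool = True
    terminated_on: Optional[date] = None

@dataclass
class EventProcessor:
    apps: list                           # registered applications (constructed names)
    update_mode: bool = True             # False = audit mode: log only, change nothing
    log: list = field(default_factory=list)

    def run(self, accounts, today):
        """Daily run: queue active accounts whose access expired on or before yesterday."""
        cutoff = today - timedelta(days=1)
        queue = [a for a in accounts if a.active and a.last_access <= cutoff]
        outcome = "TERMINATED" if self.update_mode else "WOULD_TERMINATE"
        for acct in queue:
            if self.update_mode:
                acct.active, acct.terminated_on = False, today
            for app in self.apps:        # one auditable log row per application
                self.log.append((today, acct.user, app, outcome))
        return [a.user for a in queue]

    def unterminate(self, acct, corrected_last_access, today):
        """Reverse a termination made on late or mistyped data, inside the window."""
        ok = (acct.terminated_on is not None
              and today - acct.terminated_on <= UNTERMINATE_WINDOW
              and corrected_last_access >= today)
        if ok:
            acct.active, acct.terminated_on = True, None
            acct.last_access = corrected_last_access
        self.log.append((today, acct.user, "*", "UNTERMINATED" if ok else "REFUSED"))
        return ok

def demo():
    """Constructed sample data: expired yesterday, retroactive date, still under contract."""
    a, b, c = (Account("adjunct1", date(2011, 3, 1)), Account("staff2", date(2011, 2, 20)),
               Account("faculty3", date(2011, 5, 15)))
    proc = EventProcessor(apps=["network_login", "email"])
    queued = proc.run([a, b, c], date(2011, 3, 2))
    restored = proc.unterminate(a, date(2011, 3, 31), date(2011, 3, 5))   # day 3: allowed
    too_late = proc.unterminate(b, date(2011, 3, 31), date(2011, 3, 10))  # day 8: refused
    return queued, restored, too_late, [a.active, b.active, c.active], len(proc.log)
```

Running in audit mode first, as the project did in February before switching to update mode, produces the same queue and log rows without touching any account, which lets the queue be reviewed before it has effect.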