Employee Access Termination -- Cause 2011

We received an Institutional Audit comment regarding termination of access to systems.

The finding required immediate termination of access upon severance or leaving employment.

A team was formed to address the audit comment, identify a new process, and automate account termination within 24 hours of separation.

This presentation will provide:
o Background and Overview
o Policy Review
o Access Termination Process
o IT Processes/Functionality
o Project Implementation
o Summary and Lessons Learned

Intended audience: Anyone who might find themselves involved in a similar project someday. The presentation will be geared towards a wide audience. Both functional user and technical user information will be included. Presentation will not delve deeply into the “nitty gritty” of programming, but will include an overview. This information could be useful for an HR consultant, Business Analyst, programmer, or manager.

Published in: Education, Business, Technology

  1. EMPLOYEE ACCESS TERMINATION PROJECT
     A whale of a tale…
  2. Agenda
     • Background and Overview
     • Policy 95 Review
     • Access Termination Process
     • IT Processes/Functionality
     • EAT Project Implementation
     • Summary
  3. Overview: Background
     • WCU received an Institutional Audit comment regarding termination of access to systems
     • State Auditor’s review based on ISO 27002 which requires: Immediate termination of access upon severance or leaving employment
     • Employee Separations = Access Terminations
     • A team was formed to address the audit comment, identify a new process, and automate account termination within 24 hours of separation
     • Project was named EAT (Employee Access Termination)
  4. EAT Project Process and Scope
     Process:
     1. Department notifies HR/Career Services/Financial Aid/Graduate School of separation via appropriate separation paperwork.
     2. HR separates the employee’s record accordingly in Banner.
     3. Automated process reads employee records in Banner to inactivate accounts on the date provided by the appropriate separation paperwork.
     Scope:
     • Only addressed access termination
     • Granting access was not included in scope
     • Access still dependent on same procedures (hiring / compliance paperwork required)
  5. Policy 95 Review
     Existing policy for Data Network Security and Access Control
     • Revised to reflect the realities and possibilities of automated termination
     Review and approval occurred at many levels
     • Executive Council
     • Internal Audit
     Policy revision required lots of communication
     • Deans
     • Department Heads
     • Administrative Assistants
     Policy 95: http://www.wcu.edu/25378.asp
  6. Policy 95 stipulates who, what, how, and when… (the rules)
  7. Accountability for Policy Fulfillment
     WCU’s Office of Internal Audit Review Perspective: It is the responsibility of each department to provide timely notification of employment and termination to HR. Departmental notifications and personnel processing actions are subject to audit by the University’s Internal Auditor and by external auditors. As such, the timeframes for compliance rest at the departmental level.
     For audit reporting purposes: Comments are added to Banner when paperwork is received by HR after separation date.
  8. Termination Paperwork: Timeliness and Accountability
     • Departments need to provide paperwork to HR/Career Services/Financial Aid/Graduate School as soon as possible before last work date
     • If Termination is ‘last minute’, they can call HR to expedite both employee and access termination
     • Termination: Last work date = last access date
       - If paperwork is submitted late to HR and no notification is made prior to last work date, access will continue past true last work date.
       - If Account Access is terminated retroactively for the employee, it may prompt audit questions. Such questions will be directed to the department for clarification and accountability.
  9. New Terminology and Clear Definition Required
     Terminations are based on “Last Day of Access” (Last Day in the Chair)
     • Last Work Date, for WCU, references last day of formal work
     • Formal Contract dates must incorporate complete date range for required network resource access
       - Contract dates for fixed term Faculty employees reflect time for course fulfillment past last day of class to allow for final tasks to be completed
  10. Access Termination Process
      How this affects the campus:
      • Affects all employees and affiliates
        - SPA, EPA Non-Teaching, Hourly, etc. → Account Inactivation on last work date
        - Fixed Term ‘Instructor’ type roles (Adjuncts, Teaching GA’s, Faculty, etc.) → Account inactivation on Contract End Date
        - Tenure Track Faculty → Account Inactivation based on individual situation
      • Any remaining business after an employee separation date or contract end date must be facilitated by Director/Department Head since the employee is no longer affiliated with the University
  11. How Access Termination Affects Employees
      Non Fixed-Term (SPA and EPA) employees
      • Last Access date determined by last day of work.
      • Already managed in Banner.
      Hourly Employees
      • Last Access date determined by last day of work.
      • If hourly employee not paid in 6 weeks will be reviewed for termination
      Fixed-Term (Contract Driven) Employees
      • Last Day of Access is determined by Contract dates.
      • Contract start and end dates have been aligned to match true work dates in Banner.
  12. Non-Fixed Term Based Employees
      SPA, EPA Non-Faculty, Administrative GA’s, and Hourly
      [Timeline diagram: Employee, then Former Employee (No Access); markers: Last Work Date, Last Access Date, Last Paycheck]
      Last Work Date = Last Access Date
  13. Fixed Term Based Employees
      Teaching Employees: Fixed Term Faculty, Graduate TA’s, and Adjuncts
      • No access allowed when not under contract
      • Access terminated when not under a contract
      [Timeline diagram: Under Contract, Contract End, then Not Under Contract (No Access)]
      Dates to use on contracts supplied by HR and Graduate School
  14. Faculty Continuous Access
      Access remains intact provided that new contracts and compliance paperwork are processed by HR before the end of contract.
      [Timeline diagram: Spring (contract), Fall (contract), Spring (contract); No break in access]
  15. Faculty Access Between Terms
      Break in Service occurs when a faculty member does not have a contract between major terms.
      State Regulations and WCU’s Policy 95 on Data and Network Security prohibits access for employees that are not under contract. Therefore access is not allowed during a break in service.
      [Timeline diagram: Spring (contract), Fall (no contract), Spring (contract); Break in Service]
  16. How Access Termination Affects Instructor of Record
      Instructor Record
      • Any Instructor of Record association for Faculty, Adjuncts, and Teaching GA’s is ‘Terminated’
      • Existing advising association is ‘Terminated’
      Instructor Relationships are Affected
      • Instructor/Advisor role ended for term (SIAINST)
      • Instructor removed from incomplete and future sections (SSASECT)
      Department Head facilitates any questions regarding students after access is terminated
  17. How Access Termination Affects Email and Network Login
      • Network login is ‘Terminated’ on Last Day of Access
      • Email is ‘Terminated’ on Last Day of Access
      • When Expiration Date is Known Before ‘Termination’, Automated Email Reminders Sent to Employees:
        – Employees may wish to create an auto-response to inform others of their Last Access Day and alternative contact information prior to their last work date
  18. IT Processes and Functionality Engaged to Facilitate Terminations
      • Supplemental Data Engine fields
        - Capture ‘paperwork received date’ to track tardy paperwork and access terminations, which provides audit information
      • WCU Identity Management Roles utilized
        - Easily apply termination rules to specific population sets
      • Event Initiation and Processing
        - Last Day of Access determines entry into the event processing queue
        - Access Termination is processed for registered applications
        - Scalable mechanism for additional automated event and termination processing
  19. Banner Set-up for SDE
      4) Run the generated DDL as appropriate user
  20. DDL Creates New View
      PEAEMPL_ADD view contains existing table elements, plus additional comment fields:
  21. PEAEMPL -- Comment Fields
  22. WCU Roles: What are they?
      A high level view of our data reveals three basic roles
  23. Role Sub-Components: Each Role (i.e., “STUDENT”) Reveals a Variety of Sub-Roles
      [Diagram: STUDENT surrounded by sub-role questions: Intending Student? Future Student? Cullowhee Commuter? Former Student? Currently Enrolled? Continuing?]
  24. Role Creation: Scalable Mechanism for Identifying, Managing, and Consuming Roles
      [Diagram: Role, Role Memberships, Sub-Role Memberships]
  25. Role Set-Up
      Role Validation Table: Rule Definitions for Role Creation:
  26. Example of Role Membership
      • One role may, or may not, be a member of other roles
      • One role may consist of many combined roles
      • One role may be a member of multiple other roles
      [Table of sample roles and the roles they belong to. Roles shown: Guests, Cullowhee Commuter, Permanent Staff Worker, Hourly Staff Worker, Temporary Staff Worker, Adjunct Faculty Worker, Faculty, Work Study, Non-Work Study, GA (non-teaching, non-lab); parent roles shown: Worker, All Faculty, Administrative Student Worker]
  27. Role Maintenance
      • PLSQL packages are written to utilize role definition rules to create/maintain role populations
      • Populations refreshed via UC4 (AppWorx) batch processing jobs
      • Individual role memberships are activated/in-activated every two hours, based upon data changes in Banner, our system of record
      • One individual may belong to multiple roles concurrently
  28. Sample Person Look-Up Report Utilizing Role Information
      …
  29. Roles Provide:
      • Precise definition → understanding
      • Stability of populations → error reduction
      • Single source of data → sameness across systems
      • Auditing information → policy enforcement
        – Banner data drives role membership
        – Banner data drives access control
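  30. Sample Role Selection (used in BlackBoard Integration)
      -- The argument to wcuidm.f_group_members is a Role Code,
      -- written here as a quoted string literal.
      WITH BB_Users AS (
        SELECT * FROM TABLE (wcuidm.f_group_members ('E'))
        UNION
        SELECT * FROM TABLE (wcuidm.f_group_members ('35'))
        UNION
        SELECT * FROM TABLE (wcuidm.f_group_members ('SA'))
        UNION
        SELECT * FROM TABLE (wcuidm.f_group_members ('8'))
      )
      -- The slide shows only the WITH clause; a query over it completes the statement.
      SELECT * FROM BB_Users;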
  31. WCU Identity Management Roles
      • Easy to figure out problems and solutions
      • Wide application for use campus-wide
      [Diagram: Identity Management at the center, feeding PeopleAdmin; Active Directory; Online Directory (synced with Outlook); Pawprint Reports (PersonLookup, New Hires, Terminations); Security Groups and Distribution Lists; LMS (Blackboard); Portal (Luminis)]
  32. Event Initiation, Fulfillment and Processing
  33. Events: Process and Timing
      • Processing Runs Daily at 1am
      • Individuals in Active Roles, with access expiration as of previous date, are placed in the queue for termination
      • Registered applications are processed against each event termination
      • Backup data is archived
      • Detailed outcomes are logged
      • Event processing is auditable and reportable
  34. Events: Timing and Human Error
      • Recognizing we are all human, we allowed for inevitable unintended consequences…
      • One caveat was built into the processing to allow for human error and paperwork timeliness
        – Seven-day window for automated “un-termination”
          - Paperwork was a day late
          - “Fat-finger” on the keyboard resulted in incorrect update
  35. Event Processing Report Samples
      Instructor Associations – Useful for Departments
  36. Upcoming Terminations
      Departments can subscribe to reports to track known, upcoming terminations. This is helpful for getting paperwork in on time.
  37. Event Queue Summary
      Useful for Audit and Internal Control
  38. Event Log Details Per Registered Application
      Useful for Audit and Internal Control
  39. Project Magnitude and Resources
      • Upper level support (multiple project demands)
      • Subject Matter Experts involved for expertise and judgment calls (HR, IT, Project Management; others as needed: Departments, Registrar, etc.)
      • Time commitment (2 hr meetings/twice weekly, independent work time)
      • Complexity (policy, rules, process, data)
      • Reporting to the Executive Council weekly
      • End user training to departmental users, as well as internal users (i.e. help desk)
      • Communication Plan campus wide
  40. Project Timeline
      • Project kickoff in November
      • Initial request for Go-Live: January
      • Complexities, communication, holiday timing, policy changes, program spec and development, and thorough testing demanded longer timeline
      • Revised Go-Live: March
      • Implemented in Audit mode in PROD: February 8
      • Implemented in Update mode in PROD: March 1
      • Continued communication, as well as minor program and reporting revisions during March
      • Final Project Wrap-Up: early April
  41. Lessons Learned
      • Clearly defined business practices and policies are crucial
      • Continuous education is necessary for management turnover
      • “Panic control” can be managed by having solid business practices in place for problem investigation and resolution when possible issues arise
      • Change is difficult; education is key
  42. Summary
      • Audit defensible system
        – Revising policies to meet auditor and WCU business practices
        – Clarifying early access / late access based on stakeholders/audit requirements
      • Created efficiencies
      • Provide timely service to campus
      • Accountability
  43. Conclusion
      "Change is hard because people overestimate the value of what they have—and underestimate the value of what they may gain by giving that up."
      - James Belasco and Ralph Stayer, Flight of the Buffalo (1994)
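
The nightly event run on slides 33 and 34, sketched as an added Python example; it is not WCU's PL/SQL and not part of the original slides. The class and function names, the sample people, treating any expiration date before the run date as expired, and reading "un-termination" as restoring access when the date on record is corrected within seven days are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

UNTERMINATE_WINDOW = timedelta(days=7)   # the seven-day window on slide 34

@dataclass
class Person:
    pid: str
    active_roles: set
    last_access: Optional[date]           # None = no end date on record
    terminated_on: Optional[date] = None

class App:
    """Registered application; the set stands in for a real connector."""
    def __init__(self, name):
        self.name, self.disabled = name, set()

def expired(p, run_date):
    # "Access expiration as of previous date": any date before the run date,
    # so a missed run or late paperwork is still caught (assumption).
    return p.last_access is not None and p.last_access < run_date

def nightly_run(people, apps, run_date, log, archive):
    """One daily pass: terminate the queue, then undo recent corrections."""
    queue = [p for p in people
             if p.active_roles and p.terminated_on is None and expired(p, run_date)]
    for p in queue:
        archive[p.pid] = sorted(p.active_roles)    # backup before any change
        for app in apps:
            app.disabled.add(p.pid)
            log.append((run_date, p.pid, app.name, "TERMINATED"))
        p.terminated_on = run_date
    for p in people:
        corrected = p.terminated_on is not None and not expired(p, run_date)
        # Restore only inside the window; later fixes need a manual decision.
        if corrected and run_date - p.terminated_on <= UNTERMINATE_WINDOW:
            for app in apps:
                app.disabled.discard(p.pid)
                log.append((run_date, p.pid, app.name, "RESTORED"))
            p.terminated_on = None
    return [p.pid for p in queue]

def demo():
    # Constructed sample data; ids and dates are made up.
    apps = [App("network-login"), App("email")]
    people = [Person("A1", {"Permanent Staff Worker"}, date(2011, 3, 1)),
              Person("B2", {"Adjunct Faculty Worker"}, date(2011, 3, 1)),
              Person("C3", {"Hourly Staff Worker"}, None)]
    log, archive = [], {}
    first = nightly_run(people, apps, date(2011, 3, 2), log, archive)
    people[1].last_access = date(2011, 5, 6)       # HR fixes a mistyped date
    nightly_run(people, apps, date(2011, 3, 4), log, archive)
    return first, sorted(apps[1].disabled), len(log)
```

Every termination and restoration is appended to `log` per application, which is the record an auditor would ask for when access was ended retroactively or restored.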
