Referenced from: Systems Access Control Policy
Normal procedures are as follow:
- If the separation is immediate and involuntary, all system access and collaboration tools are terminated on the communicated separation date from the HR Director (for staff) or the University Administration Designee for UNO AAUP Chapter members (for faculty).
- If the separation is not immediate or is voluntary, e-mail access is allowed through the communicated separation date, in consideration that the employee complies with all use conditions as communicated at the time of separation.
- Continued collaboration tool use by separated employees requires approval of the HR Director or Senior Vice Chancellor for Academic Affairs and Chief Information Security Officer (CISO).
- Separated employees are entitled to base administrative access to systems that deal with benefits, payroll, and tax information. Refer to the Definitions section inside the Systems Access Control Policy for a definition of this access.
- Following BoR guidelines, Emeritus Faculty will keep their existing account within policy guidelines.
Voluntary/Involuntary (not immediate)
Employee has all access removed on the separation date. HR will communicate with the separating employee regarding the separation conditions. In the event that the separation conditions, as outlined in the separation letter, are not followed access may be terminated sooner. After discussing with the employee supervisor to assess any risk the Chief Information Security Officer (CISO) or the Director of Human Resources in consultation with the Vice Chancellor may choose at their discretion to remove access prior to any communicated date.
All access to files, servers, social media, and shared service accounts are removed on the separation day. This day is identified and reported to Information Services (IS) by Human Resources (HR) or the University Administrative Designee. Access to the management of administrative data is also removed. Base administrative access is provided for access to all benefits, documents, etc. that are required dependent upon association with the university after separation. A list of services and their associated access restrictions is available within the UNO Identification and Authentication Policy.
Involuntary (immediate)
- Employee has collaboration tools and system access removed as soon as separation date is received by Information Security Office from HR.
- The Information Security Office acknowledges the receipt of request and notifies HR or Administrative designee when complete. HR or the University Administrative designee acknowledges receipt of notification of completion.
- The employee’s manager, the University Administrative designee or HR Director may make a written request to the Information Security Office for a copy of all files to fulfill business continuity or legal requirements.
- The employee’s manager or the University Administrative designee may also request access to email for business continuity purposes. This may include a forward on the account or direct access depending upon the conditions of separation.
- A courtesy message will be placed on email notifying those outside the university that the individual is out and to contact their supervisor or the Administrative designee for specific questions.
- If personal files were kept in a folder marked “personal” then employees may be able to retrieve personal files with assistance from their manager. HR or the University Administrative designee will arrange the time and facilitate the transfer with assistance from information services.
- Depending upon the conditions of separation, where a staff member is expected to continue some duties prior to the communicated separation date, communication may be monitored and there is no right to privacy.
- All access to files and servers etc. are removed on the separation date. This day is identified and reported to the Information Security Office by HR or the Administrative designee. In the event that the separation guidelines are not followed by the separated employee, as specified from HR or the University Administrative designee at the time of separation, access may be terminated sooner. The HR Director and CISO will consult with the Vice Chancellor to assess any risk to the university and may choose, at their discretion, to remove access prior to any communicated date depending upon the perceived risk.
- Access to the management of administrative data is also removed. Base administrative access is provided for access to all benefits, documents, etc. that are required dependent upon association with the university after separation. SAP is locked upon SAP security coordinator notice.
- Employee has 90 days of limited ESS access.
Employee/Student
In the event that the employee is a currently matriculated student the following steps will be executed- No email messages will be migrated.
- Canvas access will remain and be removed based upon current student access removal schedules depending upon matriculation. The employee will be removed from any employee organizations or groups within Canvas.
- Firefly/ESS access will remain but only with the defined roles the affected individual is maintaining after separation. For an employee who is a student, this would mean that they would retain their student role access to the system. Personal employee functions performed in ESS will be available 90 days after separation.
- Limited Firefly/ESS access will be provided for 90 days.
External IT Services
All external IT service (social media, external web sites, etc.) account passwords will be changed and the separating employee account will be removed unless continued use is authorized by the supervisor within the conditions of separation.
Physical Access
Although the individual may retain the UNO ID card all access that is granted through the university proximity card system is revoked at the separation date.
University Property
All university property should be collected and noted within SAP under “Objects on Loan.” This includes any property identified in § 3.1.1.1 of the Collective Bargaining Agreement – UNO AAUP Chapter.
Special Exceptions
Employees may have multiple associations within the university including but not limited to student, alumni, or employment in a different division. It is up to the manager to identify all additional employment or associations within the university that may affect an involuntary separation. Prior to making the decision to terminate, HR will advise the manager of all other appointments within the university system. In that context, a determination of remaining access will be made by the manager in consultation with HR. IS will be notified of the selected resources for which access will be removed. A list of services and their associated access restrictions is available within the UNO Identification and Authentication Policy (under development).
Before Separation
- Please review the current inventory of systems and data access for the individual that you propose to take some type of personnel action, which will end their employment at UNO. Information Services can assist in gathering technology assets inventory when needed.
- Please review the Separation Checklist (included below) and indicate the access you want the person to have prior to the decision to separate.
- Please identify specific dates that you want their access removed.
Questions that may impact the decision:
- Is the person being terminated for cause?
- Have you determined that you no longer trust this person to act in the university’s best interest?
- Do you fear that the person may destroy data, write inappropriate emails, disrupt business or challenge the reputation of the university?
- Do you want the person to be banned or barred from the facility or require notice before returning to campus?
- Is this a termination at will?
- Will the person continue to have responsibilities for completing assignments during the notice period?
- If so, what data or systems will the person need to complete the expected during the notice period?
- Do you want to have a snapshot of the files the day the notice will be given?
- Do you want them to be allowed to remove personal files from the system?
- Are some of the person’s duties being assigned to others during the notice period?
- If so, what access to systems will those assigned individuals need?
- Do you have concerns about any of the current data authority that this individual has?
- If so, what do you want to discontinue access to and when?
- Have you developed a letter of expectations for the notice period identifying specific duties and specific actions that may negate the notice period and instead terminate for cause? That is, if one has been developed, please provide a copy of it. Please identify what monitoring you want to be done by IS, if any, to ensure they are complying with their separation conditions.
Download the Separation Checklist
History
02/02/2021: Updated policy to reflect Board of Regents policy.