We received an Institutional Audit comment regarding termination of access to systems.
The finding required immediate termination of access upon severance or leaving employment.
A team was formed to address the audit comment, identify a new process, and automate account termination within 24 hours of separation.
This presentation will provide:
o Background and Overview
o Policy Review
o Access Termination Process
o IT Processes/Functionality
o Project Implementation
o Summary and Lessons Learned
Intended audience: Anyone who might find themselves involved in a similar project someday. The presentation will be geared towards a wide audience. Both functional user and technical user information will be included. Presentation will not delve deeply into the “nitty gritty” of programming, but will include an overview. This information could be useful for an HR consultant, Business Analyst, programmer, or manager.
2. Agenda
• Background and Overview
• Policy 95 Review
• Access Termination Process
• IT Processes/Functionality
• EAT Project Implementation
• Summary
3. Overview
Background
• WCU received an Institutional Audit comment regarding termination of access to systems
• State Auditor’s review based on ISO 27002, which requires: Immediate termination of access upon severance or leaving employment
• Employee Separations = Access Terminations
• A team was formed to address the audit comment, identify a new process, and automate account termination within 24 hours of separation
• Project was named EAT (Employee Access Termination)
4. EAT Project Process and Scope
Process:
1. Department notifies HR/Career Services/Financial Aid/Graduate School of separation via appropriate separation paperwork.
2. HR separates the employee’s record accordingly in Banner.
3. Automated process reads employee records in Banner to inactivate accounts on the date provided by the appropriate separation paperwork.
Scope: Only addressed access termination
Granting access was not included in scope
Access still dependent on same procedures (hiring / compliance paperwork required)
5. Policy 95 Review
Existing policy for Data Network Security and Access Control
• Revised to reflect the realities and possibilities of automated termination
Review and approval occurred at many levels
• Executive Council
• Internal Audit
Policy revision required lots of communication
• Deans
• Department Heads
• Administrative Assistants
Policy 95: http://www.wcu.edu/25378.asp
7. Accountability for Policy Fulfillment
WCU’s Office of Internal Audit Review Perspective:
It is the responsibility of each department to provide timely notification of employment and termination to HR. Departmental notifications and personnel processing actions are subject to audit by the University’s Internal Auditor and by external auditors. As such, the timeframes for compliance rest at the departmental level.
For audit reporting purposes:
Comments are added to Banner when paperwork is received by HR after separation date.
8. Termination Paperwork: Timeliness and Accountability
• Departments need to provide paperwork to HR/Career Services/Financial Aid/Graduate School as soon as possible before last work date
• If Termination is ‘last minute’, they can call HR to expedite both employee and access termination
• Termination: Last work date = last access date
- If paperwork is submitted late to HR and no notification is made prior to last work date, access will continue past true last work date.
- If Account Access is terminated retroactively for the employee, it may prompt audit questions. Such questions will be directed to the department for clarification and accountability.
9. New Terminology and Clear Definition Required
Terminations are based on “Last Day of Access” (Last Day in the Chair)
• Last Work Date, for WCU, references last day of formal work
• Formal Contract dates must incorporate complete date range for required network resource access
- Contract dates for fixed term Faculty employees reflect time for course fulfillment past last day of class to allow for final tasks to be completed
10. Access Termination Process
How this affects the campus:
• Affects all employees and affiliates
- SPA, EPA Non-Teaching, Hourly, etc.: Account Inactivation on last work date
- Fixed Term ‘Instructor’ type roles (Adjuncts, Teaching GA’s, Faculty, etc.): Account inactivation on Contract End Date
- Tenure Track Faculty: Account Inactivation based on individual situation
• Any remaining business after an employee separation date or contract end date must be facilitated by Director/Department Head since the employee is no longer affiliated with the University
11. How Access Termination Affects Employees
Non Fixed-Term (SPA and EPA) employees
• Last Access date determined by last day of work.
• Already managed in Banner.
Hourly Employees
• Last Access date determined by last day of work.
• If hourly employee not paid in 6 weeks, will be reviewed for termination
Fixed-Term (Contract Driven) Employees
• Last Day of Access is determined by Contract dates.
• Contract start and end dates have been aligned to match true work dates in Banner.
12. Non-Fixed Term Based Employees
SPA, EPA Non-Faculty, Administrative GA’s, and Hourly
[Timeline diagram: Employee, then Last Work Date (= Last Access Date), then Former Employee with No Access; the Last Paycheck falls in the Former Employee period]
Last Work Date = Last Access Date
13. Fixed Term Based Employees
Teaching Employees: Fixed Term Faculty, Graduate TA’s, and Adjuncts
• No access allowed when not under contract
• Access terminated when not under a contract
[Timeline diagram: Under Contract, then Contract End, then Not Under Contract with No Access]
Dates to use on contracts supplied by HR and Graduate School
14. Faculty Continuous Access
Access remains intact provided that new contracts and compliance paperwork are processed by HR before the end of contract.
[Timeline diagram: Spring (contract), Fall (contract), Spring (contract): no break in access]
15. Faculty Access Between Terms
Break in Service occurs when a faculty member does not have a contract between major terms. State Regulations and WCU’s Policy 95 on Data and Network Security prohibit access for employees that are not under contract. Therefore access is not allowed during a break in service.
[Timeline diagram: Fall and Spring terms, two under contract and one with no contract; the term without a contract is labelled Break in Service]
16. How Access Termination Affects Instructor of Record
Instructor of Record
• Any Instructor of Record association for Faculty, Adjuncts, and Teaching GA’s is ‘Terminated’
• Existing advising association is ‘Terminated’
Instructor Relationships are Affected
• Instructor/Advisor role ended for term (SIAINST)
• Instructor removed from incomplete and future sections (SSASECT)
Department Head facilitates any questions regarding students after access is terminated
17. How Access Termination Affects Email and Network Login
• Network login is ‘Terminated’ on Last Day of Access
• Email is ‘Terminated’ on Last Day of Access
• When Expiration Date is Known Before ‘Termination’, Automated Email Reminders Sent to Employees:
– Employees may wish to create an auto-response to inform others of their Last Access Day and alternative contact information prior to their last work date
18. IT Processes and Functionality Engaged to Facilitate Terminations
• Supplemental Data Engine fields
- Capture ‘paperwork received date’ to track tardy paperwork and access terminations, which provides audit information
• WCU Identity Management Roles utilized
- Easily apply termination rules to specific population sets
• Event Initiation and Processing
- Last Day of Access determines entry into the event processing queue
- Access Termination is processed for registered applications
- Scalable mechanism for additional automated event and termination processing
22. WCU Roles: What are they?
A high level view of our data reveals three basic roles
23. Role Sub-Components: Each Role (i.e., “STUDENT”) Reveals a Variety of Sub-Roles
[Diagram: the STUDENT role surrounded by its sub-roles: Intending Student? Future Student? Cullowhee Commuter? Former Student? Currently Enrolled? Continuing?]
24. Role Creation: Scalable Mechanism for Identifying, Managing, and Consuming Roles
[Diagram: Role, containing Role Memberships, containing Sub-Role Memberships]
26. Example of Role Membership
• One role may, or may not, be a member of other roles
• One role may consist of many combined roles
• One role may be a member of multiple other roles
[Diagram of role memberships: Worker lists Guests, Cullowhee Commuter, Permanent Staff Worker, Hourly Staff Worker, Temporary Staff Worker, All Faculty, and Administrative Student Worker; All Faculty consists of Adjunct Faculty and Faculty; Administrative Student Worker consists of Work Study Administrative Student Worker, Non-Work Study Administrative Student Worker, and GA (non-teaching, non-lab) Administrative Student Worker]
27. Role Maintenance
• Individual role memberships are activated/in-activated every two hours, based upon data changes in Banner, our system of record
• Populations refreshed via UC4 (AppWorx) batch processing jobs
• PLSQL packages written to utilize role definition rules to create/maintain role populations
• One individual may belong to multiple roles concurrently
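The role mechanism of slides 22 to 27 (a rule over Banner data per base role, roles composed of other roles, and one person holding several roles at once) sketched as an added Python example; this is not WCU's PL/SQL, and the employee classes, role names and contract dates are constructed for illustration.

```python
from datetime import date

# Constructed Banner-like rows, not WCU data: employee class and fixed-term contract dates.
PEOPLE = [
    {"pidm": "P1", "emp_class": "SPA", "contract": None},
    {"pidm": "P2", "emp_class": "HOURLY", "contract": None},
    {"pidm": "P3", "emp_class": "ADJUNCT", "contract": (date(2024, 1, 8), date(2024, 5, 10))},
    {"pidm": "P4", "emp_class": "FACULTY", "contract": (date(2024, 8, 19), date(2024, 12, 13))},
    {"pidm": "P5", "emp_class": "GA_ADMIN", "contract": (date(2024, 1, 8), date(2024, 5, 10))},
]

def under_contract(p, as_of):
    """Fixed-term employees count only while as_of falls inside the contract date range."""
    return p["contract"] is not None and p["contract"][0] <= as_of <= p["contract"][1]

# Base roles: a rule over system-of-record data, evaluated per person on a given date.
BASE_RULES = {
    "PERMANENT_STAFF": lambda p, d: p["emp_class"] in ("SPA", "EPA"),
    "HOURLY_STAFF": lambda p, d: p["emp_class"] == "HOURLY",
    "ADJUNCT_FACULTY": lambda p, d: p["emp_class"] == "ADJUNCT" and under_contract(p, d),
    "FACULTY": lambda p, d: p["emp_class"] == "FACULTY" and under_contract(p, d),
    "GA_ADMIN": lambda p, d: p["emp_class"] == "GA_ADMIN" and under_contract(p, d),
}
# Composite roles: the union of other roles, so one role is a member of several others.
COMPOSITE = {
    "ALL_FACULTY": ["ADJUNCT_FACULTY", "FACULTY"],
    "ADMIN_STUDENT_WORKER": ["GA_ADMIN"],
    "WORKER": ["PERMANENT_STAFF", "HOURLY_STAFF", "ALL_FACULTY", "ADMIN_STUDENT_WORKER"],
}

def members(role, as_of, people=PEOPLE):
    """Population of a role on a date: what a two-hourly refresh job would materialise."""
    if role in BASE_RULES:
        return {p["pidm"] for p in people if BASE_RULES[role](p, as_of)}
    return set().union(*(members(sub, as_of, people) for sub in COMPOSITE[role]))

def roles_of(pidm, as_of, people=PEOPLE):
    """All roles one individual holds concurrently on as_of."""
    return {r for r in list(BASE_RULES) + list(COMPOSITE) if pidm in members(r, as_of, people)}
```

Because fixed-term roles are evaluated against the contract range, a person drops out of ALL_FACULTY and WORKER on the day after the contract ends, which is exactly the "no access when not under contract" rule of slide 13.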
29. Roles Provide:
• Precise definition: understanding
• Stability of populations: error reduction
• Single source of data: sameness across systems
• Auditing information: policy enforcement
– Banner data drives role membership
– Banner data drives access control
30. Sample Role Selection (used in BlackBoard Integration)
-- Each f_group_members call returns the population of one role;
-- the arguments 'E', '35', 'SA' and '8' are the Role Codes.
WITH BB_Users AS
  (SELECT * FROM TABLE (wcuidm.f_group_members ('E'))
   UNION
   SELECT * FROM TABLE (wcuidm.f_group_members ('35'))
   UNION
   SELECT * FROM TABLE (wcuidm.f_group_members ('SA'))
   UNION
   SELECT * FROM TABLE (wcuidm.f_group_members ('8')))
SELECT * FROM BB_Users;
31. WCU Identity Management Roles
• Easy to figure out problems and solutions
• Wide application for use campus-wide
[Diagram: Identity Management at the centre, feeding PeopleAdmin, Active Directory (synced with Outlook), Online Directory, Pawprint, Reports (PersonLookup, New Hires, Terminations), Security Groups and Distribution Lists, LMS (Blackboard), and Portal (Luminis)]
33. Events: Process and Timing
• Processing Runs Daily at 1am
• Individuals in Active Roles, with access expiration as of previous date, are placed in the queue for termination
• Registered applications are processed against each event termination
• Backup data is archived
• Detailed outcomes are logged
• Event processing is auditable and reportable
34. Events: Timing and Human Error
• Recognizing we are all human, we allowed for inevitable unintended consequences…
• One caveat was built into the processing to allow for human error and paperwork timeliness
– Seven-day window for automated “un-termination”
  Paperwork was a day late
  “Fat-finger” on the keyboard resulted in incorrect update
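The nightly event run of slides 18, 33 and 34 (expiration as of the previous day, registered applications, the Banner comment for tardy paperwork, and the seven-day un-termination window) as an added Python example; it is not WCU's code, and the application names, record layout and dates are assumed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
REGISTERED_APPS = ("network_login", "email", "lms")   # assumed names of registered applications
UNTERMINATE_WINDOW = timedelta(days=7)               # seven-day window for automated "un-termination"

@dataclass
class Employee:
    pidm: str                                  # person identifier (constructed sample value)
    active_role: bool                          # currently a member of an active worker/faculty role
    last_access: date                          # "Last Day of Access": separation paperwork or contract end
    paperwork_received: Optional[date] = None  # supplemental data field: when HR received the paperwork
    terminated_on: Optional[date] = None       # set by an earlier update-mode run

def nightly_run(employees, run_date, update_mode=True):
    """One 1am event run. Returns the outcome log as (pidm, target, action) tuples.
    In audit mode the same log is produced but no record is changed."""
    log = []
    for e in employees:
        expired = e.active_role and e.last_access < run_date    # expired as of the previous day
        current = e.active_role and e.last_access >= run_date   # still entitled to access
        if e.terminated_on is None and expired:
            for app in REGISTERED_APPS:
                log.append((e.pidm, app, "terminate"))
            if e.paperwork_received and e.paperwork_received > e.last_access:
                log.append((e.pidm, "banner", "comment: paperwork received after separation date"))
            if update_mode:
                e.terminated_on = run_date
        elif (e.terminated_on is not None and current
              and run_date - e.terminated_on <= UNTERMINATE_WINDOW):
            # the expiration date moved forward within the window (late paperwork or a fat-finger fix)
            for app in REGISTERED_APPS:
                log.append((e.pidm, app, "unterminate"))
            if update_mode:
                e.terminated_on = None
    return log

def demo():
    """Two consecutive runs over constructed records."""
    staff = [
        Employee("P1", True, date(2024, 2, 28)),                                       # separated on time
        Employee("P2", True, date(2024, 2, 26), paperwork_received=date(2024, 3, 1)),  # tardy paperwork
        Employee("P3", True, date(2024, 3, 15)),                                       # still under contract
    ]
    first = nightly_run(staff, date(2024, 3, 1))
    staff[0].last_access = date(2024, 3, 31)     # correction: the real contract end date was mistyped
    second = nightly_run(staff, date(2024, 3, 2))
    return first, second
```

Running in audit mode first (update_mode=False), as the project did in February, produces the full log without touching any record, so the outcomes can be reviewed before update mode is switched on.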
38. Event Log Details Per Registered Application
Useful for Audit and Internal Control
39. Project Magnitude and Resources
• Upper level support (multiple project demands)
• Subject Matter Experts involved for expertise and judgment calls (HR, IT, Project Management; others as needed: Departments, Registrar, etc.)
• Time commitment (2 hr meetings/twice weekly, independent work time)
• Complexity (policy, rules, process, data)
• Reporting to the Executive Council weekly
• End user training to departmental users, as well as internal users (i.e. help desk)
• Communication Plan campus wide
40. Project Timeline
• Project kickoff in November
• Initial request for Go-Live: January
• Complexities, communication, holiday timing, policy changes, program spec and development, and thorough testing demanded longer timeline
• Revised Go-Live: March
• Implemented in Audit mode in PROD: February 8
• Implemented in Update mode in PROD: March 1
• Continued communication, as well as minor program and reporting revisions during March
• Final Project Wrap-Up: early April
41. Lessons Learned
• Clearly defined business practices and policies are crucial
• Continuous education is necessary for management turnover
• “Panic control” can be managed by having solid business practices in place for problem investigation and resolution when possible issues arise
• Change is difficult; education is key
42. Summary
• Audit defensible system
– Revising policies to meet auditor and WCU business practices
– Clarifying early access / late access based on stakeholders/audit requirements
• Created efficiencies
• Provide timely service to campus
• Accountability
43. Conclusion
"Change is hard because people
overestimate the value of what they
have—and underestimate the value of
what they may gain by giving that up."
- James Belasco and Ralph Stayer
Flight of the Buffalo (1994)