Employee Access Termination -- Cause 2011

EMPLOYEE ACCESS TERMINATION PROJECT: A whale of a tale…

Description

We received an Institutional Audit comment regarding termination of access to systems. The finding required immediate termination of access upon severance or leaving employment. A team was formed to address the audit comment, identify a new process, and automate account termination within 24 hours of separation.

This presentation will provide:
o Background and Overview
o Policy Review
o Access Termination Process
o IT Processes/Functionality
o Project Implementation
o Summary and Lessons Learned

Intended audience: Anyone who might find themselves involved in a similar project someday. The presentation will be geared towards a wide audience. Both functional user and technical user information will be included. The presentation will not delve deeply into the “nitty gritty” of programming, but will include an overview. This information could be useful for an HR consultant, Business Analyst, programmer, or manager.

Transcript of Employee Access Termination -- Cause 2011

Page 1: Employee Access Termination -- Cause 2011

EMPLOYEE ACCESS TERMINATION PROJECT

A whale of a tale…

Page 2: Employee Access Termination -- Cause 2011

Agenda
• Background and Overview
• Policy 95 Review
• Access Termination Process
• IT Processes/Functionality
• EAT Project Implementation
• Summary

Page 3: Employee Access Termination -- Cause 2011

Overview

Background
• WCU received an Institutional Audit comment regarding termination of access to systems
• State Auditor’s review based on ISO 27002, which requires: Immediate termination of access upon severance or leaving employment
• Employee Separations = Access Terminations
• A team was formed to address the audit comment, identify a new process, and automate account termination within 24 hours of separation
• Project was named EAT (Employee Access Termination)

Page 4: Employee Access Termination -- Cause 2011

EAT Project Process and Scope

Process:
1. Department notifies HR/Career Services/Financial Aid/Graduate School of separation via appropriate separation paperwork.
2. HR separates the employee’s record accordingly in Banner.
3. Automated process reads employee records in Banner to inactivate accounts on the date provided by the appropriate separation paperwork.

Scope: Only addressed access termination
- Granting access was not included in scope
- Access still dependent on same procedures (hiring / compliance paperwork required)

Page 5: Employee Access Termination -- Cause 2011

Policy 95 Review

Existing policy for Data Network Security and Access Control
• Revised to reflect the realities and possibilities of automated termination

Review and approval occurred at many levels
• Executive Council
• Internal Audit

Policy revision required lots of communication
• Deans
• Department Heads
• Administrative Assistants

Policy 95: http://www.wcu.edu/25378.asp

Page 6: Employee Access Termination -- Cause 2011

Policy 95 stipulates who, what, how, and when… (the rules)

Page 7: Employee Access Termination -- Cause 2011

Accountability for Policy Fulfillment

WCU’s Office of Internal Audit Review Perspective:

It is the responsibility of each department to provide timely notification of employment and termination to HR. Departmental notifications and personnel processing actions are subject to audit by the University’s Internal Auditor and by external auditors. As such, the timeframes for compliance rest at the departmental level.

For audit reporting purposes: Comments are added to Banner when paperwork is received by HR after the separation date.

Page 8: Employee Access Termination -- Cause 2011

Termination Paperwork: Timeliness and Accountability

• Departments need to provide paperwork to HR/Career Services/Financial Aid/Graduate School as soon as possible before the last work date
• If a termination is ‘last minute’, they can call HR to expedite both employee and access termination
• Termination: Last work date = last access date
- If paperwork is submitted late to HR and no notification is made prior to the last work date, access will continue past the true last work date.
- If account access is terminated retroactively for the employee, it may prompt audit questions. Such questions will be directed to the department for clarification and accountability.

Page 9: Employee Access Termination -- Cause 2011

New Terminology and Clear Definition Required

Terminations are based on “Last Day of Access” (Last Day in the Chair)
• Last Work Date, for WCU, references the last day of formal work
• Formal contract dates must incorporate the complete date range for required network resource access
- Contract dates for fixed-term Faculty employees reflect time for course fulfillment past the last day of class to allow for final tasks to be completed

Page 10: Employee Access Termination -- Cause 2011

Access Termination Process

How this affects the campus:
• Affects all employees and affiliates
- SPA, EPA Non-Teaching, Hourly, etc.: Account inactivation on last work date
- Fixed Term ‘Instructor’ type roles (Adjuncts, Teaching GA’s, Faculty, etc.): Account inactivation on Contract End Date
- Tenure Track Faculty: Account inactivation based on individual situation
• Any remaining business after an employee separation date or contract end date must be facilitated by the Director/Department Head, since the employee is no longer affiliated with the University

Page 11: Employee Access Termination -- Cause 2011

How Access Termination Affects Employees

Non Fixed-Term (SPA and EPA) employees
• Last Access date determined by last day of work.
• Already managed in Banner.

Hourly Employees
• Last Access date determined by last day of work.
• If an hourly employee is not paid in 6 weeks, they will be reviewed for termination

Fixed-Term (Contract Driven) Employees
• Last Day of Access is determined by Contract dates.
• Contract start and end dates have been aligned to match true work dates in Banner.

Page 12: Employee Access Termination -- Cause 2011

Non-Fixed Term Based Employees

[Timeline diagram: Employee (through Last Work Date, then Last Paycheck) becomes Former Employee; the Last Access Date marks the start of No Access]
Applies to: SPA, EPA Non-Faculty, Administrative GA’s, and Hourly

Last Work Date = Last Access Date

Page 13: Employee Access Termination -- Cause 2011

Fixed Term Based Employees

[Timeline diagram: Under Contract, then Contract End, then Not Under Contract (No Access)]

• No access allowed when not under contract
• Access terminated when not under a contract

Teaching Employees: Fixed Term Faculty, Graduate TA’s, and Adjuncts
Dates to use on contracts supplied by HR and Graduate School

Page 14: Employee Access Termination -- Cause 2011

Faculty Continuous Access

[Timeline diagram: Spring (contract), Fall (contract), Spring (contract): no break in access]

Access remains intact provided that new contracts and compliance paperwork are processed by HR before the end of contract.

Page 15: Employee Access Termination -- Cause 2011

Faculty Access Between Terms

[Timeline diagram: Spring (contract), Fall (no contract), Spring (contract): Break in Service during Fall]

Break in Service occurs when a faculty member does not have a contract between major terms. State Regulations and WCU’s Policy 95 on Data and Network Security prohibit access for employees that are not under contract. Therefore access is not allowed during a break in service.

Page 16: Employee Access Termination -- Cause 2011

How Access Termination Affects Instructor of Record

Instructor Record
• Any Instructor of Record association for Faculty, Adjuncts, and Teaching GA’s is ‘Terminated’
• Existing advising association is ‘Terminated’

Instructor Relationships are Affected
• Instructor/Advisor role ended for term (SIAINST)
• Instructor removed from incomplete and future sections (SSASECT)

Department Head facilitates any questions regarding students after access is terminated

Page 17: Employee Access Termination -- Cause 2011

How Access Termination Affects Email and Network Login

• Network login is ‘Terminated’ on Last Day of Access
• Email is ‘Terminated’ on Last Day of Access
• When the expiration date is known before ‘Termination’, automated email reminders are sent to employees:
– Employees may wish to create an auto-response to inform others of their Last Access Day and alternative contact information prior to their last work date

Page 18: Employee Access Termination -- Cause 2011

IT Processes and Functionality Engaged to Facilitate Terminations

• Supplemental Data Engine fields
- Capture ‘paperwork received date’ to track tardy paperwork and access terminations, which provides audit information
• WCU Identity Management Roles utilized
- Easily apply termination rules to specific population sets
• Event Initiation and Processing
- Last Day of Access determines entry into the event processing queue
- Access Termination is processed for registered applications
- Scalable mechanism for additional automated event and termination processing

Page 19: Employee Access Termination -- Cause 2011

Banner Set-up for SDE

4) Run the generated DDL as appropriate user

Page 20: Employee Access Termination -- Cause 2011

DDL Creates New View

PEAEMPL_ADD view contains existing table elements, plus additional comment fields:

Page 21: Employee Access Termination -- Cause 2011

PEAEMPL -- Comment Fields

Page 22: Employee Access Termination -- Cause 2011

WCU Roles: What are they?

A high level view of our data reveals three basic roles

Page 23: Employee Access Termination -- Cause 2011

Role Sub-Components: Each Role (i.e., “STUDENT”) Reveals a Variety of Sub-Roles

[Diagram: the STUDENT role with its sub-roles: Future Student? Former Student? Continuing? Currently Enrolled? Cullowhee Commuter? Intending Student?]

Page 24: Employee Access Termination -- Cause 2011

Role Creation: Scalable Mechanism for Identifying, Managing, and Consuming Roles

[Diagram: Role, then Role Memberships, then Sub-Role Memberships]

Page 25: Employee Access Termination -- Cause 2011

Role Set-Up

Role Validation Table:

Rule Definitions for Role Creation:

Page 26: Employee Access Termination -- Cause 2011

Example of Role Membership

ROLE                             MEMBER
Worker
Guests
Cullowhee Commuter
Permanent Staff                  Worker
Hourly Staff                     Worker
Temporary Staff                  Worker
All Faculty                      Worker
Adjunct Faculty                  All Faculty
Faculty                          All Faculty
Administrative Student Worker    Worker
Work Study                       Administrative Student Worker
Non-Work Study                   Administrative Student Worker
GA (non-teaching, non-lab)       Administrative Student Worker

• One role may, or may not, be a member of other roles
• One role may consist of many combined roles
• One role may be a member of multiple other roles

Page 27: Employee Access Termination -- Cause 2011

Role Maintenance

• PLSQL packages written to utilize role definition rules to create/maintain role populations

• Populations refreshed via UC4 (AppWorx) batch processing jobs

• Individual role memberships are activated/in-activated every two hours, based upon data changes in Banner, our system of record

• One individual may belong to multiple roles concurrently
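As an added example (not WCU’s code and not the PL/SQL packages the slides describe), the following Python models the role membership table from Page 26 and the periodic refresh from Page 27: direct roles are derived from each person record by a rule, nested memberships are closed transitively so that an adjunct is also in All Faculty and Worker, and the refresh returns the activations and inactivations to apply. The member-of pairs come from the slide’s table; the employee class codes, the person records, and the activity test (last work date or contract end date not yet passed) are assumptions constructed for the example.

```python
from datetime import date, timedelta

# Which roles each role is itself a member of, from the slide's table.
# A set, because one role may be a member of several other roles.
MEMBER_OF = {
    "Permanent Staff": {"Worker"},
    "Hourly Staff": {"Worker"},
    "Temporary Staff": {"Worker"},
    "All Faculty": {"Worker"},
    "Adjunct Faculty": {"All Faculty"},
    "Faculty": {"All Faculty"},
    "Administrative Student Worker": {"Worker"},
    "Work Study": {"Administrative Student Worker"},
    "Non-Work Study": {"Administrative Student Worker"},
    "GA (non-teaching, non-lab)": {"Administrative Student Worker"},
}

# Hypothetical rule definitions: employee class in the system of record -> direct role.
CLASS_TO_ROLE = {
    "SPA": "Permanent Staff", "EPA": "Permanent Staff",
    "HRLY": "Hourly Staff", "TEMP": "Temporary Staff",
    "FAC": "Faculty", "ADJ": "Adjunct Faculty",
    "WS": "Work Study", "NWS": "Non-Work Study",
    "GA": "GA (non-teaching, non-lab)",
}


def active_on(record, today):
    """Hypothetical activity test: a person keeps their roles until the
    contract end date (fixed term) or last work date (non fixed term)."""
    end = record.get("contract_end") or record.get("last_work_date")
    return end is None or end >= today


def direct_roles(record, today):
    """Apply the rule definitions to one person record."""
    if not active_on(record, today):
        return set()
    return {CLASS_TO_ROLE[c] for c in record["employee_classes"] if c in CLASS_TO_ROLE}


def effective_roles(direct):
    """Close the direct roles over MEMBER_OF (transitive membership)."""
    result, frontier = set(direct), list(direct)
    while frontier:
        role = frontier.pop()
        for parent in MEMBER_OF.get(role, ()):
            if parent not in result:
                result.add(parent)
                frontier.append(parent)
    return result


def refresh(previous, records, today):
    """Return the (pidm, role) pairs to activate and to inactivate, given the
    currently active memberships and the latest person records."""
    current = set()
    for rec in records:
        for role in effective_roles(direct_roles(rec, today)):
            current.add((rec["pidm"], role))
    return current - previous, previous - current


# Constructed sample data
TODAY = date(2011, 5, 10)
RECORDS = [
    {"pidm": 101, "employee_classes": ["SPA"], "last_work_date": None},
    {"pidm": 102, "employee_classes": ["ADJ"], "contract_end": TODAY - timedelta(days=1)},
    {"pidm": 103, "employee_classes": ["WS"], "last_work_date": TODAY + timedelta(days=30)},
]
PREVIOUS = {(101, "Permanent Staff"), (101, "Worker"),
            (102, "Adjunct Faculty"), (102, "All Faculty"), (102, "Worker")}

if __name__ == "__main__":
    activate, inactivate = refresh(PREVIOUS, RECORDS, TODAY)
    print("activate:", sorted(activate))
    print("inactivate:", sorted(inactivate))
```

Because the refresh works from the current snapshot of the system of record rather than from change events, an expired contract drops the person from every role they held through that contract in one pass, which is the property that lets termination rules be applied per population.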

Page 28: Employee Access Termination -- Cause 2011

Sample Person Look-Up Report Utilizing Role Information

Page 29: Employee Access Termination -- Cause 2011

Roles Provide:

• Precise definition – understanding
• Stability of populations – error reduction
• Single source of data – sameness across systems
• Auditing information – policy enforcement
– Banner data drives role membership
– Banner data drives access control

Page 30: Employee Access Termination -- Cause 2011

Sample Role Selection (used in BlackBoard Integration)

    WITH BB_Users AS (
        SELECT * FROM TABLE (wcuidm.f_group_members ('E'))
        UNION
        SELECT * FROM TABLE (wcuidm.f_group_members ('35'))
        UNION
        SELECT * FROM TABLE (wcuidm.f_group_members ('SA'))
        UNION
        SELECT * FROM TABLE (wcuidm.f_group_members ('8'))
    )
    -- query the combined population
    SELECT * FROM BB_Users;

Role Codes: 'E', '35', 'SA', '8' (the arguments passed to f_group_members)

Page 31: Employee Access Termination -- Cause 2011

WCU Identity Management Roles

• Easy to figure out problems and solutions
• Wide application for use campus-wide

PeopleAdmin

Page 32: Employee Access Termination -- Cause 2011

Event Initiation, Fulfillment and Processing

Page 33: Employee Access Termination -- Cause 2011

Events: Process and Timing

• Processing runs daily at 1am
• Individuals in active roles, with access expiration as of the previous date, are placed in the queue for termination
• Registered applications are processed against each event termination
• Backup data is archived
• Detailed outcomes are logged
• Event processing is auditable and reportable

Page 34: Employee Access Termination -- Cause 2011

Events: Timing and Human Error

• Recognizing we are all human, we allowed for inevitable unintended consequences…
• One caveat was built into the processing to allow for human error and paperwork timeliness
– Seven-day window for automated “un-termination”
  - Paperwork was a day late
  - “Fat-finger” on the keyboard resulted in an incorrect update
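The following is an added example, not the project’s code: a Python model of the nightly event processing from Pages 33 and 34 together with the ‘paperwork received date’ audit field from Page 18. It queues people in an active role whose last access date has passed as of the previous day, archives a backup before terminating each of them in every registered application, logs the outcome per application, flags retroactive terminations (paperwork received after the last access date) for the audit comment, and reverses a termination automatically only inside the seven-day window. The RegisteredApp class, the person records, the application names and all dates are constructed for the example.

```python
from datetime import date, timedelta

UNTERMINATE_WINDOW_DAYS = 7   # the slide's seven-day window for automated un-termination


class RegisteredApp:
    """Constructed stand-in for an application registered with the event
    processor: it owns an access table so a backup can be archived before
    termination and restored on un-termination."""
    def __init__(self, name, access):
        self.name = name
        self.access = {pidm: dict(rec) for pidm, rec in access.items()}

    def snapshot(self, pidm):
        return dict(self.access.get(pidm, {}))

    def terminate(self, pidm):
        if pidm not in self.access:
            return False              # no account in this application
        self.access[pidm]["state"] = "inactive"
        return True

    def restore(self, pidm, saved):
        self.access[pidm] = dict(saved)


def build_queue(people, run_date):
    """Queue people in an active role whose last access date has passed as of
    the previous day (the run is nightly at 1am, so yesterday is the cutoff)."""
    cutoff = run_date - timedelta(days=1)
    queue = []
    for p in people:
        lad = p["last_access_date"]
        if p["active_role"] and lad is not None and lad <= cutoff:
            received = p.get("paperwork_received")
            # Paperwork received after the last access date means access is
            # being cut retroactively; flagged so the audit comment can be made.
            queue.append({"pidm": p["pidm"], "last_access_date": lad,
                          "retroactive": received is not None and received > lad})
    return queue


def process_queue(queue, apps, run_date, log):
    """Terminate each queued person in every registered application, archiving
    a backup first and logging the detailed outcome per application."""
    for ev in queue:
        for app in apps:
            saved = app.snapshot(ev["pidm"])
            done = app.terminate(ev["pidm"])
            log.append({"run_date": run_date, "pidm": ev["pidm"], "app": app.name,
                        "terminated": done, "backup": saved,
                        "retroactive": ev["retroactive"]})
    return log


def unterminate(pidm, request_date, apps, log):
    """Reverse the most recent termination automatically only if the request
    falls inside the seven-day window; otherwise reject it."""
    entries = [e for e in log if e["pidm"] == pidm and e["terminated"]]
    if not entries:
        return False
    event_date = max(e["run_date"] for e in entries)
    if request_date - event_date > timedelta(days=UNTERMINATE_WINDOW_DAYS):
        return False
    by_name = {a.name: a for a in apps}
    for e in entries:
        if e["run_date"] == event_date:
            by_name[e["app"]].restore(pidm, e["backup"])
    return True


# Constructed sample data for a run on 2 March
RUN_DATE = date(2011, 3, 2)
PEOPLE = [
    {"pidm": 201, "active_role": True, "last_access_date": date(2011, 3, 1),
     "paperwork_received": date(2011, 2, 25)},                                  # on time
    {"pidm": 202, "active_role": True, "last_access_date": date(2011, 2, 20),
     "paperwork_received": date(2011, 2, 28)},                                  # late paperwork
    {"pidm": 203, "active_role": True, "last_access_date": date(2011, 3, 2)},   # still has access today
    {"pidm": 204, "active_role": False, "last_access_date": date(2011, 1, 1)},  # no longer in an active role
]


def make_apps():
    return [RegisteredApp("network_login", {201: {"state": "active"}, 202: {"state": "active"},
                                            203: {"state": "active"}}),
            RegisteredApp("email", {201: {"state": "active"}, 203: {"state": "active"}})]


def run_demo():
    """Run the nightly queue against the sample data and return the outcomes."""
    apps, log = make_apps(), []
    queue = build_queue(PEOPLE, RUN_DATE)
    process_queue(queue, apps, RUN_DATE, log)
    within = unterminate(202, date(2011, 3, 5), apps, log)    # 3 days later: reversed
    outside = unterminate(201, date(2011, 3, 15), apps, log)  # 13 days later: rejected
    return {"queued": [e["pidm"] for e in queue],
            "retroactive": [e["pidm"] for e in queue if e["retroactive"]],
            "terminated": sum(e["terminated"] for e in log),
            "within_window": within, "state_202": apps[0].access[202]["state"],
            "outside_window": outside}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The log entry per (person, application) pair is what makes the processing auditable: it records whether the application actually held an account, what was archived, and whether the termination was retroactive, so the event-log and queue-summary reports on the following slides can be produced from it directly.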

Page 35: Employee Access Termination -- Cause 2011

Event Processing Report Samples

Instructor Associations – Useful for Departments

Page 36: Employee Access Termination -- Cause 2011

Upcoming Terminations

Departments can subscribe to reports to track known, upcoming terminations. This is helpful for getting paperwork in on time.

Page 37: Employee Access Termination -- Cause 2011

Event Queue Summary

Useful for Audit and Internal Control

Page 38: Employee Access Termination -- Cause 2011

Event Log Details Per Registered Application

Useful for Audit and Internal Control

Page 39: Employee Access Termination -- Cause 2011

Project Magnitude and Resources

• Upper level support (multiple project demands)
• Subject Matter Experts involved for expertise and judgment calls (HR, IT, Project Management; others as needed: Departments, Registrar, etc.)
• Time commitment (2 hr meetings/twice weekly, independent work time)
• Complexity (policy, rules, process, data)
• Reporting to the Executive Council weekly
• End user training to departmental users, as well as internal users (i.e. help desk)
• Communication Plan campus wide

Page 40: Employee Access Termination -- Cause 2011

Project Timeline

• Project kickoff in November
• Initial request for Go-Live: January
• Complexities, communication, holiday timing, policy changes, program spec and development, and thorough testing demanded a longer timeline
• Revised Go-Live: March
• Implemented in Audit mode in PROD: February 8
• Implemented in Update mode in PROD: March 1
• Continued communication, as well as minor program and reporting revisions during March
• Final Project Wrap-Up: early April

Page 41: Employee Access Termination -- Cause 2011

Lessons Learned

• Clearly defined business practices and policies are crucial

• Continuous education is necessary for management turnover

• “Panic control” can be managed by having solid business practices in place for problem investigation and resolution when possible issues arise

• Change is difficult; education is key

Page 42: Employee Access Termination -- Cause 2011

Summary

• Audit defensible system
– Revising policies to meet auditor and WCU business practices
– Clarifying early access / late access based on stakeholders/audit requirements
• Created efficiencies
• Provide timely service to campus
• Accountability

Page 43: Employee Access Termination -- Cause 2011

Conclusion

"Change is hard because people overestimate the value of what they have—and underestimate the value of what they may gain by giving that up."

- James Belasco and Ralph Stayer, Flight of the Buffalo (1994)