Account Creation, Audit, and Termination
This guideline provides a well-defined and organized approach to facilitate system user access being granted, managed, and reviewed, while understanding the sometimes-transient nature of researchers and faculty.
Controls need to be in place to grant, modify, review, and terminate account access to securable university data. Appropriate staff in academic departments or school human resource coordinators are responsible for requesting, authorizing, and reviewing access to university, school, and department systems for each member of the specific unit.
Separate guidelines exist for email accounts. Refer to the Danforth Campus Email Account Creation, Usage, and Termination Guideline.
New faculty and staff will need access to systems to perform their necessary job functions.
- An approval process is recommended before granting access to systems.
- All requests for accounts (email, domain, admin database, etc.) for new employees should be presented in electronic form to the appropriate IT Department. Access should not be granted by any other means.
- Once the request is acted upon, a copy of the electronic request and approval should be archived.
Faculty and staff system access should be reviewed when:
- A faculty or staff member’s job role changes
- Account inactivity
- A faculty or staff member transfers from one department to another
- A faculty or staff member takes a leave of absence for any reason
When employment is terminated, the appropriate staff in the department or school is responsible for requesting the removal of system access and accounts.
- Formal notification of the termination should be presented in electronic form to the appropriate IT Department responsible for terminating system access and the account. The notification should include:
- The effective date of the termination
- Any special requirements surrounding the termination if necessary
- System access and accounts should be disabled upon the termination date.
- Account contents should be retained for 30 days to provide time for the department to identify any important data that needs to be archived or transferred.
- The account should be deleted within 30 days.
- In appropriate circumstances, access can be revoked immediately from a phone call from the department head, director, or faculty chair. A follow up in electronic form is recommended.
- Approval from the chair or school dean should be required for accounts to stay open longer than 30 days. No account should be active longer than six months after the HRMS termination date.
Review of Access
Periodically departments or schools are responsible for reviewing active accounts and the access levels of each account. Account access to securable university data should be reviewed at a minimum of twice a year. All system access and accounts, regardless of access level, should be reviewed at least once a year.
Updated April 1, 2013.