Inactive IT Accounts Policy. Version 1.0

Transcription

1 Inactive IT Accounts Policy Version 1.0

2 Document History and Reviews Version Date Revision Summary of Changes Author 0.1 Sept 2018 Ali Mitchell New policy 0.2 Sept 2018 Ali Mitchell Added students into paragraph 2, changed layout, changed definition of active into active and added in paragraph on account removal for students 0.3 Sept 2018 Ali Mitchell Amendments to paragraphs 6.1 and Sept 2018 Ali Mitchell Contents section, scope and paragraphs 5, 6 and 7 updated. 0.5 Sept 2018 Ali Mitchell Introduction section updated, paragraphs 5.2, 5.3 and removed 2 bullet points from paragraph 7.1. Paragraph 6.3 added. 0.6 Sept 2018 Ali Mitchell Paragraphs 5.1, 5.2, 5.3, 6.1 and 6.2 updated. 0.7 Oct 2018 Ali Mitchell Added in another paragraph to the introduction. Removed students, added in paragraph 5.4, added exemptions and changed numbering 0.8 Oct 2018 Ali Mitchell Change of Rhiannon Platt s job title 0.9 Oct 2018 Ali Mitchell Table in paragraph 5, slight change to section 7 and incorporate CIDO amendments. 1.0 Nov 2018 Ali Mitchell Removed table in paragraph 5 Document review Date of next review: November 2019 Review Distribution Name Title A. Hill Chief Information and Digital Officer R. Platt Information Governance Manager and Data Protection Officer S. Clifford Vendor and Contracts Manager D. Hepple Lead Cloud Services Engineer M. Harvey Senior Cloud Services Engineer I. Tilsed Assistant Director Strategy and Architecture R. Autherson Head of Development N. Burden Assistant Director Solutions Delivery Approval Version Position Signature Date 1.0 Information Governance Security Steering Group By 8 Nov

3 Contents 1 Introduction Scope Purpose Definition of an inactive IT account Policy for Associates Exceptions. 4 7 Help and advice Policy review and maintenance. 5 3

4 1. Introduction 1.1 IT accounts that are unused are classed as being inactive which can cause unnecessary expenditure on software licences as well as an increased security risk. This policy has been produced to clearly articulate what constitutes an inactive account and what actions will be taken to address the issue. 2. Scope 2.1 This policy is applicable to all staff, including associates IT accounts and should be regarded separately to the process (here) around what happens to IT accounts when staff and students leave the University. 3. Purpose 3.1 The purpose this policy is to inform users that IT accounts will not remain live indefinitely and, after periods of no use, accounts will be removed. 4. Definitions of an inactive IT Account 4.1 IT accounts are deemed to be inactive and applicable for removal, when the user does not carry out at least one of these activities: Log into an University managed Windows desktop Log into the Office 365 University portal Check their University either online, or through their smartphone, tablet or on a home PC through a mail client (such as Outlook) Connect to the University via the VPN service. 5. Policy 5.1 IT accounts that are not being used, are deemed to be inactive and will be suspended after 90 days and deleted at 180 days (6 months) of inactivity. 5.2 After the account has been deleted, this means all s will be removed and also user s files and documents stored in their U: drives and the Office 365 suite as well. Users of inactive accounts will receive notifications in accordance with the table below, as will those staff who originally requested the creation of the account. If the user s original sponsor of their account do not take action to keep the account active, the account will be deleted after the 180 days. 5.4 For staff and associates that are classed as leavers, accounts will be blocked from midnight on the last working day and deleted three months after this date, unless HR advise that the account needs to be kept live. 6. Exceptions 6.1 It is recognised that there will be some situations where the deletion of IT accounts after 180 days is not appropriate. These would include users on: Long term sick Parental leave (maternity, paternity, adoption leave) Sabbatical or secondment or An agreed list of VIPs (held by the service desk) and retired users At the request of HR 4

5 6.2 The sponsors or line managers for any of the users that fit these criteria in paragraph 6.1 will need to raise a SID request to ensure user s accounts are not removed. 7. Help and Advice 7.1 For any issues relating to the removal of IT accounts please contact the SID on or extension 4724 or sid@exeter.ac.uk. For any comments regarding this policy please information-security@exeter.ac.uk 8. Policy Review and Maintenance 8.1 This policy will be reviewed and updated, annually, or as needed, to ensure that the policy remains aligned with changes to relevant laws, contractually obligations and best practice. 5