Carnegie Mellon University
October 12, 2015

Protecting Institutional Data

Carnegie Mellon University has over 13,200 students and 5,000 faculty and staff. With so many employees and students, it is likely that people will shift job responsibilities, leave their positions or graduate. When these changes occur, access to resources that are no longer required should be removed. This practice is known as deprovisioning and is key to protecting institutional data.

Supervisors should keep a list of the job-related resources that employees have been authorized to access, and inform system and application managers to deprovision the account when access is no longer authorized.

As you create your list, ask yourself, “What does the employee access in order to perform their job?” Consider the following:

  • Shared service or system passwords – change immediately
  • Keys and access cards
  • Shared mailboxes and calendars
  • Computers, printers and other University-provided equipment
  • Voicemail systems
  • Mailman or other mailing lists
  • Shared server drives (e.g., MyDeptFiles)
  • Group membership (e.g., Grouper, LDAP, Windows, Andrew PTS)
  • Enterprise applications
  • Research databases
  • University web site content through the Content Management System (CMS) or Andrew Web Publishing System (AWPS)
  • Shared social networking accounts (e.g., Twitter, Facebook)
  • Third-party managed applications (e.g., Google Accounts)

There are automated processes that deprovision an Andrew account up to 30 days after an employee separates from the University, unless you request early deactivation. During this time, the former employee retains access to CMU systems and services. Many times employees are rehired or return as students. When their account is reactivated, they will have access to anything that was not previously deprovisioned. Do not rely on disabling the Andrew account alone to remove access.

Unauthorized access could negatively affect the University or cause a disclosure of private or restricted institutional data. Please be aware of the systems employees access and take the necessary precautions when responsibilities shift or roles change.

For more information, review the Guidelines for Data Protection and follow the Procedure for Employee Separation.