Carnegie Mellon University

Procedure For Employee Separation

Purpose

The purpose of this Procedure is to provide step-by-step instructions for processing an employee separation with respect to the handling of computing resources. This Procedure is a supplement to the Human Resources Employee Separation Checklist.

Applies To

This Procedure applies to anyone processing the separation of a student worker, faculty or staff.

Procedure for Voluntary Employee Separation

The following are step-by-step instructions for voluntary employee separation. 

  1. Process the employee’s separation in Workday

    While this step is listed in the Human Resources Employee Separation Checklist, it is cross-listed here due to its importance in suspending and removing certain user access.  Processing the employee’s separation in Workday should be completed as soon as a separation date is known.  A step-by-step guide to completing this can be found in the Workday Toolkit provided by Human Resources.  Following a 21-day waiting period from an employee’s separation date, his or her Andrew account and Microsoft Active Directory account will be automatically suspended. If the employee is registered as a student, the automatic suspension will not occur and manual intervention may be required (see Step 2). Several additional actions are taken automatically, including removal of any network registration entries and revocation of any digital certificates associated with the employee.

  2. Suspend or remove access to systems and applications

    Employees typically have access to a variety of systems and applications based on their job responsibilities.  This access will need to be suspended or removed upon separation.  Each manager should maintain a list of the systems and applications his or her employees have access to so that it is available when a separation occurs.  The types of systems and applications that an employee might have access to include:

    • Computing Services systems and applications

      As referenced in Step 1, suspension or removal of access to some systems and applications managed by Computing Services may occur automatically (e.g. Andrew account access and Microsoft Active Directory account access).  Other applications may require manual suspension or removal.  Contact the Help Center if you have questions related to suspension or removal of access to systems and applications managed by Computing Services.

    • Department, college or non-Pittsburgh campus systems and applications

      Many systems and applications are managed by a department, college or non-Pittsburgh campus computing staff.  If an employee separation occurs within one of these functional areas, the departmental administrator for that area should be contacted to assist with suspension or removal of access.  Some functional areas also maintain their own help desk, which can also serve as a resource for suspending or removing access.

    • Third-party managed applications

      The University outsources a variety of services (e.g. data processing) to third-party providers.  Employees are often provisioned user accounts to gain access to these services.  The process of suspending or removing this access will vary from one service to the next.  If it is unclear who to contact in order to suspend or remove access to a third-party application, contact either the Computing Services Help Center or your departmental administrator for assistance.

  3. Change any shared account passwords that were known by the employee

    While typically discouraged, it is often a requirement that multiple users share the password to a single account.  For example, the password to a local Administrator account or an application’s super-user account may be shared by more than one employee.  If the employee is in possession of one of these shared passwords, it should be immediately changed.

  4. Disable employee’s access to the voicemail system

    The Telecommunications team within Computing Services is responsible for the University’s voicemail system.  There are several alternatives available to address employee separation including changing the employee’s voicemail password, changing the voicemail message to indicate new contact information or simply disconnecting the voicemail.  Contact the Telecommunications team by phone at 412-268-8500 to discuss alternatives for disconnecting voicemail.  If it is necessary for you to obtain access to a separated employee’s voicemail inbox, please contact the Information Security Office Incident Response team by phone at 412-268-2044, or via email to iso-ir@andrew.cmu.edu.

  5. Revoke physical access to secure facilities and retrieve keys and/or access cards

    Employees are provided with physical access to facilities in several ways.  The Carnegie Mellon ID+ Card provides access to various facilities depending on particular job responsibilities.  Computing Services issues secondary access cards to employees who require access to centrally managed computer rooms (e.g. A-84 and A-100 in Cyert Hall).  Other departments (e.g. the Parking Office), colleges or campuses may issue their own access cards.  Additionally, an employee is likely provided a set of keys to gain access to his or her building, laboratory, office space and/or filing cabinets.  Upon separation, all access cards and keys should be collected from the employee and returned to the appropriate coordinator.

  6. Retrieve computing hardware from the employee

    Upon separation, all computing hardware issued to an employee will need to be collected.  This includes but is not limited to any University-issued laptops, desktops, computing peripherals, cell phones and hardware tokens (e.g. RSA SecurID tokens).  Any hardware token the employee may have should be immediately returned to the appropriate administrator.  All other hardware can be re-used as deemed appropriate by the manager of the employee. In those limited circumstances where ownership of computer equipment is transferred to the separating employee, the following steps should be considered:

    • Archive any business related documents, as directed by the separating employee’s management
    • Remove all non-public information that is owned or licensed by the University  
    • Remove all software applications that are licensed by the University
    • Remove all Microsoft Windows operating system upgrades (only the original manufacturer installed operating system should be transferred to the separating employee)
    • If necessary, erase the entire content of the device’s hard drive using tools and techniques outlined in the Guidelines for Data Sanitization and Disposal.

Procedure for Involuntary Employee Separation

The Information Security Office works closely with Human Resources in the case of involuntary separation.  Contact your Human Resources representative for details.

Additional Information

If you have any questions or comments related to this Procedure, please send email to the University Information Security Office at iso@andrew.cmu.edu.

Additional information can also be found using the following resources:

Revision History

Version  Published   Author                         Description
1.2      10/24/2017  Laura Raderman                 Updated for HR process changes
1.1      01/09/2015  Laura Raderman                 Updated for Workday changes
1.0      10/01/2008  Doug Markiewicz, John Lerchey  Original publication


Status:  Published 
Published:  10/08/2008
Last Reviewed:  10/12/2016
Last Updated:  10/24/2017