30.16 - Managing Systems for Employee Turnover (Electronic Information Security Policy)

Created January 21, 2007

A. General. This policy sets out the process for managing computer systems when an employee leaves a department within the University of Idaho or leaves the University of Idaho altogether.

B. Process.

B-1. Departure Information: When an employee departs a department for any reason, the supervisor shall ensure that the departing employee receives the following prior to departure:

(1) Conditions governing departmental access to the employee’s electronic communications subsequent to the employee’s separation.

(2) Instructions regarding disposition of personal electronic communications records, such as whether they should be deleted or transmitted to other personal email accounts or personal media.

(3) Instructions if an absence message must be installed, indicating separation data and contact information for departmental business.

(4) Date at which time the account will be terminated and not accessible to the former employee.

B-2. Password Changes: Immediately prior to an employee’s departure, the supervisor shall ensure that the passwords to which the departing employee had access are changed. This standard practice serves to protect the former employee in the event of any problems and the university systems against possible tampering. Monitoring such User IDs is primarily the responsibility of user area management, with assistance from the ITS Customer Service Manager or IT Security Officer.

B-3. Electronic Systems and Records:

(1) Electronic Systems: Upon an employee’s departure, the electronic communications systems, including computers, laptops, notebooks, PDAs, cellphones, and any other system, shall be collected, and shall only be reused or disposed of once the information on those systems is preserved as provided herein, and the systems are verified by ITS as completely "clean" prior to going back into service or into disposal.

(2) Electronic Records: In the absence of more specific instructions from the office of General Counsel for any departing employee, all information on the electronic systems of a departing employee shall be transferred into an archivable format and archived for 5 years from the date of departure.

B-4. Termination of User ID. Human Resource Services shall notify the ITS Customer Service Manager of an employee termination, as soon as it processes the termination. Upon receipt of the notification, ITS shall suspend the User ID of the terminated employee, and the ITS Security Officer will be alerted so that any necessary files may be retrieved and archived and the User ID is deleted. Reinstatement will require the same level of authorization as establishing a new User ID.

B-5. Involuntary Separation: In cases of involuntary separation, exit procedures shall include standard notification to be sent to employees. Such notification shall be reviewed by General Counsel prior to issuance and include:

(1) Conditions governing the employee’s access to electronic communications resources during the period of separation, if any, and any arrangements to permit the employee temporary access to obtain copies of personal electronic communications. Such conditions shall be limited to ensure the security of the University’s system, and the preservation of all electronic information on all of the electronic communication systems used by the employee.

(2) Date when access to electronic communications will terminate.

C. Compliance. ITS will advise appropriate college/division management and the office of Risk Management of any non-compliance with this policy. The college/division management shall be responsible for following up with any non-compliance and shall initiate disciplinary action for such non-compliance, where appropriate.