Policy number: CS-1509-2021
Policy Title: IT User Account Lifecycle
Policy Owner: Chief Information Officer
Effective Date: January 27, 2021
This policy provides Mohawk College with explicit timelines on the closure of user accounts. The College must keep an accurate and timely account registry to protect the personally identifiable information of our community members, the integrity and availability of our systems, and to further maintain cost-efficient infrastructure and licensing.
This policy applies to applicants, students, former students, alumni, employees, former employees, retirees, and third parties of the College and applies to all systems such as but not limited to operating systems, applications, databases, devices, directory services, e-mail, cloud applications, and stand-alone systems.
“Active Directory” is the centralized user account directory that users authenticate against to obtain access to applications, devices, and data.
“Person Record” is the unique record in the College’s primary information system that identifies the individual.
“Job Record” is a record in the College’s primary information system that identifies that a person has an authorized job which indicates a start and end date.
“User” is a person that has been authorized to interact with an Information Technology system such as an application, device, database, or dataset among others.
“User Account” is an account configured by a system administrator either manually or using automation which is assigned to an individual user. Accounts can be locally configured or part of a User Account Directory such as Active Directory.
The rules defined within this policy govern technology professionals in protecting information systems and give the College agility when procuring and maintaining technology solutions that are licensed on a per-user account basis, which will further reduce the overall costs of Information Technology infrastructure.
5.1 Accountability Framework
This policy has been approved by the Senior Leadership Team.
The Chief Information Officer is responsible for monitoring and enforcing this policy.
6.1 User Access and Termination for College Active Directory Accounts
Individuals who apply to Mohawk College are provided with an applicant account which provides access to e-mail and MyMohawk for application and registration purposes. This account remains active for 2 years from the time of applying.
Student accounts are generated automatically through registration or application processes and are further provisioned with access to systems as required. Student accounts are active for 1 year after the last day of class in which they were registered. Students are encouraged to copy personal items to personal storage and anticipate the closure of their accounts. Mailbox contents are not recoverable after account closure.
6.1.3 Student Employees
Student Employees are provided with a separate student employee user account which must be requested by their manager. This account is to be used for all work-related activities. The account is disabled at the end of employment as per the schedule defined below.
Employee user accounts are generated once Human Resources has entered a valid person, payroll, and job record into the Human Resources system; a signed and accepted job offer must also be completed within the system.
User account credentials are to be sent to the new employee’s personal e-mail as recorded at the time of hire or may be communicated by the hiring manager in advance of start date if the individual is a Faculty member or is further approved by the hiring Human Resources Consultant.
User accounts are disabled at the end of employment either by notification to the Helpdesk by the direct supervisor, a Human Resources Consultant, or data analysis and automation conducted by Information Technology in which the following rules specifically apply:
Faculty user accounts remain fully active for a 45-day grace period after employment to ensure that grades can be posted and they are able to respond to student inquiries.
Faculty retain e-mail access for a further period of 1 year to be able to communicate with managers regarding return on contracts.
All other employee user accounts are disabled at the end of their last day of employment.
Employees are advised to set an out of office alert identifying their direct supervisor as the contact before the last day of employment. Human Resources may request this message to be set by contacting Information Technology. Employees are to copy and remove any content that is personal which is not the intellectual property or sensitive information owned by the College.
Inactive Employees
Employees that are not currently active will have their accounts disabled during their period of inactivity and an out of office message will be set to direct individuals to the appropriate contact to facilitate communications.
Employees who retire from Mohawk College do not retain systems access or email access.
6.1.6 Third Party Accounts (College affiliates, contractors, professional services)
The College may create accounts for contractors or other third parties to perform work or represent the College. The contract manager is responsible for establishing the identity of the individual, submitting a Third-Party Access Request Form to the Service Desk, and authorizing the individual's access. Third Party Accounts receive access to only what is requested and are not automatically entitled to e-mail, portal, or other licensed services. The third-party individual must sign the access request form as acknowledgement of Acceptable Use Policies. The maximum duration of a third-party account is 6 months and access must be set to automatically disable. If access is required for longer than 6 months, the Mohawk College contact responsible for the third-party account may reauthorize an extension only at the end of the 6 months.
6.1.7 Visitors and Guests
Visitors and Guests of the College will be provided Internet Only Wi-Fi accounts enrolled through the Eduroam Visitor Access Portal by any employee. Visitor accounts have a maximum duration of 14 calendar days. Employees are responsible for account creation and accountable for their guest’s behaviour. Account generations are strictly monitored for abuse. Where access to a classroom or library computer is required, guests can request an account through the IT Service Desk and must be authorized by a Mohawk College employee.
6.2 Employee Separation Where the Employee is also a Student
Employees that are enrolled as active students at the end of employment are transitioned to a student account.
6.3 User Accounts not Maintained as a part of Active Directory
All systems owned and operated by Mohawk College must have user accounts maintained following the schedules as listed in section 6.1 of this policy.
6.4 Electronic Contents After Employment
Information Technology will maintain contents created by employees on home drives and mailboxes for 6 months in backup. Upon request and authorization of a Human Resources Consultant, Senior Leadership Team, or Mohawk Executive Group member, access to this information may be provided to the departed employee’s manager or to Human Resources. Information may be retained indefinitely if it is subject to litigation.
6.5 Deceased Students and Employees
Mohawk College community members who become deceased may have their beneficiary or estate request access to the electronic content through legal process. These requests will be handled on a case-by-case basis and privacy of College information will be carefully handled. All personal user created content belonging to the deceased will be deleted after 1 year.
6.6 User Role Assignment
The College must maintain an accurate registry of users along with their assigned roles within the College’s ERP System. Each role must be kept current with every change.
7.1 Revision Date
The Chief Information Officer and Manager of IT Security will review this policy and ensure it is accurate and maintained.