Identity and Access Management

Created by Danny Wong, Modified on Sun, 25 Oct 2020 at 11:52 AM by Danny Wong

Policy Statement

Business employs a number of administrative and technical controls in support of identity and access management. All Business Users are expected to comply with these standards for providing, modifying, and terminating an individual’s physical and logical access throughout his/her engagement at Business.


Reason for Policy

This policy establishes principles and provisions to support the security and management of information assets and privacy of data in line with regulatory requirements.


Who Should Read this Policy

All users of Business.


1. Identity Management

1.1 Person Types

Business has identified several person types in support of identity management in order to assign identities across information systems. The following summarized person types are the most common at Business:

  1. All Employees
  2. All Subcontractors
  3. All Partners
  4. All Service Providers
  5. All Interns
  6. All Visitors
  7. All Volunteers


1.2 Business Access

The Business Access Login is a unique identifier consisting of a username of at least seven characters. It is assigned to any individual who is generally present at the Business, who accesses a Business system, or who needs to be tracked by a business unit.


Only one Business Access Login is assigned per individual, on approval from the Business Owner. The account associated with a Business Access Login is deactivated when an individual leaves the Business; a Business Access Login is never reassigned to someone else. The account associated with a Business Access Login can be reinstated should the individual return to the Business after a period of inactivity or other absence.


The following list includes, but is not limited to, the types of individuals who will be assigned a Business Access Login:

  1. All Employees
  2. All Subcontractors
  3. All Partners
  4. All Service Providers
  5. All Interns
  6. All Visitors
  7. All Volunteers


1.3 Business Access Login Creation

The process for creating a Business Access Login for a new employee is initiated by Human Resources once the applicable paperwork is completed. Business Access Logins for non-employees (temporary staff, volunteers, vendors, consultants, etc.) are requested by the Department Managers and created on approval by the Business Owners.


1.3.1 Minimum Information Required

The following data attributes are required to create a Business Access Login:

  1. first name
  2. last name
  3. month and day of birth
  4. personal email address
  5. mobile phone number


2. Removal of Access Rights

The access rights of all employees and third-party users of information and information assets shall be removed upon termination or withdrawal of their employment, contract, or agreement, and adjusted upon a change of employment where applicable.


2.1 Scheduled Termination

Upon termination, the access rights for the individual shall be disabled within 24 hours.


2.2 Immediate Termination due to Severe Misconduct

At the request and discretion of Human Resources, an individual’s access rights shall be terminated immediately following a resignation notice, notice of dismissal, or similar event wherever continued access is perceived to present an increased risk.


2.3 Leaves of Absence

Individuals on a leave of absence may have their access rights reduced in accordance with the type of leave and expected work responsibilities.


In all cases, email access will remain active in order to maintain communication. Access to business systems may be suspended and/or reinstated based on the type of leave.


2.4 Reduction of Access Rights

At the request and discretion of Human Resources, an individual’s access rights shall be reduced or removed prior to a termination or transfer. Such discretion shall be based on:

  1. whether the termination or change is initiated by the individual or by management, and the reason for the termination
  2. the individual’s current responsibilities
  3. the classification and sensitivity of information assets accessible to the individual

2.5 Inactive Accounts

An inactive account is an account that has not been used for any purpose for a period of 180 days, including accounts of recently terminated individuals. ITS shall run a periodic audit, at least quarterly, to identify and remove redundant, unneeded, or inactive accounts. Any inactive account shall be disabled.


2.6 Suspended Accounts

A suspended account is an inactive account whose owner is on an extended leave of absence and is still actively affiliated with Business. Such cases may include maternity/paternity leave, short- or long-term disability, sabbatical, etc. These accounts may remain in a disabled state for the duration of the leave of absence and may be re-enabled (restored) upon the individual’s return to the Business.


2.7 Other Account Credentials

If an individual knows the passwords of accounts or information assets that remain active, those passwords shall be changed upon the individual’s termination or change of roles.


3. Additional Offboarding Responsibilities

Upon termination or transfer of an individual at Business, additional tasks (other than removal of access rights) must be completed in a timely manner and documented to signify completion. The individual’s supervisor or the respective department administrator is responsible for completing the Offboarding Checklist, including, but not limited to, the following tasks.


3.1 Building Access

All building identification cards that identify or associate the individual with Business or its affiliates must be collected and securely discarded. Any office or facility keys that provide access to Business-managed or affiliate-managed space must be collected and retained.


3.2 Electronic Equipment

Upon the individual’s termination or transfer from Business, information systems associated with, assigned to, or primarily used by the individual must be inventoried and retained unless prior written arrangements have been made. The ITS asset management system can be used to assist with reconciling the inventory of the individual’s electronic equipment. Common types of information systems include laptops, desktops, smartphones, tablets, servers, external or portable hard drives, flash media, CDs, DVDs, etc.


Individuals wishing to keep institution-owned computer equipment must have written approval from their Department Administrator and a completed Asset Disposal Request. All systems must be appropriately sanitized and securely erased by ITS.


Business data stored on tagged mobile devices (smartphones and tablets) will be remotely erased by ITS at time of termination.


3.3 Custodial Access

Supervisors may request access to a terminated user’s electronic files, including email, voicemail, and computer, after the user’s last working day at Business. Requests by a Department Administrator, Chair, or Director (where applicable) may be submitted to Human Resources for review. Upon approval, access will be granted to the designated custodian.


If the user is transferring to another department or position within Business, custodial access shall be limited to data relevant to the user’s exiting job responsibilities.


4. Additional Resources

  1. Asset Disposal Request
  2. Offboarding Checklist


5. Related Policies

  1. Responsible Use of Information Technology Resources
  2. Integrity Policy
  3. Physical Security
  4. Authentication and Authorization
  5. Administrative Security
