Vous êtes sur la page 1sur 9

Cornell Information Technology Process Improvement

DEPROVISIONING IT ACCESS GRANTED TO CIT STAFF CORNELL INFORMATION TECHNOLOGIES IT PROCEDURE DOCUMENT Document Number: PRC 2010-011 Comments: Document Revision History Date Author
11/9/2010 11/10/2010 11/18/2010 Jim Haustein Jim Haustein

Related Document Numbers:

Version
0.10 0.11

Description
Ready for Review Additional modifications made Released to CIT

Tom Young/Jim Haustein 1.0

PURPOSE
Deprovisioning of an individuals access to IT resources (henceforth simply referred to as access) occurs when an employees status with CIT changes; for example, a change in role within CIT, transfer to another University unit, or separation from the University. This procedure provides a consistent, reliable and verifiable deprovisioning process for CIT by outlining roles and responsibilities for ensuring that access privileges granted to CIT staff are revoked when no longer required. Scope Scope of deprovisioning included within this document: Campus privileges or universal employee entitlements. o Managed by the Computer Access group. CIT-wide privileges. o Managed by CIT Administration/Human Resources/CIT Technical Support. Role-based privileges. o Managed within the Divisions. Strictly local role-based privileges. Managed within the immediate work group.

Cornell Information Technology IT Process Improvement `

BACKGROUND
Types of Privileges Role based privileges are privileges which are required to perform an employees job role. Role based privileges are generally not managed centrally (that is, by the CIT Administration Division or CIT Technical Support). Some are strictly local to a work group (TSM, KDC, PBX, etc.) Many extend beyond a single work group (PeopleSoft access, for example) or Division (for example, accounts on systems in the server farm). Types of role based privileges include the following: Access for supporting campus services and infrastructure o o Network switches, servers, applications (PeopleSoft, Blackboard, Exchange, etc.). Physical access to the server farm and PBX.

Access for supporting internal services. o File server, internal web site, FRS, RT queues.

End user access to University and CIT services. o Net admin, telecomm coordinator, purchasing approvals, Remedy, internal services (for example, FRS, specific server directories).

CIT privileges include the CIT staff Active Directory group, mailing lists, VPN (virtual private network) group, web site, file server access and some services not specific to CIT (EZ-Backup account, telephone, network jack). Campus privileges include most NetID based privileges (Exchange, PeopleSoft self-service, VPN, Kronos, Red Rover Secure); also wireless network device registration.

Deprovisioning Events Certain changes in employee status may require deprovisioning. For any change in status that triggers deprovisioning, all CIT divisions will need to check what privileges they have granted to the employee. Change in role within CIT. o All current role-based privileges removed.

Transfer to another University unit. o All privileges specific to CIT are removed.

CIT IT Process Improvement Procedure 2010-011 2 of 9

Security Review Version .1.0

Cornell Information Technology IT Process Improvement `

Separation from the University o o Examples: Resignation, retirement, layoff, termination with cause, administrative suspension, leave, etc. Lose all CIT privileges and most campus privileges.

Provisioning Point Catalog Each Division Security Officer will maintain aprovisioning point catalog of the privileges his or her division grants to CIT staff. The catalog comprises the following: Privilege(s) granted. Contact information. As feasible, specific systems or services controlled by Deprovisioning Points. o Including whether production, test or development. Normal turnaround time. Types of authentication. o Are NetIDs used, in association with KDC or AD? (Yes/No/Mixed) o Note any use of a shared password. Types of authorization. o Permit (specify) or Application-Internal. Whether or not high-risk. Whether or not strictly local.

Priorities and Time Frames CIT Directors will identify the provisioning points that control high-risk access within their Division. High-risk access is any access where misuse of privileged access to campus systems and services could disrupt University operations. High-risk access will be flagged in the Provisioning Point Catalog. Relevant high-risk access must be disabled by the close-of-business on the day of the change in status. For all other access privileges, provisioning points must provide the standard time for fulfilling request, which the Director has to review and approve.

PROCEDURE
Normal Deprovisioning The activity details follow the swimlane procedure diagram.

CIT IT Process Improvement Procedure 2010-011 3 of 9

Security Review Version .1.0

101. INITIATE CIT DEPROVISIONING PROCESS

102. ADVISE DIRECTOR, DEPROVISIONING OWNER AND ALL DIVISION SECURITY OFFICERS 104. MANAGE CITWIDE PRIVLEGE DEPROVISION 105. MANAGE DEPROVISIONING OF PHYSICAL ASSETS AND ACCESS. 118. DOCUMENT DEPROVISIONING

103. AS APPROPRIATE, NOTIFY SRM+ OF THE CHANGE OM THE STAFF MEMBERS STATUS.

STOP

START

111. ENSURE DEPROVISIONING OCCURS WITHIN REQUIRED TIME FRAME

YES 109. LACK OF RESPONSE? 110. ESCALATE TO DIRECTOR

CIT IT Process Improvement Procedure 2010-011 4 of 9


106. SEND REQUEST TO PROVISIONING POINTS TO REMOVE PRIVLEGES NO 112. COMMUNICATE RESULTS TO OWNER 107. REMOVE PRIVLEGES 108. COMMUNICATE RESULTS TO DIVISION SECURITY OFFICER 113. DELEGATE TASKS 116. VALIDATE THAT PROCESS STEPS ARE COMPLETED 117. REPORT RESULTS TO CIT ADMIN AND DEPROVISIONING DIRECTOR 114. MANAGE LOCAL PRIVLEGES WITHIN WORK GROUP 115. COMMUNICATE RESULTS TO OWNER

Cornell Information Technology IT Process Improvement

Security Review Version .1.0

Cornell Information Technology IT Process Improvement `

101.

The CIT Administration Division will initiate the CIT deprovisioning procedure. Where applicable, it is assumed that Human Resources has authorized the deprovisioning. The CIT Administration Division will advise the Director, the Deprovisioning Owner and all CIT Divisional Security Officers of the individual being deprovisioned. Communication will be via e-mail and will state that the deprovisioning process is being initiated for the individual named.

102.

103.

As appropriate, notify SRM+ of the change in the staff members status. This step will be executed for all separations. The CIT Administration Division will manage CIT-wide privilege deprovisioning. As appropriate, they will also manage the deprovisioning of campus privileges. The CIT Administration Division will manage the deprovisioning of physical assets and access using procedures which do not form part of the scope of this document. The Division Security Officers will send requests to provisioning points to remove privileges. Divisions will manage Deprovisioning Points in a manner determined by that Division.

104.

105.

106.

107. 108. 109.

Deprovisioning Points will remove privileges. Deprovisioning Points will report results to their Division Security Officer. If the Division Security Officers are not receiving the appropriate level of response from any provisioning point, then 110. The Division Security Officer will escalate the request for deprovisioning to their Director. The Division Security Officers Director will ensure that the deprovisioning occurs within the required time frame.

111.

112.

The Division Security Officers will communicate results to the Deprovisioning Owner. This will be a status of positive results and should be in e-mail format. The Division Security Officers will communicate results as they come in; the Deprovisioning Owner will compile them.

113.

The Deprovisioning Owner will delegate tasks as appropriate to the Immediate Supervisor of the individual being deprovisioned. The Immediate Supervisor will manage local privileges within the work group.

114.

CIT IT Process Improvement Procedure 2010-011 5 of 9

Security Review Version .1.0

Cornell Information Technology IT Process Improvement `

The Immediate Supervisor will need to consider strictly local privileges that may have been granted by functional supervisors outside of the supervisor or records workgroup (including projects). 115. The Immediate Supervisor will communicate positive results to the Deprovisioning Owner. This will include local deprovisioning and deprovisioning outside of the functional area. The Deprovisioning Owner will validate that deprovisioning process steps are completed (that is, verify that positive results have been obtained for all required deprovisioning). The Deprovisioning Owner will report results to CIT Administration and the Deprovisioning Director (that is, the Director whose Division is where the deprovisioning is occurring). CIT Administration will document the deprovisioning.

116.

117.

118.

Normal Deprovisioning should occur by close-of-business on the last day that the employee being deprovisioned is part of the CIT Organization.

Deprovisioning for Individuals who Change Roles within CIT By default, when someone moves to a different role in CIT, all role-based privileges should be removed. o o o o The trigger is moving to another group where the nature or scope of the work is different. Role-based privileges can be carried over only with the agreement of both the old and the new supervisors, with a time limit set if retaining privileges are only for transition. For a new role or assignment within a workgroup, whether or not all current role-based privileges need to be removed is a management decision. Care must always be taken that any retained privileges do not violate separation of duties.

Special caution must be taken to ensure that any privileges that are retained for a period of time to facilitate transition of responsibilities are revoked when no longer needed. Based on input from Provisioning Points, the Deprovisioning Owner is responsible for ensuring these privileges are revoked. Deprovisioning for individuals who change roles within CIT should occur as quickly as practical.

Rapid Deprovisioning Rapid Deprovisioning is the accelerated and carefully-timed process needed for a hostile separation (for example, termination). . Access to and rights on all high-risk infrastructure and services need to be cut off with the utmost of urgency.

CIT IT Process Improvement Procedure 2010-011 6 of 9

Security Review Version .1.0

Cornell Information Technology IT Process Improvement `

The procedure for Rapid Deprovisioning will be the same as that for normal deprovisioning with the following variations: Rapid Deprovisioning will be coordinated by the first available of: o o o CIT Chief Security Officer Director of CIT Administration Director of Employees Division

Although a sensitive matter, all provisioning points need to be involved. All high-risk access must be removed at the time of the event. Authorization from Human Resources is needed for immediate NetID deactivation. Where disabling authentication is sufficient to block access, removal of authorization can wait. Rapid deprovisioning will generally be scheduled with relevant Deprovisioning Points in advance. If separation is unforeseen, communication may be via telephone; however, confirming e-mail needs to be sent afterwards. CIT Technical Support will have the task of security the employee(s) workstation. Sensitive rapid deprovisioning may be partial at the time of the event. at the inception of a product or service development effort.

PEOPLE
CIT Administration Division division within CIT that is responsible for administration. Initiates the deprovisioning process, including, as appropriate, campus-level privileges. Manages CIT-wide privileges, in conjunction with CIT Technical Support. Ensures Deprovisioning Owner reports results. Retains documentation of the deprovisioning.

CIT Director the Divisional lead within the CIT management chain. Accountable for ensuring: Appointment of a Division Security Officer and a back-up

CIT IT Process Improvement Procedure 2010-011 7 of 9

Security Review Version .1.0

Cornell Information Technology IT Process Improvement `

Operation of provisioning points in their respective divisions. Their managers awareness of processes.

Deprovisioning Director the Director whose Division is where the deprovisioning is occurring. Deprovisioning Owner the manager in the employees management chain who reports directly to the Deprovisioning Director (thus, a member of SRM+). In the event that a member of SRM+ is being deprovisioned, the Director will act as the deprovisioning owner. Accountable for the deprovisioning of employees in their area. o Specific tasks can be delegated to immediate supervisors but not overall accountability. Validate that all steps of the process are completed. Consolidate and report results of deprovisioning process.

Deprovisioning Points any point within CIT where the process happens for creating or removing an IT access privilege. Develops process for fulfilling deprovisioning requests. Ensures redundancy of personnel, e-mail and phone contact. Provisioning points must have redundant personnel. Supplies required Provisioning Point Catalog information to the Divisional Security Officer and informs of any changes. Reviews access lists at least once every six months and reports such to the Division Security Officer.

By default, the Deprovisioning Points will assign any orphaned roles (process or IT access-based) of the individual being deprovisioned to the Deprovisioning Owner. Division Security Officer individual appointed by their Director to coordinate their Divisions security program. Develops and maintains the Provisioning Point Catalog of role-based provisioning points, including strictly local ones. Ensures each provisioning point (except strictly local) maintains redundancy of both phone and email contacts. For any deprovisioning event, sends all provisioning points in the division (except strictly local ones) a request to remove any privileges granted to the employee. Escalates any lack of response to the Division Director. Communicates results to Deprovisioning Owner.

CIT IT Process Improvement Procedure 2010-011 8 of 9

Security Review Version .1.0

Cornell Information Technology IT Process Improvement `

Division Security Officers Director the Director who an individual Divisional Security Officer reports through. Immediate Supervisor line manager of record. Manage strictly local privileges within their work group.

The owner of this procedure is the Chief CIT Security Officer.

CIT IT Process Improvement Procedure 2010-011 9 of 9

Security Review Version .1.0