Introduction:

Effective change management policies for information technology (IT) are critical for ensuring that changes are made in a controlled and consistent manner, minimizing the risk of errors, system failures, and security breaches. This policy will outline the steps that need to be taken to manage changes to IT systems manually.

Purpose:

The purpose of this policy is to establish a standard process for managing changes to IT systems manually. This policy ensures that any changes to IT systems are documented, tested, and approved before being implemented to reduce the risk of errors, outages, and data breaches.

Scope:

This policy applies to all personnel who are responsible for managing changes to IT systems manually.

Policy:

  1. Access Requests: All new employees who require access to university networks must submit an access request form to the IT department. The form should include the employee's name, job title, department, and reason for access.
    • Faculty - Network accounts may be established no earlier than 45 days before classes start by HR updating the current hire date in Banner PEAEMPL. Future hires can be set up at any time in Banner, but the network accounts will not be turned on earlier than 45 days before they actually start.

An exception process for full-time faculty to obtain network access earlier than 45 days prior to their actual start date has been provided on a case-by-case basis by the CIO. The Dean's office will update the SIAINST Faculty Status Validation field to "TM" for "Temporary Network Access". Access will be granted within one business day after the SIAINST record has been updated.

  • Staff - Network accounts will be suspended on term date with the option for managerial review for a limited period not to exceed 30 days or anytime by management authorization by HR current hire date in Banner PEAEMPL.  If accounts are inactive after 90 days, the account will be suspended and will be turned on after contacting Computer Services.
  1. Access Approval: Access requests must be approved by the employee's supervisor and the IT department. The IT department will verify the employee's identity and confirm that the employee has a legitimate business need for network access.
  2. Access Levels: The IT department will grant network access based on the employee's job responsibilities. Access levels should be reviewed periodically and adjusted as necessary.
  3. Usernames and Passwords: The IT department will assign usernames and passwords to new employees for network access. Passwords must be strong and changed periodically. Employees should not share their usernames and passwords with anyone.
  4. Training: All new employees must receive training on network security policies and procedures before they are granted access.  Annual recurring training will be mandated to retain a network account.
  5. Termination: When an employee leaves the University, their network access must be terminated immediately, and any university-purchased laptops, cell phones, etc. are to be returned to Computer Services for reimaging and reassignment after being retained for 30 days. The IT department must be notified of the employee's departure as soon as possible. Network access must also be terminated for employees who are transferred to another department or who no longer require access. All network termination requests must be submitted via a ticket to the Rockhurst Help Desk.
    • Faculty - Network accounts will be suspended 50 days after termination in Banner or anytime by management authorization by HR updating the termination date in PEAEMPL. If accounts are inactive after 90 days, the account will be suspended and will be turned on after contacting Computer Services.
    • Staff - Network accounts will be suspended on term date with the option for managerial review for a limited period not to exceed 30 days or anytime by management authorization by HR current hire date in Banner PEAEMPL. If accounts are inactive after 90 days, the account will be suspended and will be turned on after contacting Computer Services.
  6. Data Removal: The IT department must remove all University data from the employee's devices when their network access is terminated. This includes laptops, mobile devices, and any other equipment provided by the University.
  7. Monitoring: The IT department will monitor network activity to ensure compliance with network security policies and to detect any unauthorized access attempts.
  8. Consequences of Violations: Violations of network security policies may result in disciplinary action, up to and including termination of employment.

Conclusion:

By implementing a Network Access Onboarding and Termination Policy, Rockhurst University can ensure the security of its networks and protect sensitive data from unauthorized access. It is important to review and update this policy periodically to ensure that it remains effective in meeting the University's needs.