Departmental access to university data must be ensured throughout the employee lifecycle. NIU Employees may change positions, retire, or leave the university for any number of reasons; and it is the responsibility of the department to continue operations throughout these changes by making sure all university data remains accessible to the department.
It is important for departments to know that, based on the employee account type and schedule of access defined by the NIU Account Lifecycle, employees that separate from the university will automatically lose access to their NIU email and files. In addition, a short period after their separation, all the data in their individual email box and file folders will be permanently deleted. The deleted data could include vital documents that may not have been transferred to the department during an exit interview.
Following these guidelines will help departments maintain university data availability through all types of employee events and changes.
Using Shared Resources
It is recommended that the department determine which university email and files should be stored and used from shared resources in O365 or in NIU managed departmental servers; and which can be stored and conducted from an employee’s individual resources such as their individual email box, individual OneDrive, or individual local computer.
The benefits of using shared resources are:
- All university data remains available after employees separate from the university without there having to be an extra transfer step during an exit interview.
- There is transparency to activities within that resource which helps enforce individual accountability for job performance and prevent potential misuse of resources.
Important items to note when using shared resources:
- The department is responsible for carefully managing access to these resources. Access to shared email or file resources is NOT automatically removed when an employee changes duties or positions within the university. It is recommended that the department review and document access to the shared resources whenever:
- A new employee is on-boarded into the department
- A current employee changes duties or leaves the department.
- The department conducts exit interviews.
- On a regular schedule as determined by the needs of the department
- There could be more risk to these shared resources due to compromised accounts and malware. The more people that have access to a resource, the higher the likelihood that any individual could compromise that resource. The department should carefully balance the need for access and the need for security by:
- only granting access to the minimum number of accounts needed for the resource
- only granting the minimum access needed to those resources.
- emphasizing the need for employees to stay safe online, report unusual email requests and account activities
- engaging information security for additional guidance on keeping safe and secure
Setting employee expectations
It is recommended that the departments take the time to set employee expectations on university data management. This is especially helpful when onboarding a new employee. This includes but is not limited to:
- What university data is required to be shared within the department?
- Consider official university records
- Consider all files and data that are critical for the continued operation of the department, such as agreements, contracts, etc.
- How university data will be shared and stored, for example:
- A Departmental Teams site
- A Departmental SharePoint
- A Departmental OneDrive location
- A Departmental file server
- Who will have access to the data?
- What are the other information security requirements of that data?
- How will data that resides in the employees’ individual email box or file locations be transferred exclusively to the department if the employee ever changes roles, leaves the department, or separates from the university.
- Lastly it is important to explain, especially to new employees, that all file and email resources are property of the university, and in case of emergency, temporary access to an individual’s email or files may be granted based on the privacy policy and procedures.
Having a documented plan
It is recommended that the department develop and document a plan for common but unpredictable life events that may prevent an employee from continuing their work with a department. Examples of this could be a sudden illness or accident.
Unfortunately, another unpredictable event could be that an employee became the victim of a hacking attack or ransomware that makes university data unavailable.
Other common issues are more predictable such as an employee leaving the department for any number of reasons. The department should have a thorough checklist of data and knowledge to transfer to the department prior to the planned exit of an employee. This should be implemented as far in advance of the employee’s last day with the department as possible.