Contents
1 INTRODUCTION
1.1 Purpose
1.2 Scope
2 ROLES AND RESPONSIBILITIES
2.1 Campus Support Services (CSS)
2.2 Director of CSS
2.3 User Support Services
2.4 Problem and Endpoint Management
2.5 Separating Supervisor
2.6 Office of Information Security
2.7 Director of Administrative Systems
2.8 Manager of User Services
2.9 Identity and Access Manager
3 ACCOUNTABILITY
3.1 Enforcement
4 PROCESS
4.1 Alignment
4.2 Voluntary Separation Process
4.2.1 Human Resources
4.2.2 Automated Identity system
4.2.3 Supervisor of leaving Employee
4.2.4 User Services Specialists
4.2.5 Campus Support Services
4.3 Involuntary Separation Process
4.3.1 Separating Supervisor
4.3.2 Manager of User Services or Director of Administrative Systems
4.3.3 Separating Supervisor
4.3.4 Campus Support Services
4.4 Unretrievable devices
4.4.1 Campus Coordinators
4.4.2 The Director of CSS
4.4.3 Problem and Endpoint Management
5. REVIEW, APPROVAL AND REVISION HISTORY
5.1 Review and Approval
5.2 Revision History
Appendix 1 Device Recovery Email
Abbreviations
- TCC: Tarrant County College
- ISSC: Information Security Steering Committee
- ITBA: Information Technology Business administration
- CSS: Campus Support Services
- PE/M: Problem and Endpoint Management
- UAC: User Acceptance Agreement
- AUG: Acceptable Use Guide
- ERP: Enterprise Resource Planning
Definitions
- XTRM: A report run in TCCs Colleague System that tracks all employees with an end of employment date.
Referenced Documents
- Texas TAC 202
- Texas Cybersecurity Framework
- Texas State Security Controls Catalog
1 INTRODUCTION
1.1 Purpose
The importance of fiscal stewardship and necessity to protect the Tarrant County College network, a process is needed to recover devices and de-provision accounts from employees leaving the college.
1.2 Scope
This standard applies to all devices and accounts issued by TCC.
2 ROLES AND RESPONSIBILITIES
2.1 Campus Support Services (CSS) – responsible for recovering and resetting devices
2.2 Director of CSS – will help with unrecovered devices
2.3 User Support Services – responsible for creating the XTRM list and informing Campus Support and deprovisioning non automated accounts
2.4 Problem and Endpoint Management – Responsible for deactivating unrecovered devices
2.5 Separating Supervisor – Responsible for retrieving TCC property and informing IT and Access control of involuntary separation in a timely manner
2.6 Office of Information Security – Responsible for forensic review and chain of custody of devices and accounts as applicable
2.7 Director of Administrative Systems – Responsible for deactivating accounts in absence of Manager of User Services and overseeing the automated deactivation processes
2.8 Manager of User Services – Responsible for deactivating accounts during involuntary separation and overseeing the ERP deactivation process
2.9 Identity and Access Manager – responsible for enforcement and management of the separation process
3 ACCOUNTABILITY
3.1 Enforcement
This standard is validated and approved by the Chief Information Officer, and is enforced by the Identity and Access Manager. This procedure is created in accordance with TAC202, the Texas Cybersecurity Framework section AC-2 and PS-4, and Texas State Security Controls Catalog.
4 PROCESS
4.1 Alignment
This process aligns with User Acceptance Agreement and Acceptable Use Guidelines as agreed to by all TCC employees.
4.2 Voluntary Separation Process
4.2.1 Human Resources enters the XTRM date in Colleague system
4.2.2 Automated Identity system- convert accounts to non-employee and remove key system access
4.2.3 Supervisor of leaving Employee retrieves all devices, access badges and keys
4.2.4 User Services Specialists take the following actions:
- Run the “Termination for Access Control” report in Orbit system
- Colleague system access is terminated
- The list of “XTRMed” employees is sent to the “Term.Notify”
- Create one ticket per campus with termed employees and assign the ticket to the relevant campus coordinator.
4.2.5 Campus Support Services will take the following actions:
- Identify the devices assigned to termed employees using the InTune, Sassafrass and Laserfiche systems
- Create a ticket for each “XTRM” to retrieve the devices
- E-mail all necessary parties informing them of the attempted device recovery
- Arrange retrieval of the device(s)
- Remove the device from the termed employee in the Laserfiche system
- Inform Inventory control of the device’s new location
- Evaluate the device for reset, retiring devices appropriately
- Reset the Device
- Place device in inventory management system and store it for reuse
4.3 Involuntary Separation Process
4.3.1 Separating Supervisor
The separating supervisor will contact the Manager of User Services and/or the Director of Administrative Systems, or designate as needed, at least 1 hour prior to the meeting in which separation will take place and request that access be terminated at the time of the meeting. The supervisor will also indicate whether and to whom the employees’ email should be forwarded and/or data access given.
4.3.2 Manager of User Services or Director of Administrative Systems
The Manager of User Services (or the Director of Administrative Systems) will at the time of the separation meeting move the separating employee’s accounts to be blocked from logging in via Azure and Active Directory, arrange for separating employee’s access to the ERP system to be blocked, providing access to employee’s job-related data, and forward separating employee’s emails as needed. IT support will then review non-Azure/single sign-on systems separating employee has access to and arrange to have their accounts deactivated.
4.3.3 Separating Supervisor
The supervisor will collect access badges, keys, and issued devices from the separating employee. Supervisor will contact access control to have badges deactivated and business services to return keys. The supervisor will contact Campus Support Services to retrieve all issued devices.
4.3.4 Campus Support Services
CSS will contact the Information Security Office for forensic evaluation as needed. Information Security Office will return devices to CSS for return to inventory when available.
4.4 Unretrievable devices
For devices that CSS is unable to retrieve, the following process will be implemented:
4.4.1 Campus Coordinators will inform the Director of Campus Support Services and Problem and Endpoint Management.
4.4.2 The Director of CSS will reach out to the appropriate department chairs, deans, or directors to get assistance in finding the devices.
4.4.3 Problem and Endpoint Management will disable the device until it can be recovered.
5. REVIEW, APPROVAL AND REVISION HISTORY
This document must be reviewed and updated at least annually or when significant changes occur.
5.1 Review and Approval
Responsible Name Date
Prepared by: Homer Hensley
Reviewed by:
Validated by:
Approved by:
5.2 Revision History
Version Date Author Reviewed By Brief Description of Change
0.2 9/26/2023 Homer Hensley - Added rest of roles, inserted automated process,
1.0 10/17/2023 Homer Hensley Final draft version to be sent for approval
Appendix 1 Device Recovery Email:
Hi #######,
You are receiving this email because you have been identified as the Supervisor of Term Employee. Term Employee is no longer with TCC
but was assigned a TCC device during employment. A member of CSS will be around to pick this device up. If possible, could you collect the device and store it in a safe location?
Location:
Device Name: