Supervisor's Guide to Information Security & Policy

Employees' accounts, data, and access

Can I restrict my employees' personal use of their computers while at work?

IU policy allows employees some incidental personal use in the course of their work duties. However, that personal use must be appropriate; it must not violate the law, interfere with the employee's work responsibilities, or conflict with the university's mission of providing education through teaching, research, and public service. Additionally, employees may not use university resources for commercial or private gain, or for activities that are inconsistent with the university's tax-exempt status (such as political campaigning).

Supervisors are authorized to require employees to cease or limit any incidental personal use that interferes with job performance or violates university policy. If you feel that your employees may be neglecting work due to incidental personal use, you can address their behavior using progressive discipline, but be sure to consult with your departmental human resources person, the central human resources office, or the employee relations office. Be careful to address the job duties being neglected, not the personal use.

If you are unsure of the relationship of the incidental personal use to the university's mission, you can contact the University Information Policy Office (UIPO) or your regional campus Chief Information Officer (CIO) to help you determine whether the use is appropriate.

Investigations of Misconduct

An employee's access to computers or accounts may be disabled or limited while an investigation is being conducted into alleged misconduct, even if the person is still employed by IU.

Reasons for restricting employees' use of computers or accounts while at work include, but aren't limited to, the following:

  • Concern for safety of departmental or other systems and data
  • Reasonable belief that the employee is involved in illegal activities
  • Reasonable belief that the employee has violated university policy

If you feel that an active employee's use of computers or accounts needs to be disabled or restricted, be sure to consult with your departmental human resources person, the central human resources office, or the employee relations office BEFORE taking any action.

Tips

To avoid the problem altogether, your department can publish a local policy that defines the acceptable level and nature of incidental personal use. When writing departmental policies, be careful to avoid targeting individuals.

More Information

This information is based on the university's IT policy IT-01 and IT policy IT-03.

For consultation in handling particular situations (preferably before taking action), contact your campus human resources office (contact information is available at http://kb.iu.edu/data/akwe.html), your campus employee relations office (812-856-5572 at IU Bloomington, 317-274-8931 at IUPUI), and/or the UIPO for all campuses.


Can I access my employees' computer data, email, or voice mail?

In order to promote free discourse and maintain the environment appropriate to a learning institution, and because the university does allow incidental personal use, university policies protect the right to privacy of computer data whenever possible. There are, however, times when a legitimate need arises for which you as a supervisor require access to an employee's computer data:

  • If you need access to proceed with work and the employee is unavailable to access the data for you, obtain written (email or paper) permission from the employee granting access to the content.
  • If the employee can't grant permission (e.g., has been terminated, is deceased or incapacitated), get written permission from your department's senior executive officer.
  • If you think the employee is engaged in illegal activities using university accounts or resources, or if you believe the individual is violating university policy, get written authorization from the appropriate campus chancellor.
  • In an emergency situation where you believe processes active in an employee's account or on an employee's device can cause or are causing system degradation or damage to other data, a technician or administrator can permit immediate access.
  • If the employee is involved in fiscal misconduct, you will need a directive from the Director of Internal Audit.
  • For other legal matters, you may need a court order or other legal documents and further direction from University Counsel.

Unless it's inappropriate or impossible, you should notify the employee before you access the data. Otherwise, you should notify the employee as soon as possible after the access.

Without specific authorization, you may use system-generated, content-neutral information (i.e., system logs, login records, connection logs, network activity logs, email logs, and auditing logs) to:

  • Monitor system and storage usage
  • Troubleshoot
  • Secure departmental systems
  • Investigate technology abuse or misuse
  • Support formal audits

When you contact a technician for access to an employee's data, that technician is required, where possible, to consult with the appropriate campus Chief Information Officer (CIO), who ensures that the appropriate authorization or permission has been granted. In doing so, the campus CIO is encouraged to consult with a university Information Technology Policy Officer, who can provide advice and policy interpretation not only to the CIOs, but also to you directly.

Tips

To ensure uninterrupted access to office communications, consider creating a departmental email account, which you can then publish as your contact point instead of publishing an individual's email account. Departmental account access can be assigned to different individuals depending on who is working at the time. Information about getting departmental accounts is available at http://kb.iu.edu/data/acyi.html.

To ensure uninterrupted access to shared data, you can name folders something generic, e.g., "Project X". Folders that are named with an employee's username or name are considered assigned to that user and require the authorization provisions above.

For access to email data that requires frequent sharing, consider using Folder Permissions or the Delegate feature in Microsoft Outlook. The owner of the account sets up the permissions or delegate access, thereby authorizing it. For instructions on how to do this within Outlook, see In Outlook for Windows, how do I allow other users to view my Calendar or other folders in my Exchange mailbox?

More Information

This information is based on the university's IT policy IT-07.

For consultation in handling particular situations (preferably before taking action), contact your campus human resources office (contact information is available at How do I contact the human resources office at each IU campus?), your campus employee relations office (812-856-5572 at IU Bloomington, 317-274-8931 at IUPUI), and/or the University Information Policy Office (UIPO) for all campuses.

For instructions for sharing folders, visit In Windows, how do I share a folder, drive, or printer on the network?.


What should I do if I have a suspected security breach?

You are legally required to report security breaches and notify the individuals involved, if the security breach disclosed or exposed a Social Security number (SSN), or any of the following in combination with a first name/initial and a last name:

  • Credit card, debit card, or any other financial account numbers
  • Access or security codes, or any passwords
  • Driver's license or state identification card numbers

You can find detailed steps for reporting a suspected breach on the UIPO security incident response pages.

Notification to affected individuals usually comes from the unit associated with the breach, but be sure to coordinate with the IIA incident response team. They will make sure the appropriate forensic steps have taken place and that the appropriate notification procedure is followed.

More information

The breach notification law is available at http://www.in.gov/legislative/ic/code/title4/ar1/ch11.html.

For information about protecting sensitive data and data protection laws, see the UIPO Data Protection pages.

Feel free to contact the UIPO if you would like more information.


What should I do if I suspect an employee is misusing or abusing information or information technology at IU?

If you suspect that an employee may be misusing or abusing information or information technology at IU, first try to identify specifically what policy or law may have been violated. If you need assistance finding or interpreting applicable policies or laws, you can consult with any of the following:

  • Your departmental, campus, or University Human Resources office (if the employee in question is a staff member)
  • Your departmental, campus, or University Dean of Faculties Office (if the employee in question is a faculty member)
  • The University Information Policy Office
  • University Counsel (812-855-9739 for all campuses other than IUPUI; 317-274-7460 for IUPUI)

Once you have identified the applicable policy or law, you can address the behavior using progressive discipline, but be sure to consult with your departmental human resources person, the central human resources office, or the employee relations office before taking any action.

If you need to gather technical evidence or need a technical investigation or forensics expert, please contact the UIPO Incident Response team. Usually, results from the technical investigation or forensics study will be provided to the central administrative office for the category of employee (UHRS Employee Relations for staff, and Dean of Faculties for faculty), rather than the supervisor. That administrative office will coordinate next steps.

If you wish to remain anonymous while reporting a suspected abuse or misuse of information or information technology, Indiana University has a Whistleblower policy which protects your identity. You can read this policy at: http://www.iu.edu/~policies/Whistleblower.html

To use IU's anonymous reporting hotline

Visit reportfraud.iu.edu or call 888-236-7542.


When employees leave

What if an employee is leaving the university or changing departments?

Before an employee leaves

While employees do transfer to other departments or leave the university outright, the business of your department and the university must progress. If a single employee serves as the point of contact for one or more departments, transitioning to new staff can be difficult without proper preparation. Here are some things to consider doing to make staff transitions easier before you have a problem:

Use a departmental group account for email

To ensure uninterrupted access to office communications, consider creating a departmental email account, which you can then publish as your contact point instead of publishing an individual's email account. Departmental account access can be assigned to different individuals depending on who is working at the time.

Does your department have a web site?

Ensure that your unit has a public Web site that is easily searchable by your department's name and appears near the top of the results list in common search engines such as Google.

Be sure to keep an updated list of contact information (including telephone, email, postal mail address, and fax) on your public web site.

Utilize shared files and use generic names

To ensure uninterrupted access to shared data, you can name folders something generic, e.g., "Project X". Folders that are named with an employee's username or name are considered assigned to that user and require the authorization provisions above.

For access to email data that requires frequent sharing, consider using Folder Permissions or the Delegate feature in Microsoft Outlook. The owner of the account sets up the permissions or delegate access, thereby authorizing it. For instructions on how to do this within Outlook, see In Outlook for Windows, how do I allow other users to view my Calendar or other folders in my Exchange mailbox?

As soon as you know an employee is leaving or changing departments:

  • Collect a written resignation letter from the departing employee
  • Have the departing employee enable his or her out-of-office auto-reply with relevant information about the departure date and the new contact information. This will not limit the departing employee's ability to receive/send mail, but will begin to let others know of the upcoming transition

    NOTE: If the departing employee is also a student, this may not be feasible, or the content of the auto-reply may need to be worded to address only the work-related emails.
  • Have the employee gather his or her list of external contacts, and begin emailing each of them to inform them of the transition. The email message should provide the name/email of the new contact or temporary contact until a new employee is hired
  • Update the contact information on your department's public Web site to reflect the new contact or temporary contact until a new employee is hired
  • Ask the departing employee to begin moving all critical office documents from his or her personal folders to shared departmental locations. This includes all IU locations, both electronic (email, departmental file server, OnCourse sites, etc.) and paper. This ALSO includes all personal locations, both electronic (home computer, personal laptop, cell phone/PDA, etc.) and paper (home office, briefcase, etc.)
  • Ask the departing employee to begin removing all personal files and belongings from all IU locations, both electronic and paper

On the employee's last day:

  • Conduct an exit interview with the departing employee
  • Ensure the departing employee has moved all critical office documents from his or her personal folders to shared departmental locations. This includes all IU locations, both electronic (email, departmental file server, etc.) and paper. This ALSO includes all personal locations, both electronic (home computer, personal laptop, cell phone/PDA, etc.) and paper (home office, briefcase, etc.)
  • Ensure the departing employee has removed all personal files and belongings from all IU locations, both electronic and paper
  • Determine and implement email transition plan:
    • Departing employee manually forwards work emails to the department until the account is disabled (seven days after termination date), or
    • Set the auto forward to send all of the departing employee's emails to the department until the account is disabled. NOTE: If the departing employee expects to work in another department at IU or become an IU student, this option is not appropriate, because the email account will begin to be used for the departing employee's new role
  • Determine and implement telephone transition plan:
    • Change greeting message
    • Forward telephone calls to another employee in the department
    • Cancel the departing employee's long distance authorization number
  • Request disabling of all non-centrally maintained accounts. This could include departmental servers and services, special research services, external services, and some institutional data systems such as HRMS and SIS.
  • Collect university-issued items, if they were issued to departing employee:
    • Employee ID card
    • Building entry card
    • University credit card
    • Long distance telephone card
    • SafeWord card
    • Building, door and desk keys
    • Computer equipment on loan to use remotely or at home
    • Cellular phone
    • Pager
    • Personal Digital Assistant (PDA)
    • Locker
  • Ensure the departing employee's final timecard is completed
  • Collect the departing employee's forwarding address and contact information in case you need to contact them
  • Remind the departing employee to return the parking permit to the appropriate campus office (Parking Services at IUPUI, Parking Operations at IUB)
  • Inform the departing employee that accounts are disabled seven days after separation from the university; however, some access to self-service information in OneStart remains available. Pay advices and tax forms remain available via the Employee Center until October of the year following termination from the university. Health and dental benefits are discontinued immediately following separation from the university. Remind the departing employee to visit the Benefits Office, if needed.

After the employee's last day:

  • When the HRMS e-Doc processing the separation of the employee from IU is completed, on the date indicated as the separation date, the departing employee will receive a courtesy email message indicating that accounts will be disabled in seven (7) days. All centrally-maintained accounts and their contents are then deleted permanently 180 days later. However, if the employee is also an active student, centrally-maintained accounts will remain active due to the individual's student status. Departmentally-maintained accounts may have different policies.

More Information

More information about the eligibility to use information technology resources at IU can be found on IU policy IT-03.


Can I immediately disable a terminated employee's accounts?

Upon terminating an employee, you can have the employee's accounts immediately disabled with a written request to the managers of those accounts. Reasons for immediate disabling include, but aren't limited to, the following:

  • Concern for safety of departmental or other systems and data
  • Reasonable belief that the terminated employee is involved in illegal activities
  • Reasonable belief that the employee has violated university policy

Written requests to immediately disable accounts managed by UITS are directed to valid@indiana.edu. Before requesting removal of access for staff or faculty who are also students, the department should also consult with the appropriate Dean of Students or equivalent. Don't forget to also notify local department account managers, and account managers for institutional data systems such as HRMS, SIS, FIS, and IUIE.

If the employee is being terminated for cause, you may wish to schedule the account disabling to occur during the termination meeting with the employee, so that accounts are disabled by the time the meeting is over. To arrange this with UITS Accounts Administration, call 812-855-2843 or 317-278-3305. Don't forget to also notify local department account managers. Disabling the UITS netid also immediately disables access to institutional data, but you will need to follow up with those institutional data systems after the meeting to complete the disabling process for those systems.

Under normal circumstances, employee accounts are disabled seven days after official university records (e.g., campus HR data) indicate that the employee has resigned or been terminated. For 180 days after disabling, files associated with the accounts remain in existence, in the event someone needs to recover content.

Tips

To avoid the problem altogether, your department can publish a local policy that defines the acceptable level and nature of incidental personal use. When writing departmental policies, be careful to avoid targeting individuals.

More Information

This information is based on the university's IT policy IT-03.

For consultation in handling particular situations (preferably before taking action), contact your campus human resources office (contact information is available at http://kb.iu.edu/data/akwe.html), your campus employee relations office (812-856-5572 at IU Bloomington, 317-274-8931 at IUPUI), and/or the University Information Policy Office (UIPO) for all campuses.


How can I ensure departing hourly employees no longer have access to departmental resources?

Upon the resignation or termination of hourly positions, you must complete the paperwork that terminates the employment. Otherwise, ex-employees will continue to have access to university and departmental resources (e.g., email, departmental or university computing accounts). If you need help, contact your departmental or campus Human Resources office (for contact information, see http://kb.iu.edu/data/akwe.html).

Under normal circumstances, employees' accounts are disabled once official records (e.g., campus HR data) indicate that employment