In response to an audit performed by PricewaterhouseCoopers LLP, opportunities were identified to strengthen information system controls at the University of Missouri-St. Louis. The auditors identified a need to develop procedures for the timely removal of user IDs for terminated employees.
Information Technology staff members propose the following procedures:
Step 1: On the first business day of each month, the Exchange Email Administrator will run a report of staff employees shown as terminated during the previous month.
On the first business day of April and October, the Exchange Email Administrator will run a report of faculty shown as terminated since the previous list was run.
Step 2: The Exchange Email Administrator will compare the terminated employee list to the list of known exceptions. This will result in the creation of a third list containing the names and email addresses of those individuals who are no longer employed and are not currently covered by an exception letter.
Step 3: The Exchange Email Administrator will then send an email to each terminated employee's Exchange mailbox or global address book entry and copy the head of that employee's department. This email will notify them that the terminated employee's computer accounts will be deleted on the first business day of the following month. Employee computer accounts include but are not limited to Unix, Exchange, NT, Novell, CBT and dialup accounts.
Department heads may apply for exception status for terminated employees. The request should be made in writing to the Associate Vice Chancellor for Information Technology Services. The letter must contain the terminated employee's name as it appears in the payroll/personnel system, the length of the requested continuance, a statement reflecting the nature of the relationship between the employee and the university, and the department chair's signature. The continuance is defined as a grace period. At the end of this grace period, the computer accounts will be deleted unless the department head again requests a continuance.
A Professor with Emeritus status can request continued computer account access without a letter from a department chair. An Emeritus Professor should write a letter to the Associate Vice Chancellor for Information Technology Services directly. No time limit is associated with such a request.
Step 4: The letters are filed in alphabetical order in the Exchange Administrator's office. During the next audit, the letters are provided to the auditors to use for reconciling the computer accounts belonging to individuals whose information cannot be found in the payroll/personnel system.
Step 5: On the first business day of the following month, the Administrator will then delete Exchange and NT accounts. The Administrator will provide the list to all of the other Information Technology Services computer account administrators. The pertinent accounts are deleted.
This process will occur monthly for staff members, but only twice a year for faculty members. This difference occurs because of the large number of contract faculty members.