Policy Manual

 
  6.MEP.10  

Termination of Access to Electronic Information      

Type: Procedure                 Category: Information Technology                 Level: Community Care 

Parties: Community Care employees, contractees, volunteers and interns.


Supporting References: HIPAA Security 164.308(a)(3); Generally Accepted Principles and Practices for Securing Information Technology Systems (NIST)

Parent: 6.ME.31                 Effective Date: 1-31-2005                 Approval Level: Department Head                 Revision Dates: 10/3/03                 Last Reviewed: 1-31-2005
Related Document Code Related Document Name Type
6.MEP.13 Data Storage and Retention Procedure

Procedure:

1.0            Responsibilities and Authority - Administrative Services Manager, Information Technology Department

2.0            Definitions -

2.1            SMTP (Internet) - e-mail address

2.2            .pst - type of archive file used within MS Outlook

3.0            Procedure -

3.1            HR will notify IT of employment or contract terminations in writing. Team Management/Supervision will notify IT of the departure of all interns/volunteers. FCDs are responsible for the maintenance of the Homes database, which will trigger an automated notification to IT of a home leaving the Agency. Information will include:

3.1.1       Full name of terminated person/intern.

3.1.2       Last date of contract or employment.

3.1.3       Any special handling required.

3.2            Upon receipt of a termination notice, IT staff will do the following:

3.2.1       Set the network account to expire on the last date of employment or contract or immediately, as required.

3.2.2       Disable the account the day after the last date of employment or contract or immediately, as required.

3.2.3       Move the account's primary SMTP (Internet) address to the supervisor's account.

3.2.3.1  Remove and delete account 90 days after termination.

3.2.4       Move any extraneous SMTP (Internet) addresses (e.g., info@caredev.org) to appropriate users. If not known, contact HR for further instruction.

3.2.5       Hide the email account from the Exchange address book.

3.2.6       Delete the user's profile from terminal servers.

3.3            Special Circumstances

3.3.1       In the event special circumstances exist, additional precautions will be taken.

3.3.1.1  If the user is terminating under unfriendly conditions, particular attention will be paid to verifying that all privileges have been removed effective immediately following the termination. HR will work with IT to ensure that electronic and physical access has been removed.

3.3.1.2  If the user is a super-user or administrator possessing elevated privileges:

3.3.1.2.1       Those privileges will be identified.

3.3.1.2.2       Passwords/accounts to which the user had access or of which the user had knowledge will be changed immediately or at the earliest practical time.

3.3.1.2.3       Physical access to sensitive items or locations will be removed.

3.4             On a monthly basis, IT system administrators will audit all cases of account terminations, performing the deletions required by 3.2.3.1 and 3.2.7.