Policy 7230A - Department of Administration
Policy 7230A - Department of Administration
Policy 7230A - Department of Administration
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
• Review created accounts and assigned permissions to ensure<br />
they meet the specifications as per the role.<br />
11.2.3. Transfer Employees in a Structured Fashion<br />
Employees that change positions should be reviewed according to their new<br />
position and have their system accounts and permissions reviewed:<br />
11.2.3.1 Conduct Employee Screening<br />
Should an existing employee transfer to a position that carries a<br />
higher risk categorization, additional background screening is<br />
required. Additional screening is not required for transfer to a<br />
position with either an equivalent or lower risk categorization:<br />
• Review the risk level <strong>of</strong> the old and new roles and determine<br />
whether the risk categorization increases or decreases.<br />
• If risk categorization increases, conduct the appropriate<br />
screening for a role <strong>of</strong> that risk categorization.<br />
11.2.3.2 Review Assigned and Required Accounts and Permissions<br />
Cross reference the accounts and permissions <strong>of</strong> the pre and posttransfer<br />
roles, documenting where adjustments need to be made:<br />
• Review positional role(s) to which the transferred employee<br />
had been assigned and catalogue accounts and permissions.<br />
• Review positional role(s) to which the transferred employee<br />
will be assigned and catalogue accounts and permissions.<br />
• Cross-reference the catalogued accounts an permissions,<br />
noting which account(s) and permissions need to be<br />
revoked/reduced, provisioning/enhanced, do not need to be<br />
adjusted.<br />
11.2.3.3 Revoke Accounts and Permissions that are no Longer Valid<br />
The accounts <strong>of</strong> transferred employees that are no longer necessary<br />
must be revoked to eliminate the possibility <strong>of</strong> illicit system access,<br />
however the data the transferred employee may have created must<br />
be preserved:<br />
• Revoke access to and eliminate permissions within all<br />
accounts assigned to the terminated employee.<br />
• Assign access with review only privileges for all accounts<br />
assigned to the transferred employee to that employee’s pretransfer<br />
immediate manager for a pre-defined period <strong>of</strong> time.<br />
• During this time and at the request <strong>of</strong> the account assignee,<br />
provide copies <strong>of</strong> any data originally owned exclusively by the<br />
transferred employee to the account assignee.<br />
• Upon expiry <strong>of</strong> this time and at the direction <strong>of</strong> the Human<br />
Resources department <strong>of</strong> the transferred employee,<br />
permanently delete all accounts <strong>of</strong> the transferred employee.<br />
39