One Step Ahead
November 14, 2006, Volume 53, No. 12
Another tip in a series provided by the Offices of Information Systems & Computing and Audit, Compliance & Privacy.
Who Has Access to Systems? Think about it!
Many—maybe most—people at Penn have a need for access to information systems with some sort of confidential data. But think about who, in most cases, doesn’t need and shouldn’t have that access:
• Terminated employees
• Employees who haven’t used the system in a very long time
• Employees who have changed job functions and no longer need access for their new role
Shutting down an account that is no longer needed goes a long way toward protecting the privacy of the data in that system.
System owners should periodically—at least quarterly—review access privileges and eliminate unnecessary accounts. In addition, supervisors should ensure that as employees leave the University or change jobs, system access for those employees is reviewed and, where appropriate, terminated.
For assistance, contact:
Data Administration, Amy Miller at firstname.lastname@example.org
Human Resources, Gary Truhlar at email@example.com
For additional tips, see the One Step Ahead link on the Information Security website: www.upenn.edu/computing/security/.