Removing system access when employees or former employees no
longer need that access is a fundamental internal control protecting our enterprise
applications and data. Annual audits by the State of Illinois Office of the
Auditor General (OAG), as well as federal granting agencies, support the
expectation that the University will remove access to enterprise systems in a
timely manner.
We ask for your assistance in educating and reminding staff of the
importance of removing access in a timely manner in order to ensure strong
cybersecurity controls.
Please note:
- Best practice is to remove access to enterprise systems within one business day, but no later than seven business days, after an employee separates, changes jobs, takes extended leave, or otherwise no longer needs the system access. It is critical that this be followed consistently for access to systems such as Banner, iBuy, Emburse, Epic, HR Front End, and the Enterprise Data Warehouse. Late access removal could present significant risks and data security concerns. Additionally, persistent audit findings could result in the loss of critical funding and grant opportunities.
- In certain circumstances, it may be appropriate to request that a former employee maintain system access for a limited amount of time after separation. At your direction, your Unit Security Contact (USC) can submit a “Keep Access Request.” Remember to also inform your USC when the access is no longer needed. The Keep Access Request remains in effect until the USC submits a “Remove All Access” request.
- Questions about removing access may be directed to AITS System Access Management at aazsecu@uillinois.edu. For Epic, call 312-413-7717 or email ishelp@uic.edu.
Please share this reminder with your managers, Unit Security
Contacts, and staff with employment processing responsibilities in your
department.
Thank you for your assistance in reinforcing this priority.
Jami Painter
Senior Associate Vice President and Chief Human Resources Officer