Approver(s):
Authorizes Release:
Responsible Area:
Review Cycle:
Last Review:
Related Policies and Additional References:
Introduction
In our commitment to ensuring the security, accessibility, and integrity of our University’s information systems, the Account Provisioning and Retention policy has been established to provide clear guidelines for the creation, management, and termination of user accounts. This policy aims to safeguard sensitive data, maintain compliance with regulatory requirements, and support the seamless operation of academic and administrative functions. By defining standardized procedures for account provisioning and retention, we seek to mitigate risks associated with unauthorized access and data breaches while ensuring that our university community has the appropriate access needed to fulfill their roles effectively.
Purpose
This policy establishes the standards and procedures governing the creation, retention, and deletion of user accounts for email and network access at St. Mary’s University. Its core objectives are:
- Facilitate secure and seamless communication and access to essential university systems for authorized individuals.
- Outline criteria and timelines for provisioning, retaining, and revoking user accounts based on affiliation status.
- Ensure proper allocation and management of the university’s email and network resources.
- Mitigate security risks associated with unauthorized or inactive accounts.
- Maintain compliance with relevant laws, regulations, and industry best practices related to information security and data privacy.
Procedure
St. Mary’s University leverages Microsoft 365 to provide email services, offering features such as email, calendaring, SharePoint, and OneDrive. Email accounts follow a structured naming convention: username@stmarytx.edu for employees, username@mail.stmarytx.edu for students, and username@alum.stmarytx.edu for alumni.
Network services encompass a broad spectrum, including access to select university-wide systems, wireless and wired networks, network drives, and other resources requiring St. Mary’s login credentials. The utilization of St. Mary’s email for university communications and the access provided by account credentials are integral to supporting employees and students in their work and academic pursuits. It is crucial to acknowledge that email and network services access is a finite resource, requiring meticulous management to strike a balance between necessary access, risk mitigation, and optimal allocation of staff and other resources.
This policy provides detailed charts that elucidate the timelines for account creation and deletion, along with highlighting retention requirements, ensuring a structured and secure approach to the lifecycle of user accounts.
Scope
This policy governs the creation, retention, and deletion of user accounts for email and network services at St. Mary’s University. It applies to all individuals who are granted access to the university’s email and network resources, including but not limited to students, faculty, staff, contractors, consultants, and volunteers.
Objectives
- Ensure secure and timely provisioning of user accounts for authorized individuals.
- Maintain proper access controls and account management procedures.
- Define clear guidelines for account retention and deletion based on user status and affiliation with the university.
- Protect the university’s information assets by promptly revoking access for individuals who no longer require it.
- Comply with relevant laws, regulations, and industry best practices related to information security and data privacy.
Account Creation
| Community group | Account and services access enabled |
| --- | --- |
| Students | New student accounts are created within one week of acceptance to the University. |
| Faculty, staff, and contingent faculty | New accounts for these groups will be initiated upon notification from the Office of Information Services, triggered by the start date information provided by Human Resources. Account credentials will be made available before the individual’s arrival whenever feasible. |
Account Retention and Deletion
The retention and deletion of user accounts will be handled according to the user’s affiliation and status with the university, as outlined in the detailed chart “Account Lifecycle” provided in this policy document.
Considerations:
- Accounts for terminated employees, disciplined students, and non-returning contingent faculty will be disabled immediately upon separation.
- Accounts for alumni, retired faculty/staff, and emeriti will be retained for a specified period or lifetime, subject to inactivity thresholds.
- Inactive accounts will be disabled after 180 days of inactivity and permanently deleted after an additional grace period.
Account Lifecycle

| Category | Reason for separation | Retention period: Email and Network Services |
| --- | --- | --- |
| Applicants | | 13 months from the semester they applied for. |
| Students | Leave of Absence Non-Disciplinary | 13 months from the last semester attended. |
| Students | Disciplinary | None |
| Alumni | | 13 months after graduation |
| Faculty and staff | Voluntary | None ** |
| Faculty and staff | Termination | None ** |
| Contingent faculty | Returning | Disabled; enabled upon return; deleted after 9 months of inactivity. |
| Contingent faculty | Adjuncts, Visiting, Part-time | Disabled at the end of contract obligation |
| Contingent faculty | Non-returning | None |
| Faculty – Non-Emerita/Emeritus; staff < 25 years | Retirement | Lifetime; removed if inactive for 6 months. * |
| Faculty – Emerita/Emeritus; staff 25+ years | Retirement | Lifetime; removed if inactive for 6 months. * |
| Volunteer | End of service | Monthly Review. Disabled after 13 months. |
| Consultants / Contractors *** | End of Contract | None |

Library privileges at the Blume Library for emeriti faculty include reference support, access to physical and electronic resources, and borrowing privileges including interlibrary loan.

\* Inactive email accounts will be disabled after 180 days without an active login by the account owner (an account is not considered active if it is only used to forward email to another account). An email notification will be sent, and the account owner will have 30 days to access the account at which point the account will be deactivated. The account will be fully removed from the system 90 days later and the contents will be unrecoverable.

\*\* Accounts will remain active under management supervision for business continuity, but no network access will be provided for these accounts.

\*\*\* Consultants must adhere to the Third-Party Vendor Access Policy.
Non-Employee Categories Privileges
Access privileges for non-employees, such as contractors, volunteers, and visitors, will be granted on a case-by-case basis, based on their role and the specific requirements of their engagement with the university. The policy outlines the various categories of non-employees and their corresponding access levels.
| Category | Gateway Portal Access | Library Privileges | Athletic Facilities Access | Entitlements |
| --- | --- | --- | --- | --- |
| Aramark | No | No | No | Parking Permit |
| Barnes and Noble | No | No | No | Parking Permit |
| Marianist (religious) | Yes | Yes | Yes | ID Card, Email |
| Marianist (staff) | No | No | No | Parking Permit |
| Temp Agency Employee | Per department pending job duties | No | No | Parking Permit |
| Military Science, ROTC | Approval of Work Study timesheets only | Yes | Yes | ID Card, Email, Parking Permit |
| Volunteers | No | No | No | ID Card, Parking Permit |
| Law Scholars / Visiting Student | Per department needs | Yes, Law Library only | Yes | ID Card, Email |
| Retiree | No | No | Yes | ID Card, Email, Parking Permit |
| Law School: Sr. Professors (Retired with part-time pay) | Yes | Yes | Yes | ID Card, Email, Parking Permit |
| Law School: Sr. Professors or Emeritus (Retired, but volunteering – unpaid) | No | Yes | Yes | ID Card, Email, Parking Permit |

Library privileges at the Blume Library include reference support, access to physical and electronic resources, and borrowing privileges including interlibrary loan. Off-campus access to databases is not permitted for non-employees and non-students.
Definitions
Account Deletion: The process of permanently removing a user account and revoking all associated access privileges.
Account Owner: The individual authorized to use a particular user account and responsible for maintaining the confidentiality of their account credentials.
Account Provisioning: The process of creating and granting access to user accounts for email and network services.
Account Retention: The practice of maintaining active user accounts for a specified period based on the individual’s affiliation with the university.
Contingent Faculty: Faculty members employed on a temporary or contract basis, such as adjuncts, visiting professors, or part-time instructors.
Emeriti: Retired faculty members who have been granted emeritus status, typically in recognition of their distinguished service to the university.
Inactivity Threshold: The period of inactivity after which an account is considered inactive and subject to disabling or deletion.
Library Privileges: University patron privileges at the Blume Library include reference support, access to physical and electronic resources, and borrowing privileges including interlibrary loan.
Non-Employee: Individuals who are not directly employed by the university but may require access to specific resources or facilities, such as contractors, consultants, volunteers, or visitors.