SEC-037: Networks, Systems, and Facilities Access & Revocation and the Issue & Return of Tangible Personal Property

Date: 02/05/2016 Status: Final
Last Revised: 02/21/2020
Policy Type: University
Oversight Executive: Vice President and Chief Human Resources Officer
Applies To: Academic Division and the College at Wise.
Reason for Policy:

The University is committed to protecting the safety, security, privacy, and property of the institution. This policy sets forth responsibilities for authorization and revocation of access to University systems and networks and the use and return of University tangible property upon transfer or separation.

Definition of Terms in Statement:
  • Supervisor:

    Any person who has authority to undertake or recommend tangible employment decisions affecting an employee or academic decisions affecting a student; or to direct an employee’s work activities or a student’s academic activities. Examples include faculty members to whom work-study students report and team lead workers who, from time to time, monitor other employees’ performance or direct their work.

  • Tangible Personal Property:

    Property, other than real property, which may be seen, weighed, measured, felt, or touched, or is in any other manner perceptible to the senses. The term "tangible personal property" shall not include stocks, bonds, notes, insurance or other obligations or securities (as defined in VA Code § 58.1-602).

  • Unaffiliated Persons:

    Any person or party who is not an affiliated person (e.g., businesses, non-profit organizations, independent contractors).

  • University Equipment:

    University owned or leased property used to assist in performing an activity or function (e.g., hand tools, power tools, audio-visual equipment, etc.). University equipment does not include University infrastructure (e.g., networks, buildings, etc.); office furnishings that remain in the location designated for their use (e.g., desks, file cabinets, bookcases, etc.); or telephone and computing resources that are covered by other specific policies.

  • University Facility:

    Any defined space of the University, including a room, lab, series of labs, building, or controlled outdoor area.

  • University-Associated Organization (UAO):

    An independent and separately incorporated legal entity, officially recognized by the University, subject to an executed UAO- Memorandum of Understanding (MOU), and meeting all the following criteria:

    • Organized and exists under Virginia law and in good standing with the State Corporation Commission;
    • Qualifies as a tax-exempt organization;
    • Exists and operates for the benefit of the University or one or more of its units by providing one or more of the following support functions: fundraising, asset management, programs and services; and
    • Not an agency, organization, corporation, or unit of the University or the Commonwealth of Virginia.
  • Volunteer:

    An individual permitted under specific conditions to perform activities on behalf of the University, but who is not an employee of the University of Virginia and, therefore, is not generally entitled to the benefits granted to employees.

Policy Statement:

Upon hire, transfer, or termination of an individual, the supervisor (or sponsor) must:

  • Initiate authorization for appropriate access privileges to University networks, systems, and facilities for the employee based upon the employee’s job duties;
  • Authorize issuance of University property to the employee based upon the employee’s job duties;
  • Initiate revocation of access privileges to University networks, systems, and facilities for the employee; and
  • Facilitate the return of tangible personal property (which for this policy, includes University equipment) belonging to the University.

These same requirements apply when utilizing an employee of a University-affiliated organization, an unaffiliated person, or volunteer. (See Section 5 below.)

  1. Authorization for Access Privileges to University Networks, Systems, and Facilities:
    When an individual is hired at the University, whether a new hire or transfer, that individual’s supervisor (or sponsor) is responsible for initiating authorization for appropriate access to:

    1. Networks and Systems:
      Examples of these privileges include access to University IT services, systems and accounts, as well as other University networks. Information Technology Services (ITS) automatically provisions all University employees with access to certain University systems to enable them to perform basic self-service functions (e.g., time reporting and leave requests, reimbursement requests).

      All users of University information technology (IT) resources are required to use them in an ethical, professional, legal, and appropriate manner as required in policy IRM-002: Acceptable Use of the University’s Information Technology Resources.

    2. Facilities:
      Examples of these privileges include the provision of a photo identification (ID) card, building and/or office key(s) (includes a physical key or a key card), a parking permit, etc.

  2. Initiating Revocation of Access Privileges to University Networks, Systems, and Facilities:
    1. Access privileges must be revoked under the following conditions:
      1. Transfer: When an individual transfers within the University, it is the responsibility of the former supervisor (or sponsor) to initiate revocation of access privileges to University networks, systems, and facilities. This includes access to applicable networks (e.g., High Security VPN) and systems, collecting building and/or office key(s), etc.

        [Note: Supervisor action is not typically required to update automatically provisioned access privileges such as basic employee self-service functions like email, human resources and payroll system, etc.]

      2. Separation: When an individual separates from the University, it is the responsibility of the supervisor (or sponsor) to initiate revocation of access privileges to University networks, systems, and facilities and to initiate termination in the appropriate system of record.

        [Note: Separation includes a voluntary or involuntary cessation of employment or engagement of the individual with the University. Examples include, but are not limited to, resignation, retirement, dismissal, expiration of a fixed-term contract, completion of a third-party contract for services, discontinuation of services by a student or temporary employee, and layoff.]

    2. Revocation of access to networks, systems, and facilities should generally be initiated on the day of separation but no later than the day after the effective date of an individual’s transfer or the last day of employment/commitment for separations. The supervisor (or sponsor) is responsible for notifying a privilege-granting department(s) of necessary revocations in advance of the separation date to allow the department(s) to process the revocation request in a timely manner. A select few privileges may extend beyond the employee’s commitment to the University. For example, an ex-employee will be allowed to access and download their own W-2, Wage and Tax Statement.

      The supervisor (o sponsor) should also know the grace periods associated with an individual’s role and take that into consideration in initiation of revocation of access. An individual terminated for cause or other involuntary separation should be discussed with HR in advance of an individual’s separation.

  3. Authorization for Issuance of Tangible Personal Property belonging to the University:
    When an individual starts work at the University, whether a new hire or transfer, that individual’s supervisor (or sponsor) is responsible for facilitating the issuance of tangible personal property belonging to the University that is necessary for the individual to perform their duties. This includes, but is not limited to, electronics such as a laptop, tablet, hard drive, or digital planner; office equipment; mobile phone; Travel & Expense Card; etc.

  4. Facilitating the Return of Tangible Personal Property belonging to the University:
    Supervisors (or sponsors) must facilitate the return of tangible personal property (including University equipment) belonging to the University. Such property must be collected when the individual no longer needs it to perform their duties but no later than the day after transfer or separation. (For information on return of the Travel and Expense Card, refer to policy FIN-044: Use of the University Travel and Expense Card.)

    All property must be returned in the same condition in which it was issued except for normal wear-and-tear. The value of any damaged, lost, or broken property (or the cost of repairs) will be borne by the individual to whom it was issued.

  5. University-Affiliated Organizations (UAOs), Unaffiliated Persons, and Volunteers:
    The requirements noted above must be adhered to when utilizing an employee of a University-affiliated organization, an unaffiliated person (this includes contractors, consultants, visiting faculty, research collaborators, government officials, or other sponsored individuals, etc.), or volunteer who require access to networks, systems, and facilities and/or use of University tangible personal property (including University equipment) to fulfill their commitment to the University.

    The supervisor (or sponsor) has the responsibility of communicating to these individuals that all applicable University policies, standards, and procedures must be adhered to as well as federal, state, and local laws.

    A select few privileges may extend beyond the UAO employee’s, unaffiliated person’s, or volunteer’s commitment to the University.

  6. Supervisor Responsibility for Identifying Segregation of Duty and Appropriate Access:
    Supervisors (or sponsors) are responsible for identifying segregation-of-duty conflicts in technology-related responsibilities to prevent potential systems misuse. (See policy GOV-002: Reporting Fraudulent Transactions.)

    Upon initial determination that a conflict exists and at least annually thereafter, the supervisor (or sponsor) must take appropriate action to prevent, mitigate, or manage the risk of inappropriate access or actions.

    Supervisors (or sponsors) must remind the individual annually of the obligation to report potential conflicts.

  7. Employee Responsibility to Disclose and Manage Conflicts of Interest:
    Individuals with access to University systems must disclose to their supervisor (or sponsor) any potential conflicts related to their access to information or ability to transact in a University system containing sensitive or highly sensitive data. For example, an individual who has access to a University system that records grades or student financial information and is also a parent of an enrolled student must disclose that potential conflict.

  8. Annual Audit and Review:
    User access to all University systems of record and any system used to process, store, transfer, or access highly sensitive data must be re-verified annually. (See policy IRM-003: Data Protection of University Information for the definition of highly sensitive data.) This includes but is not limited to current systems in use such as: Workday, the Student Information System (SIS), and Oracle.

  9. Compliance with Policy:
    Failure to comply with requirements of this policy may result in disciplinary action up to and including termination in accordance with relevant University policies. Any misuse of data or IT resources may result in limitation or revocation of access to University IT resources.

    Violation of this policy may also violate federal, state, or local laws.

    Questions about this policy should be directed to Compliance (UVA HR) or UVA Human Resources.

Procedures:

Salaried Staff and Wage Employees: Offboarding Toolkit
Faculty: Faculty Departure Checklist
IT Checklist for Leaving UVA

Related Information:

FIN-044: Use of the University Travel and Expense Card
FIN-054: Employee Obligation to Report Potential Conflicts of Interest
GOV-002: Reporting Fraudulent Transactions
HRM-002: Issuance and Use of University Identification Cards
IRM-002: Acceptable Use of the University’s Information Technology Resources
IRM-003: Data Protection of University Information
SEC-038: Management of the University Keyed System (Key and Lock Policy)

Information on Sponsored Accounts
Information on User Roles and Descriptions [link to be added]
Parking & Transportation – for parking permits, including service vehicle parking.
University ID Card Office

ACC-002: Health System Identification
ACC-402: Access Control to Health System Facilities
HR405: Separation from Employment

Major Category: Safety, Security and Environmental Quality
Next Scheduled Review: 02/21/2023
Approved by, Date: Policy Review Committee, 02/05/2016
Revision History: Edited Section 7 4/15/20; Revised 2/21/20; Updated definition 5/15/19.
Supersedes (previous policy):
SEC-037: Access Priviledges and Return of University Property; Responsibility of Managers and Other UVa Officials for Access Privileges