IT Account Management
Inactive MKUH accounts
Inactive accounts or accounts that have never logged in to a machine pose a security risk to organisations. Each one of these accounts offers a malicious actor (hacker) an opportunity to gain access to resources. When inactive accounts are not monitored, a malicious actor can compromise one and remain hidden from IT staff. Best practices and standards require that these accounts are removed or disabled within a set amount of time.
MKUH IT runs weekly reports on accounts that have been inactive for 40 days* or more and blocks these accounts. If the staff member is still active in ESR, then the account is just blocked until the staff member requires access. If the staff member has left MKUH, then we would follow the Leaver process and the account would be retained for a further 90 days and then purged.
Think of it this way: imagine MKUH is a kingdom in medieval times. Each account that is given out or created is a member of our kingdom that has keys to the city. A key (or account) could topple the entire kingdom, because other kingdoms or bandits (malicious actors) want to get into our kingdom to steal anything of value. The more keys (or accounts) we can remove from circulation, the more secure our kingdom is.
🔐🏰🔐
How do I get an account enabled?
If you have an MKUH staff member whose account has been blocked, please log the following SR asking for the account to be re-enabled: Extend / Enable Account
For Agency**, Locum or Contractors**: please speak with HR in the first instance, who will raise the extension directly with us in IT. This way we can be sure that the worker is compliant.
Important information about leavers
Leaving a substantive role, but remaining on bank: all permissions on the account will be stripped and replaced with a default setup. If bank staff start in your department, it is the manager's responsibility to let IT know of the change in job role and any required permissions.
Leaving Bank but remaining as a Student, or Agency, Locum or Honorary Contract: This requires an IT Access Request form to be completed, so we have a record of the new contract type. You can add any Smartcard changes required at the same time, under the additional Items section.
Leaving the trust entirely: It is the manager's responsibility to ensure all work-related data is handed over to a communal access area (MS Teams / SharePoint Site / MS Forms) before an employee leaves their role.
Leavers' accounts and ALL data are purged 60 days after their leave date. Requests to restore accounts or data will not be possible once an account has been deleted.
*As of July 2022, the inactive account process was changed from 90 to 40 days, as we are at a higher risk of cyber attack.
**Agency and contractor accounts are only valid for a 90-day period from the request date. If no extend / enable request is received in a timely manner, the MS Office license will be revoked, meaning the mailbox will be deleted until such time as the person returns or the account is purged.