Colleague System Access and Security Review Policy

To safeguard University data and ensure it is only accessible to individuals with a legitimate business need, the University is establishing a formal process for periodic review of user access within the Colleague ERP/SIS system. Colleague provides access to sensitive institutional data, including student, financial, and human resources information. Over time, employees may change roles, take on new responsibilities, or no longer require access previously granted. Without regular review, access can accumulate beyond what is necessary, increasing the risk of unauthorized access, data exposure, or audit findings.

Principles

This policy describes a structured, leadership-driven review process to confirm that each employee’s system access remains appropriate. This is not intended to be a technical exercise, but rather a practical and proactive business control that helps:

  • Protect confidential University data

  • Reduce risk of inappropriate access or misuse

  • Ensure compliance with audit and regulatory expectations

  • Maintain alignment between job responsibilities and system permissions

Managers, directors and other key University leaders play a critical role in this process because they are best positioned to determine what access their staff need to perform their job functions.

All user access to Colleague screens must be reviewed on a periodic basis by the appropriate manager or other leader to ensure that access is:

  • Relevant to the employee’s current job responsibilities

  • Limited to what is necessary to perform assigned duties

  • Removed or adjusted promptly when no longer required

Review Frequency

  • Access reviews will be conducted at least annually

  • Additional reviews may be required:

    • Following significant role changes

    • Upon transfer between departments

    • As part of audit or compliance activities

Roles and Responsibilities

Managers / Supervisors

  • Review the list of Colleague screens accessible by each direct report
  • Confirm that access is appropriate based on current job duties
  • Identify any access that should be removed or modified
  • Complete the review within the designated timeframe

Office of Information Technology

  • Provide managers with access review reports
  • Offer guidance on interpreting screen access where needed
  • Process approved access changes in a timely manner
  • Maintain records of completed reviews for audit purposes

Employees

  • Use system access only for legitimate University business
  • Notify their manager of any access that appears unnecessary or excessive

Enforcement

Failure to complete required access reviews in a timely manner may result in:

  • Escalation to senior leadership

  • Temporary suspension of user access where appropriate

  • Increased audit scrutiny

Details

Article ID: 170978
Created: Wed 3/18/26 9:49 AM
Modified: Wed 3/18/26 11:26 AM