claudetools/clients/cascades-tucson/docs/security/termination-procedures.md
Howard Enos 5019db4558 sync: auto-sync from HOWARD-HOME at 2026-04-24 14:31:14
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-04-24 14:31:14

Cascades of Tucson — Workforce Termination Procedures

Built: 2026-04-24 by Howard (ClaudeTools session) — closes Track B B4 in PLAN-AND-QUESTIONS-2026-04-24.md
Owner: Security Official (Mike Swanson / Howard Enos) + CE leadership (Meredith Kuhn)
Review cycle: Annual, or when a named system changes
HIPAA reference: 45 CFR §164.308(a)(3)(ii)(C) Termination Procedures (Required) + §164.316(b)(2) Documentation Retention (Required, 6 years — Cascades posture: 7 years)


Policy statement

When a Cascades workforce member separates (voluntary or involuntary), their access to ePHI and Cascades systems must be promptly revoked, and their employment-period records must be preserved for at least 7 years from the date of their last activity or creation (whichever is later). No workforce member's mail, file-share presence, or audit trail may be destroyed prior to the end of the retention clock.


Why 7 years (HIPAA + 1)

HIPAA §164.316(b)(2) requires 6 years minimum. Cascades adopts 7 years to (a) buffer against state-law retention overlays (AZ medical records = 7 years post-last-encounter), (b) accommodate civil statute-of-limitations carry-over, and (c) provide a safety margin before any irreversible destruction.


Procedure — at termination

Follow this sequence on the last day of work (or as soon as termination is confirmed for involuntary cases):

Step 1 — Disable sign-in (day-of)

  • Active Directory: Disable user account (Disable-ADAccount -Identity <user>). Move to OU=Excluded-From-Sync if they were previously synced, so Entra Connect drops the hybrid mapping.
  • Microsoft 365: Block sign-in (Set-MsolUser -UserPrincipalName <upn> -BlockCredential $true or equivalent Graph call). Revoke active sessions (Revoke-MgUserSignInSession).
  • ALIS: In ALIS admin, disable staff profile. If they were linked via Entra SSO, the SSO tie is severed automatically when their M365 sign-in is blocked, but the ALIS staff record stays for audit.
  • File shares / VPN / ScreenConnect / anything else: Revoke per the access matrix in docs/security/implementation-register.md.
  • Remove from distribution groups, shared-mailbox delegations, shared-phone MSDM roster.

Step 2 — Preserve (within 24 hours)

  • M365 mailbox: Convert to Shared Mailbox (Set-Mailbox -Identity <upn> -Type Shared). Shared mailboxes do not require a license under 50 GB and are not at risk of default-retention deletion.
  • Remove M365 licenses after shared-mailbox conversion. Free the seat.
  • Apply Litigation Hold if the tenant has Exchange Online Plan 2 (comes with Business Premium):
    • Set-Mailbox -Identity <upn> -LitigationHoldEnabled $true -LitigationHoldDuration 2557 -LitigationHoldDate (Get-Date)
    • 2557 days = 7 years.
    • Cascades currently on Business Standard → Litigation Hold not available until tenant-wide Business Premium purchase (see Q21 in master plan). Interim posture: shared-mailbox conversion + zero deletion = functionally preserves records under default MRM retention.
  • Hide from Global Address List (Set-Mailbox -HiddenFromAddressListsEnabled $true). Active staff shouldn't see former-employee addresses in autocomplete.
  • Configure forwarding to successor(s) if there is ongoing external correspondence (vendor invoices, client relationships). Forwarding does NOT satisfy retention on its own — the original mailbox must still exist.

Step 3 — Document (within 7 days)

  • Update the employee record in Cascades HR with termination date, reason (voluntary/involuntary), access revocation confirmation, mailbox preservation status.
  • Entry in docs/issues/log.md or termination ledger: user, date, systems cleaned, who performed the work.
  • Add to the 7-year retention tracker (spreadsheet or doc listing preserved mailboxes + deletion-eligible date): retention-eligible = termination_date + 7 years.

Step 4 — Annual review (every anniversary of their termination)

  • Verify the shared mailbox still exists (no accidental delete)
  • Verify Litigation Hold is still enabled (if applicable) and not near expiry
  • For employees whose retention window has elapsed:
    • Privacy Officer review: any pending subpoena, audit, or litigation? If yes, extend hold.
    • If clean: formal decision to either (a) export to offline archive (PST → immutable storage) and then delete, or (b) delete in place.
    • Document the destruction decision in the retention tracker.
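The following is an added example (not Cascades' own tooling) that runs Steps 1 and 2 above for one workforce member in preservation-first order and emits the Step 3 ledger line. It assumes the ActiveDirectory, Microsoft.Graph and ExchangeOnlineManagement modules are installed and that Connect-MgGraph and Connect-ExchangeOnline have already been run; the OU distinguished name, the tracker path and the sample identities are placeholders.

```powershell
# Added example: preservation-first offboarding (Steps 1-2), not Cascades' own script.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,   # on-prem AD identity (placeholder)
    [Parameter(Mandatory)] [string] $Upn,              # cloud UPN, e.g. user@example.invalid (placeholder)
    [string] $ExcludedOu = "OU=Excluded-From-Sync,DC=example,DC=invalid",  # placeholder DN
    [string] $ForwardTo,                               # optional successor UPN
    [string] $TrackerPath = ".\retention-tracker.csv"  # placeholder tracker location
)

# Step 1: disable sign-in everywhere before touching the mailbox.
$adUser = Get-ADUser -Identity $SamAccountName
Disable-ADAccount -Identity $adUser
Move-ADObject -Identity $adUser.DistinguishedName -TargetPath $ExcludedOu   # Entra Connect drops the mapping
Update-MgUser -UserId $Upn -AccountEnabled:$false                            # block cloud sign-in
Revoke-MgUserSignInSession -UserId $Upn | Out-Null                           # invalidate refresh tokens

# Step 2: preserve first, then free the seat. Order matters: an unlicensed user
# mailbox is exposed to default deletion, a shared mailbox is not.
Set-Mailbox -Identity $Upn -Type Shared
$mbx = Get-Mailbox -Identity $Upn
if ($mbx.RecipientTypeDetails -ne 'SharedMailbox') {
    throw "Refusing to remove license: $Upn is still $($mbx.RecipientTypeDetails)"
}
$skus = (Get-MgUserLicenseDetail -UserId $Upn).SkuId
if ($skus) { Set-MgUserLicense -UserId $Upn -RemoveLicenses $skus -AddLicenses @() | Out-Null }

# Litigation Hold needs Exchange Online Plan 2; on Business Standard the cmdlet
# fails, so record the gap in the ledger instead of silently continuing.
$holdApplied = $false
try {
    Set-Mailbox -Identity $Upn -LitigationHoldEnabled $true -LitigationHoldDuration 2557 `
        -LitigationHoldDate (Get-Date) -ErrorAction Stop   # 2557 days = 7 years
    $holdApplied = $true
} catch { Write-Warning "Litigation Hold not applied to ${Upn}: $($_.Exception.Message)" }

Set-Mailbox -Identity $Upn -HiddenFromAddressListsEnabled $true
if ($ForwardTo) {   # forwarding is a convenience only; the original mailbox stays
    Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $ForwardTo -DeliverToMailboxAndForward $true
}

# Step 3 input: one ledger row for the 7-year retention tracker.
$now = Get-Date
[pscustomobject]@{
    User = $Upn; TerminationDate = $now.ToString('yyyy-MM-dd')
    RetentionEligible = $now.AddYears(7).ToString('yyyy-MM-dd')
    SharedMailbox = $true; LitigationHold = $holdApplied; PerformedBy = $env:USERNAME
} | Export-Csv -Path $TrackerPath -Append -NoTypeInformation
```

The script never calls Remove-MgUser or Remove-Mailbox; the user object stays so the mailbox can never enter the soft-delete window by this path.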

What NOT to do

  • Do not delete a workforce member's M365 user object directly. Deletion puts the mailbox in a 30-day soft-delete window — if not recovered within that window, all content is permanently destroyed. For a covered entity handling PHI, that is a §164.316(b)(2) violation and potentially a §164.308(a)(1)(ii)(A) Risk Analysis failure for not having identified that risk.
  • Do not rely on default MRM retention alone without converting to shared. A licensed user mailbox whose license is removed can have content auto-deleted by default Exchange policies. Shared mailboxes are safer.
  • Do not allow the 30-day soft-delete window to lapse after an inadvertent delete — restore and remediate before day 30.
  • Do not skip Step 2 preservation even for "short-tenure" or "never-logged-in" accounts. If the account existed in production long enough to have any ePHI touch, the retention clock applies.
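Added example (not Cascades' own tooling) that automates the Step 4 annual checks and the soft-delete caveat above: it lists every mailbox currently inside the 30-day soft-delete window with the days left before permanent purge, and verifies that each tracked former-employee mailbox still exists, is still shared, and flags elapsed retention clocks for Privacy Officer review rather than acting on them. It assumes Connect-ExchangeOnline has been run and a tracker CSV with at least the columns User and RetentionEligible (column names are an assumption).

```powershell
# Added example: retention watchdog for Step 4, not Cascades' own script.
param(
    [string] $TrackerPath = ".\retention-tracker.csv",  # placeholder path
    [int]    $WarnDays    = 7                           # escalate when this few days remain
)
$today    = Get-Date
$findings = New-Object System.Collections.Generic.List[object]

# Check 1: every soft-deleted mailbox is a pending permanent loss at day 30.
foreach ($d in Get-Mailbox -SoftDeletedMailbox -ResultSize Unlimited) {
    $daysLeft = 30 - [int][math]::Floor(($today - $d.WhenSoftDeleted).TotalDays)
    $sev = if ($daysLeft -le $WarnDays) { 'HIGH' } else { 'MEDIUM' }
    $findings.Add([pscustomobject]@{ Severity = $sev; User = $d.PrimarySmtpAddress
        Finding = "Soft-deleted; $daysLeft day(s) before purge. Restore, then run Step 2." })
}

# Check 2: every tracked mailbox must still exist and still be a shared mailbox.
foreach ($row in Import-Csv -Path $TrackerPath) {
    $mbx = Get-Mailbox -Identity $row.User -ErrorAction SilentlyContinue
    if (-not $mbx) {
        $findings.Add([pscustomobject]@{ Severity = 'HIGH'; User = $row.User
            Finding = 'Tracked mailbox not found; check the soft-delete list immediately.' })
        continue
    }
    if ($mbx.RecipientTypeDetails -ne 'SharedMailbox') {
        $findings.Add([pscustomobject]@{ Severity = 'MEDIUM'; User = $row.User
            Finding = "Mailbox type is $($mbx.RecipientTypeDetails), not SharedMailbox." })
    }
    if (-not $mbx.LitigationHoldEnabled) {
        $findings.Add([pscustomobject]@{ Severity = 'LOW'; User = $row.User
            Finding = 'No Litigation Hold (expected until Business Premium); zero-deletion posture applies.' })
    }
    # Check 3: elapsed retention clock means a review decision, never an automatic delete.
    if ([datetime]$row.RetentionEligible -le $today) {
        $findings.Add([pscustomobject]@{ Severity = 'REVIEW'; User = $row.User
            Finding = "Retention window ended $($row.RetentionEligible); Privacy Officer decision required." })
    }
}
$findings | Sort-Object Severity | Format-Table -AutoSize
```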

Incident documentation

Incident IR-2026-04-24-001 — Improper deletion of 7 orphan mailboxes

What happened: On 2026-04-22 as part of a pre-Entra-Connect orphan cleanup, 7 M365 user mailboxes were deleted: ann.dery, anna.pitzlin, jeff.bristol, jodi.ramstack, kristiana.dowse, nela.durut-azizi, nick.pavloff. The deletion was HR-confirmed at the time but did not follow the preservation-first procedure described above.

Why it was wrong: The 7 mailboxes contained (or plausibly contained, given their roles) ePHI or operationally-relevant correspondence. Deleting them without Litigation Hold, retention policy, or shared-mailbox conversion placed them at risk of permanent destruction at day 30.

Recovery: On 2026-04-24 at day 2 of the 30-day soft-delete window, all 7 were restored via Graph API (Restore-MgDirectoryDeletedItem). Evidence: reports/2026-04-24-jeff-restore-ashley-access.md and follow-on retention report.

Post-recovery actions (in progress at time of writing): Convert each to shared mailbox, remove Jodi Ramstack's unnecessary Business Standard license ($12.50/mo recurring), hide all from Global Address List, place on Litigation Hold when Business Premium is live, enroll all 7 in the 7-year retention tracker with source-date = their original 2026-04-22 deletion date.

Preventive control: This document (termination-procedures.md) and training on it. Future orphan cleanups must follow the preservation-first procedure.

Signed-off: [Security Official signature + date] / [CE leadership signature + date]


References

  • PLAN-AND-QUESTIONS-2026-04-24.md Track B (B4)
  • docs/security/hipaa-review-2026-04-22.md
  • docs/security/risk-analysis-2026-04.md
  • reports/2026-04-22-m365-orphan-deletes.md (the flawed action this doc remediates)
  • reports/2026-04-24-jeff-restore-ashley-access.md + follow-on retention report