Managing inactive accounts

Aug 5, 2024

Six months ago we implemented the disabling and/or deleting of inactive accounts. This is a “good practice” security measure recommended for all technology systems that care about security and data privacy. The default policy is to disable inactive accounts after a period of six months; however, each school can configure this period according to its own security policy.

What are Inactive Accounts?

Inactive accounts are user accounts that have not been used over a significant period of time. By “used” we mean one of these actions:

  • Staff member has logged into SOBS
  • Staff member has a booking in the Parent Booking application
  • Staff member has a booking in the Resource Booking application

 

Why do we disable inactive accounts?

These accounts pose a potential security threat for several reasons:

1. Protecting personal and sensitive data: 

Even though the accounts are inactive, they may still contain personal information such as parent and student contact data. By monitoring these accounts, we can promptly identify and deactivate those that hold this sensitive information, reducing the risk of exposure and identity theft.

2. Identifying suspicious activity or unauthorized access attempts: 

By keeping track of inactive accounts, we may detect unusual activity or unauthorized access attempts.   This allows us to quickly intervene and take action to prevent possible attempts to compromise security and protect other accounts and associated systems.

3. Resignation of a user: 

Monitoring inactive accounts becomes essential in the case of staff leaving the school.   Their inactive account can become a potential vulnerability.   We can identify inactive accounts associated with former employees and disable their access to prevent misuse of accounts and protect the school’s data and systems.

4. Account taken over by a hacker to use as a backdoor: 

An additional reason for monitoring inactive accounts is to identify accounts that have been taken over by hackers to use as a backdoor, and to prevent such takeovers. Hackers can take over an inactive account (so as not to raise suspicion) and use this privileged access position to compromise the security of the school network.

 

Configure your account settings

You can adjust the period or disable this option if necessary.

  1. Log in to SOBS as a SOBS Administrator
  2. Click on your school name (bottom left) and then on “School configuration”
  3. In the top left menu select “Account settings”
  4. Use the “Edit” button to adjust the period or disable the option

 

Notification

SOBS will check for inactive accounts every day, and process them according to the configured settings.  An email is then sent to the main SOBS Administrator account for the school.

 

How to undo this action

To re-enable an account that has been disabled:

  1. Log in to SOBS as a SOBS Administrator
  2. Click on your school name (bottom left) and then on “Staff / Guests”
  3. Locate the staff member that has been disabled (there will be a red cross next to their name)
  4. Click on the red cross.  This will enable the staff record and set the last login date to today.

If you only enable the staff record and the staff member doesn’t log into SOBS, then SOBS will simply disable the account again as part of the overnight processing.
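The daily check and the re-enable behaviour described above can be modelled in a few lines. This is an added illustration, not SOBS code: the field and function names, the 183-day stand-in for six months, and treating an account with no recorded activity as inactive are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DEFAULT_PERIOD_DAYS = 183  # assumption: "six months" approximated in days

@dataclass
class StaffAccount:
    name: str
    last_login: Optional[date] = None
    last_parent_booking: Optional[date] = None
    last_resource_booking: Optional[date] = None
    enabled: bool = True

    def last_activity(self) -> Optional[date]:
        # Any of the three actions counts as use; take the most recent one.
        seen = [d for d in (self.last_login, self.last_parent_booking,
                            self.last_resource_booking) if d is not None]
        return max(seen) if seen else None

def daily_check(accounts, today, period_days=DEFAULT_PERIOD_DAYS):
    """Disable accounts with no activity inside the period; return their names."""
    if period_days is None:  # the school has switched the option off
        return []
    cutoff = today - timedelta(days=period_days)
    disabled = []
    for acct in accounts:
        last = acct.last_activity()
        # Assumption: an account with no recorded activity counts as inactive.
        if acct.enabled and (last is None or last < cutoff):
            acct.enabled = False
            disabled.append(acct.name)
    return disabled  # this list would feed the administrator email

def re_enable(acct, today, reset_last_login=True):
    """Re-enable an account; without the login-date reset the next run disables it again."""
    acct.enabled = True
    if reset_last_login:
        acct.last_login = today

def sample_accounts():
    # Constructed sample data, not real staff records.
    return [
        StaffAccount("teacher_a", last_login=date(2024, 7, 1)),
        StaffAccount("teacher_b", last_login=date(2023, 11, 1),
                     last_resource_booking=date(2024, 6, 10)),
        StaffAccount("teacher_c", last_login=date(2024, 1, 15)),
    ]
```

Running `daily_check` over the sample on 5 Aug 2024 disables only `teacher_c`: `teacher_b` has an old login but a recent resource booking, which still counts as use.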