
Data Security & Privacy


On/Off-boarding Process

Medtronic Account

Version: 4.5
Date: 13 Dec, 2019
Status: Approved

This document contains proprietary information. ALL INFORMATION CONTAINED HEREIN SHALL BE KEPT IN CONFIDENCE. None of this information shall be divulged to persons other than IBM employees authorized by the nature of their duties to receive such information, or individuals or organizations authorized by IBM in accordance with existing policy regarding release of company information.

TABLE OF CONTENTS
1. DOCUMENT CONTROL
Document Change Approvers
Document Approvals
Document Review Plans
Document Distribution
Security Classification
2. ABOUT THIS DOCUMENT
Document Structure
Document Interdependencies
Reference Documents:
3. INTRODUCTION
Objectives
4. GUIDELINES
4.1. ROLES AND RESPONSIBILITIES
5. ON/OFF-BOARDING
5.1. ON-BOARDING PROCESS DESCRIPTION
5.2. HIPAA 2-YEAR DOCUMENT RETENTION FOR ACCESS-RELATED ARTIFACTS
5.3. ON-BOARDING PROCESS AND USER ACCOUNT REQUEST PROCESS
5.4. OFF-BOARDING PROCESS
5.5. OFF-BOARDING PROCESS DESCRIPTION
5.6. VERIFICATION AND QUALITY ASSURANCE OF PROCESS
6. APPENDIX – WELCOME AND DATA REMOVAL NOTES
6.1. ON-BOARDING AND PERCOLATOR
6.1.1. WELCOME LETTER
6.1.2. TRAINING
6.1.3. PERCOLATOR ACCESS NOTIFICATION (TUI BASED)
6.2. REQUEST FOR DATA REMOVAL, UPON OFF-BOARDING AND PERCOLATOR
7. APPENDIX – ADAPTIVE AUTHENTICATION & DATA REMOVAL ARTIFACTS
7.1. STEPS TO CONNECT USING ADAPTIVE AUTHENTICATION
7.2. STEPS TO PURGE DATA AND CERTIFY DATA REMOVAL

IBM Confidential
1. Document Control
Summary of Changes

| Version # | Version Date | Author | Nature of Change |
|---|---|---|---|
| 1.0 | 21 June 2011 | Chris Hutcherson | Initial draft |
| 1.0 | 23 June 2011 | Chris Hutcherson | Changed status to Approved and added approved date to document. Approved by Ed Pierce AL PM. |
| 1.1 | 29 June 2011 | Chris Hutcherson | Updated client on/off boarding contact and off boarding requirements |
| 1.2 | 30 June 2011 | Chris Hutcherson | Updated on-boarding initiation process (step one). |
| 1.3 | 13 July 2011 | Chris Hutcherson | Updated on boarding process and required training with client requested changes |
| 1.4 | 21 July 2011 | Chris Hutcherson | Document approved and added approved date to document. Approved by Matt Goldsmith, Project Office Manager (delegate for Anthony Lawrence, DPE). |
| 1.5 | 22 August | Chris Hutcherson | Updated section 4.1 |
| 1.6 | 14 Sept. 2011 | Chris Hutcherson | Added additional MDT requested procedures to on-boarding process |
| 1.7a | 12 Oct. 2011 | Chris Hutcherson | Added additional changes from Medtronic On/Off boarding Coordinator to sections 4.1 and 5.1 steps 2 & 4. Updated the on-boarding checklist form. |
| 1.8 | 06 Dec 2011 | Chris Hutcherson | Update approval from US PM to BAMs and update role of US PM |
| 1.9 | 06 Jan. 2012 | Chris Hutcherson | Update to section 5.1 steps 2 and 3 – issuance of RSA tokens. |
| 2.0 | 05 Oct 2012 | Barrett Roshak | Updated additional procedure details |
| 3.0 | 05 Nov 2012 | Chris Hutcherson | DPE Approval |
| 3.1 | 21 Feb 2013 | Chris Hutcherson | Update to access revocation section. Adaptive Authentication replacing RSA tokens – process to be documented once finalized. RSA sections marked with strikethrough (to be deleted) when RSA tokens finally collected and returned to MDT. |
| 3.2 | 29 Apr 2013 | Bragadeesh Venkataramani | Updated sec 2 on ASD, 4 for on boarding timelines, 5.2, 5.5 for on/off boarding process change (Workday); Removed Appendix A, B, F, G and on Data removal certificate |
| 3.3 | 21 May 2013 | Bragadeesh Venkataramani | Amended section 5.1 and 5.2; Included section 6.1, 6.2 and 7.1; Removed Line Item and RSA Token instructions |
| 3.4 | 7 July 2013 | R.Njoba | Updated Sec. 5.1.1 On-Boarding Process Under Workday Application and Sec. 5.3.1 Off-Boarding Process Under Workday Application, Added Processes and steps to on-boarding; Removed names in place of roles |
| 3.5 | 25 July 2013 | Saurabh Jain | Updated sec 4 A - the on boarding guidelines, Sec 5.1 and 5.4 the process steps of on and off boarding |
| 3.6 | 16 September 2013 | Saurabh Jain | Updated sec 4 A - the off boarding guidelines, Sec 5.4 the process steps of off boarding. Added Return of assets steps in off boarding |
| 3.7 | 8 December 2013 | R. Njoba | Updated Sections 4, 4.1, 5.1, 5.2, 5.4, 6.2 – Revised user access request/approval/granting process; Added HIPAA on-boarding and off-boarding requirements, now applicable |
| 3.8 | 10 July 2014 | Michael T. Clark | Updating DPE and Scope |
| 3.9 | 16 April 2015 | Swati Jain | Updated scope. Added new work numbers. |
| 4.0 | 14 July 2015 | David Kalavity | Removed closed work numbers |
| 4.0 | 14 July 2015 | David Kalavity | Removed embedded documents and save to the Project Control Book |
| 4.1 | 10 May 2016 | Swati Jain | Updated Work#, Added Percolator based OOB process |
| 4.2 | 29 Sep 2016 | Michael Via | Updated Work#s |
| 4.3 | 7 Nov 2017 | Swati Jain | New section on Mandatory Breaks added, Access Creation and revocation process updated |
| 4.4 | 9 Aug 2018 | Michael Via | Client-specified, Industry and Regulations Requirements added under section 4 |
| 4.5 | 13 Dec 2019 | Michael Via | Updated access revocation requirements |

Document Change Approvers

| Function | Name | Approval Date |
|---|---|---|
| Delivery Project Executive | Claudia Corino, DPE | 13 Dec 2019 |

Document Approvals
Document approvals for this document are stored in the DS&P Folder of the Medtronic IPWC Teamroom.

Document Review Plans


This document will be reviewed and updated as defined below:

• As required to correct or enhance information content
• Following any organizational changes or restructuring
• Following an annual review

Document Distribution
This document will be distributed to all change approvers and upon request.

Security Classification
The security classification (IBM Confidential) and the handling of this document complies with IBM
‘Classification and Control of IBM Information’, Publication numbers CI-116A & CS-216.

2. About this Document


This document does not cover the process IBM uses to orient new employees to IBM. This document specifically
addresses the Data Security and Privacy elements of On-Boarding and Off-Boarding GBS Workforce Members
onto a project and should be used in addition to the IBM new-hire orientation program. These base elements are
essential for ensuring proper requirements are implemented during the on-boarding and off-boarding activities.

Document Structure
The body of this document provides a high-level process flow and the roles and responsibilities for the process.

This process document will be updated when the client or IBM changes its processes, tools used, or requires
additional on- or off-boarding activities for project resources.

Document Interdependencies
A major interdependency of this process is the Access Management Process, which addresses job-specific access (accounts and permissions) to select Medtronic and IBM IT assets: network, servers, databases, applications in various support environments, and tools (web sites, repositories, SharePoint sites, and the like).

The On-Off Boarding process document addresses the activities required for on-boarding of new members into the
Medtronic account, and the activities required for off-boarding of existing members from the Medtronic account.
When a workforce member departs the Medtronic account, they must be off-boarded, and if they return, they will
undergo a new on-boarding cycle.

The processes described in this document address controls at the account level. The work numbers, systems,
and work sites covered by this document include the following:

This document covers the following active work numbers:

| WN # | TYPE | PCR Name Description | Contract Number |
|---|---|---|---|
| WNMHT | AMS | CCR095 | CFTNQ2R |
| WNMQT | AMS | CCR095 | CFTNQ2R |
| WNMST | AMS | CCR098 | CFTNQ2R |
| WC81V | AMS | CCR098 | CFTNQ2R |
| WN2GV | AMS | CCR098 | CFTNQ2R |
| WN2KV | AMS | CCR098 | CFTNQ2R |
| W559U | AMS | CCR096 LATAM SUPPORT | CFT4DRR |
| WDSDU | AMS | 193, 203 & 207 Digital Diabetes App | CFTBKFC |
| WCH2V | AMS | 221 SFDC optimization and development | CFTBKFC |
| WFNTV | AMS | 230 Diabetes Reporting and Analytics Project | CFTBKFC |
| WNJLV | AMS | A203 EXT MDT Diabetes SOW | CFTBKFC |
| WC1SV | AMS | B001 MDT SAP ROLES | CFTBKFC |
| WN0CV | AMS | CCR097 Testing WN's | CFTNQ2R |
| WN0GV | AMS | CCR097 Testing WN's | CFTNQ2R |
| WN0JV | AMS | CCR097 Testing WN's | CFTNQ2R |
| WN0MV | AMS | CCR097 Testing WN's | CFTNQ2R |

When on-boarding, the access a person may need (such as Medtronic network access, in order to obtain
training) is addressed by the On-Off Boarding Process, as this is common to each person. The Access
Management Process is invoked to provide them the access they need to specific IT assets, based on their first
assigned role (which can happen multiple times during their tenure at Medtronic). When they off-board from the
Medtronic account, the Access Management Process is again invoked as necessary to terminate that access.

Requests to grant access, terminate access, and change access (accounts and permissions) to
Medtronic resources are addressed in the Risk Management Process. It is referred to during both on-boarding and
off-boarding, but can also be executed independently as the person changes their functional job roles.

Reference Documents:
o Medtronic User ID Access Management Process Document located in Medtronic IPWC
o Medtronic Percolator Tool >>On-Off boarding
o Medtronic IBM On-boarding form

3. Introduction
This document specifically addresses the Data Security and Privacy elements of On-Boarding and Off-Boarding.
This process applies to all GBS Workforce Members joining Medtronic.

An On/Off-boarding Process is vital to overall contract performance and containment of Data Security & Privacy
(DS&P) risks. It provides for the movement of GBS Workforce Members into and out of the project in a consistent
manner, while ensuring compliance with DS&P requirements.

This process defines the formal communications and education for GBS Workforce Members joining or leaving
Medtronic. It covers areas such as how to treat Medtronic information, handle data on laptops when connected to
the Client networks, dispose of IBM and Medtronic confidential information, and remove Medtronic data from
equipment upon leaving an account or contract team, or when separating from IBM. Evidence of execution is
required.

Refer to GBS Data Security and Privacy Controls Framework for updates to this template as well as other
supporting guidance.

This document also gives an overview of the Percolator tool, which is used to manage On-Off boarding and to retain
the related evidence.

Objectives
• Ensure the On/Off-boarding Process is managed consistently and accurately across the contract, regardless of the presence of Personal Information (PI), Sensitive Personal Information (SPI) and/or Business Sensitive Information (BSI)
• Provide a central point of contact for the On-boarding and Off-boarding of GBS Workforce Members
• Ensure compliance with project-specific Data Security and Privacy requirements
• Ensure timely and complete On-boarding and Off-boarding of GBS Workforce
• Maintain historical records of individuals processed through the On/Off-boarding Process

4. Guidelines
A. On/Off-boarding is a planned and systematic approach to processing new and departing GBS workforce
members. The Process and On-boarding Checklist cover basic IBM and client contractual requirements.
The Process and Off-boarding Checklist ensure that the departing GBS workforce members meet IBM and
client requirements for access removals, continued non-disclosures and compliance to post employment or
contract requirements. Required employee clearances, physical and logical access assignments and
assignment of special equipment. The On-Off boarding and Access Control List of Medtronic Account is
managed and tracked through a web based tool called “Percolator”.

B. On-Boarding
New GBS workforce members are on-boarded shortly after starting on a project; on-boarding should occur no later
than 60 days from joining the project. On-boarding activities capture the completion of items such as project
specific training, client specific training, work permit requirements,
Timing
• New members are required to complete the DS&P Awareness training within 30 days of their on-boarding start date.
• Due to delays from multiple stakeholders and background check and/or Drug Screening verification (Drug Screening is only applicable for Key resources), on-boarding activities can take up to 60 days from the resource start date on the project.
• Percolator tool based Work Force Member List (Staff Management Dashboard) is updated to reflect the on-boarding of the new resource. User IDs or the Access Control List are updated and managed through the Percolator tool. The Separation of Duties (SOD) matrix and Workplace Inspection logs are updated during the next monthly review following the resource's start on the project.

C. Off-boarding
Off-boarding ensures that all access to systems, environments, network, support tools as well as access to
client PI/SPI/BSI data is revoked and passwords are reset. In addition, PI/SPI/BSI data is removed from the
GBS workforce member’s equipment (for example, laptops, memory sticks, other peripheral equipment)
and client-issued equipment (for example, laptops, keys, badges and security tokens) is collected and
returned. Any IBM confidential information stored on client-issued equipment is securely deleted prior to
returning. Off-boarding is managed and tracked through the Percolator Tool.
Timing
• IBM team notifies Medtronic of off-boarding within 24 hours of Team Leads being made aware of the intended departure. (If the departing member is not leaving “for cause,” there may be a period where the departing member is still providing services up to their identified “last day.”)
• The IBM Medtronic project account is required to submit a request for account revocation to Medtronic within 24 hours after departure of the resource through the Workday tool.
• WMML, ACL, SOD and Workplace Inspection logs are manually updated to reflect the departure of the departing member, no later than during monthly reviews.

Evidence is reviewed to validate that the project’s On-boarding Process is followed. A Percolator based On-boarding Checklist is used as part of the project’s On-boarding Process to:

• Ensure timely and complete On-boarding of GBS Workforce Members
• Ensure compliance with project-specific Data Security and Privacy training requirements
• Ensure required updates are made to manually managed documents.
• Ensure updates of SOD Matrix are performed to reflect changes in personnel (contrast against current SOD Matrix)
• Ensure specific Client requirements are addressed, such as background security clearances
• Ensure specific project requirements are addressed, such as when using non-IBM or non-client issued workstations
• Ensure any other relevant project documentation is updated to reflect the new role or new workforce member introduced with On-boarding
• Maintain historical records of individuals processed through Percolator tool

Evidence is reviewed to validate that the project’s Off-boarding Process is followed. Off-boarding activities for the
departing resources are required to be completed by the member’s last work day on the project. A Percolator based
Off-boarding Checklist is used as part of the project’s Off-boarding Process to:

• Ensure timely and complete removal of physical and logical accesses within 24 hours
• Ensure the removal of data from workstations and other storage media
• Ensure IBM information is removed off of client assets before returning
• Ensure the return of client assets to the client
• Ensure any client post contract requirements are met
• Ensure specific client requirements are addressed, such as Non-Disclosure agreements and security clearances
• Ensure project documentation is updated to reflect the workforce member change (for example, the SOD Matrix a)
• Maintain historical records of individuals processed

Exception
The project periodically uses consultants from Delivery Excellence, Risk Management, and Subject Matter Experts
(SMEs) on various technical areas. These members are approved for a few hours and/or for a short duration on the
project. These members are not on- and off-boarded and are not required to complete any on-boarding activities, but are
tracked in the Percolator as Support team members, for the duration they charge time to the project.

However, if consultants/SMEs stay on longer on the project, or are assigned User ID accounts for access to
Medtronic systems, these members will at that time be on-boarded and required to complete on-boarding activities,
including MDT required training, DS&P training, and background verification check.

Mandatory Breaks

Every two years, all US resources (Regulars, subcontractors, LTS, landed) in the account need to take a mandatory
break of 60 days or more. These resources are not permanently rolled off from the MDT account; however, they do not
support any client related work or retain access to the client network, applications, systems, data, etc. during the break. Such
resources will not be charging billable hours on ILC during breaks.
After completing the break of 60 days or more, resources regain access to the MDT network and resume services.
Steps to manage these breaks are listed below.
The Percolator tool is used to record Mandatory Breaks and access status. The tool moves active records to the “Mandatory
Break” section as soon as step 2 is completed by the manager. The record is moved back to active state once the break is
over.
Leaving:

| Step | Responsibility |
|---|---|
| 1. Percolator staff management dashboard assignments details are updated | PM |
| 2. Mandatory Break Start date and end date recorded on Percolator | PM |
| 3. N/W level access and application level access revocation request is raised | PM / PMO |
| 4. Update Percolator ACL dashboard “Mandatory Break Access Revoked Date” to record revocation details of leaver. | PMO |
| 5. Update SOD | DS&P |
| 6. Review ACL records for completion | DS&P |

Resuming Services:

| Step | Responsibility |
|---|---|
| 1. Workday request is raised for n/w level access and DS&P is informed | PMO |
| 2. Application/system level access request is raised by managers and DS&P is informed | PM |
| 3. Update Percolator ACL dashboard “Mandatory Break Access Renewal Date” to record access renewal of joiner. | PMO |
| 4. Access level / profile and role reviewed and updated | PM |
| 5. SOD is updated | DS&P |
| 6. Review ACL records | DS&P |

4.0.1 Supporting Processes and Documentation

• Medtronic On-Off Boarding Checklists on Percolator
• Evidence of On-boarding task completion for new members
• Workforce Member Master List on Percolator

4.1. Roles and Responsibilities


The following table outlines the On/Off-boarding roles and responsibilities on the Medtronic

| Role | Responsibility |
|---|---|
| Medtronic Cost Center Manager (for IBM members) | Approve on boarding of new IBM members to the IBM cost center within the Medtronic accounting system |
| Medtronic (MDT) On-Off Boarding Contact | Processing Enterprise User Access (EUA) requests; Monitoring IBM EUA related activities |
| MDT SAP Coordinator/manager | Receiving BAM request to on-board a new SAP member; Performs contract/funding and skill review for the new member proposed for on-boarding; Either approving or rejecting the request for on-boarding of new persons who will access the MDT SAP environments. |
| Manager, PMO team | Add new member on the Percolator tool and initiate on-boarding; Oversees the activities of the PMO team; Liaison between DS&P SE and Medtronic Security Manager |
| IBM On/Off-boarding Coordinator: India Project Management Office (PMO) | IBM contact who executes the On/Off-boarding process; Ensure all evidence of execution are uploaded on Percolator tool. |
| New Workforce Member | Fills out the appropriate checklist on the Percolator and completes all required activities for on-boarding, such as training requirements, ISAM registration, background check forms, and upload evidence on the tool to show fulfillment of on-boarding tasks |
| Off-Boarding Team Member | Fills out Off-boarding checklist and Data Removal Certificate on the Percolator, and captures all required evidence to show fulfillment of off-boarding tasks |
| IBM Team Manager/Lead | Identifying need for a change to staffing level; Identifying new members to be on-boarded and initiate on-boarding on Percolator; Identifying departing member to be off-boarded and initiate off-boarding on Percolator; Requesting approval from BAM for such individuals; Assist new resource and provides direction for completion of on-boarding activities |
| IBM Project Manager/Business Area Manager (BAM) | Obtaining and providing approval to on/off-board an individual; Sends notification of approval to the On-Off Boarding Coordinator |
| IBM Project Management Office (PMO) Coordinator | Update Percolator PMO section and provide assistance to DS&P team |
| MDT On-Boarding Approver: Key Employees; SAP | Provides initial MDT approval of all requests for SAP Production access |
| Medtronic Project Manager/ Medtronic On/Off-boarding Contact | MDT single point approver for all new IBM resources; MDT contact managing the On/Off-boarding Process. |
| IBM Technical Contract Coordinator | Acting as single point of Contact for all On- and Off-boarding of US Subcontractors |
| Medtronic (MDT) On-Off Boarding Contact | Processing Enterprise User Access (EUA) requests; Monitoring IBM EUA related activities |
| DS&P SE | Validates the On-Off Boarding process, completion of activities fully and timely, and accuracy of documentation. |

Client-specified, Industry and Regulations Requirements

The following are Medtronic specific data security and privacy requirements documented in the SOW. They apply to IBM
resources who will work in and access Medtronic’s internal systems/environments:
• Background checks for all IBM personnel accessing Medtronic’s on-site facilities and/or systems; and drug testing of key IBM personnel.
• All IBM Personnel performing Services shall be fully trained in MDT’s Quality System Requirements (QSRs) (QSR training is managed by MDT on their learning portal)
• HIPAA Regulation compliance
HIPAA retention policy is followed:
• All versions of HIPAA related Process Documents/Procedures are retained for six years from last date of being active (e.g. the date the new version replaces it)
• Activity Monitoring evidence is retained for six years
• Project training materials and evidence of completion at on boarding and annually thereafter to include both HIPAA and DS&P courses (six years)
• Execution evidence of those HIPAA related processes and procedures has a two year retention, such as on/off boarding checklists and evidence, Access Management requests & approvals including any changes and revocations
• HIPAA related process documents are reviewed annually at a minimum and all individuals supporting the account have access to the documents needed to perform their roles/responsibilities
• All employees have compliant WST reports at on-boarding and checked periodically thereafter
• HIPAA Program Office requirements for on/off boarding are met with controls in the on/off boarding process

All above mentioned requirements are tracked and managed through on-boarding checklist.

Medtronic On-Boarding Exception


All the exemptions below are tracked through MDT Risk log.

• Drug Testing has not been performed for all IBM personnel (An exception mail has been taken from DPE)
• HIPAA On-Boarding exception: Persons or organizations (e.g. janitorial services or electricians) whose functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all, are not required to go through HIPAA On-Boarding. In addition, individuals who will not have logical or physical access to PHI that will work on the account on an emergency basis for no more than 8 hours are exempt as well. These individuals must work under supervision of an individual that is trained.
• Medtronic On-Boarding Exception for Short-Term Resources - The project periodically hires short-term consultants from Delivery Excellence, Risk Management, and Subject Matter Experts (SMEs) on various technical areas. These members are approved for a few hours and/or for a short duration on the project. These members are not on- and off-boarded and are not required to complete any on-boarding activities, but are tracked in the Percolator as Support team members, for the duration they charge time to the project. However, if consultants/SMEs stay on longer on the project or are assigned User ID accounts for access to Medtronic systems, these members will at that time be on-boarded and required to complete on-boarding activities, including MDT required training, DS&P training, and background verification check.
• Drug testing is forbidden under Brazilian law; however, this is not really an issue, as there are no key employees located in Brazil.

5. On/Off-boarding

5.1. On-boarding Process Description


The following table outlines the On-boarding steps for this account. All workforce team members are
required to be processed according to these steps and the associated on- and off-boarding checklists. All
workforce members include temporary or part time workforce members who may provide support for short
periods of time in support of contract commitments. However, this is not applicable to other IBM employees
performing an external review as a part of an IBM quality or controls process such as Risk Managers, KCO
Testers and Audit team members.

| # | Step | Task ID and Description* | Who* |
|---|---|---|---|
| 1 | Identify need for new resource | • MDT Identifies need for new resource and inform IBM under the T&M contract • The resource is interviewed by MDT. • Upon a clearance received from MDT IBM initiates on-boarding on Workday and Percolator tool | Team Manager/Lead / MDT/ BAM |
| 3 | Initiate On Boarding | • Send a welcome email to the new resource that includes On-Off boarding Guidelines to fill Percolator based form, mandatory training links and other compliance requirements that needs to be completed by the resource and copy Team Manager/Lead in the email. • Generate and send TUI to new team member. The TUI (Tokenized User Interface) is a mechanism to allow non-credentialed resources to populate data into a Percolator specific to that resource. TUI are active for limited time duration | On-Boarding Coordinator |
| 4 | Initiate and Execute Background Verification | • Initiate background verification according to the country laws and regulations of the new resource’s home location. • Tracks background completion up to clearance. Update Percolator. • Triggers MDT notification through Workday tool (Customer use only) | IBM Project Management Office (PMO) Manager /DS&P SE |
| 5 | Execute On-boarding Checklist and Initial On-boarding steps | • Follows process/procedures to fill out all applicable sections of the On-boarding Checklist on Percolator • Provides laptop details; model and serial number on tool • Registers in IBM Standard Asset Manager (ISAM) tool; and upload screen shot of ISAM record (showing PGP installation & type of user- privileged or standard) on Percolator • Completes DS&P Training and submits training completion confirmation on Percolator tool. • Completes MDT mandatory training, when user account is provided in Medtronic SABA system (tracked by MDT) and upload evidence on Percolator tool • Provides all relevant information for initiation of background verification. • Submits request for use of Open Source Software; (must obtain written approval from PM prior to use) • Submits request for use of portable media devices; (must obtain written approval from PM prior to use) | New team member |
| 6 | Submit request for Basic profile creation | • Submits new resource On-boarding form to Medtronic RS HROC department to on-board the new resource and request for Basic profile creation through Workday | On-Off Boarding Coordinator |
| 7 | Approval of User ID | • MDT HR Manager approves user account for network access. Offboardings require notification within 24 hours to Medtronic when role changes or resource is reassigned/departs project. | MDT Manager |
| 8 | Basic profile creation / Issuance of User ID credentials | • User ID and password is granted and issued to resource’s Medtronic manager. • Medtronic manager will also receive instructions on creation of Adaptive Authentication account (two-factor authentication) • User receives basic network user ID and credentials from Medtronic manager • Adaptive Authentication credentials are provided by Medtronic manager to new resource, when issued • RS HROC notifies IBM PMO when user network ID is created | MDT RS HROC/ Resource Manager |
| 9 | Update Checklist, store and notify | • Updates OOB Coordinator section on Percolator based On-Boarding checklist • Captures Team Manager/Lead email | On-Off Boarding Coordinator |
| 9 | Request for application/ system/ additional resources | • Submits request for access to other IT Assets and applications/ systems, via Access Management Process • Offboardings require notification within 24 hours to Medtronic when role changes or resource is reassigned/departs project. See the IBM Medtronic User ID Administration Process document for more information on 24 hour access revocation requirements. | Team Manager/lead |
| 11 | On-boarding process Validation | • Validates completion of all On-boarding activities within process timelines; and accuracy of documentation on Percolator • Tracks & documents completion of on-boarding activities and move record to completed status | DS&P SE |

5.2. HIPAA 2-year document retention for access-related artifacts

Members requiring access to systems where ePHI reside are required to acknowledge that,
per HIPAA guidelines, access-related documents are retained for a 2-year period. Each
member requiring such access will encounter the following statement when seeking access
to these systems:

_____ Check here to acknowledge your awareness that you are requesting access to a system that contains Sensitive Personal Information (SPI) / Protected Health Information (PHI) data or is otherwise subject to HIPAA and HITECH regulations, and that you agree to comply with those regulations and IBM policies.

5.3. On-Boarding Process and User account request process

1. The Business Area Manager (BAM) / Delivery Manager are provided with the Medtronic IBM On-boarding form for the new resource. A request is sent to the BAM for approval of the on-boarding resource.
2. Once approved, a record is created on the Percolator tool and on-boarding is initiated.
3. The employee receives a Percolator Welcome letter and link to Percolator tool to begin on-boarding.

For more details, please see 6.1 On-boarding and Percolator.

4. Once the Medtronic IBM On-boarding form with BAM’s approval is complete, an On-Boarding Request is submitted to Medtronic.
5. PMO submits a completed On-boarding Form to Medtronic.
6. Medtronic approves and grants access by creating a user network account in LDAP, with limited access.
7. User network account is issued to Medtronic account Manager, with instructions to create an Adaptive Authentication (AA) account.
8. MDT Resource Manager forwards user credentials and AA code, once received, to new resource.
9. MDT Resource Manager notifies IBM PMO when user network access is issued. If not received, PMO sends email request to MDT HROC department for confirmation.

5.2.1 Required Training

Where applicable, training completion certificates are uploaded on the Percolator tool by the new joiner. If a certificate cannot be provided (i.e. DS&P training PPT which is not tool based), the new joiner’s self-certification provided on the Percolator tool is considered valid. The new joiner adds the date of completion on the tool to certify completion.
Process to Complete Required Training:

# Step Task Description

1. Medtronic Mandatory Training
• Complete mandatory Medtronic System Specific and Quality Assurance training, without which the Medtronic access will be revoked
• Upon receipt of user account, AA code and Medtronic Outlook email account, logs into Saba Training systems and completes the following Medtronic training certifications:
• GRS Basic Navigation Overview (ITIL-BNO)
• Change Management Process Training (GRS) (CHANGEM)
• GRS Change Management eLearning (GRS-CHM-1000)
• GRS Incident Management eLearning (GRS-IPK-1000)
• Configuration Management Training

2. DS&P Medtronic Specific Training
• Completes Medtronic Data Security and Privacy Training
• HIPAA eligible employees submit a signed HIPAA Acknowledgement form

3. Confirms completion of IBM Mandatory Training
Submits completion certificate of IBM required training, or completes the following IBM Training:
• BCG Annual Training
• GBS Annual DS&P Training
• Open Source Software training (if member has requested and is approved by PM for use of OSS)

4. Security Training
Information Security Education

5. HIPAA Training
Eligible workforce members are required to complete IBM HIPAA training
Submits completion certificate

Note: On-boarding timeliness for Medtronic is 30. Likewise, off-boarding is considered timely if
performed within five (5) business days. Personnel are rigorously tracked by the DS&P Team with
notifications and reminders sent to all levels of the PM Team to ensure the timeliest responses from
all members. Risks will be logged in cases where on- and off-boarding timeliness exceeds the ideal
window.

5.4. Off-boarding Process

The following table outlines the Off-boarding steps for this account. All departing workforce team members are
required to be processed according to these steps and the associated on- and off-boarding checklists.
All departing workforce members include temporary or part time workforce members who may provide support for
short periods of time in support of contract commitments. This process is also applicable to sub-contractors on the
project.

5.5. Off-boarding Process Description

# Off-Boarding Step Description* Who*

1. Identify need for departure (Who: MDT manager)
• MDT identifies need for resource to depart
• Inform the BAM /IBM

2. Consider/ Coordinate/ Grant approval (Who: BAM/PM)
• If a contractor is departing, sends notification of departure to Technical Contract Coordinator
• Initiate Off-boarding on Percolator tool

3. Trigger Appropriate Contracting Actions (Who: Technical Contract Coordinator)
• Takes appropriate contracting actions per ongoing policies and procedures

4. Provide notifications (Who: On-Off Boarding Coordinator)
• If the resource is able to be contacted, sends email to off-boarding resource on the tasks required to be completed as a part of Off boarding process, including viewing the BISO Offboarding Companion Video and slide deck.

5. Communicate resource release to MDT (Who: On-Off Boarding Coordinator)
• Within 24 hours sends email to MDT RS HROC department, to off-board resource and terminate access. This serves as request for access revocation.
• Copies DS&P SE in notification
• Triggers MDT notification through the Workday tool (Customer use only)

6. Initiate Off-boarding on the Percolator (Who: PMO Coordinator)
• Sends Off-boarding mail and TU link to departing member

7. MDT RS HROC Dept. (Who: MDT On-Off Boarding Contact)
• Terminates MDT network account following internal MDT processes/procedures
• Triggers deletion of all IT asset accesses

8. Notify IBM of termination (Who: MDT RS HROC dept.)
• Notifies IBM of termination completion (optional)

9. Facilitate Off-boarding Checklist (Who: IBM Manager/ Team Lead)
• Provides ongoing support to departing member as needed

10. HIPAA access revocation (Who: IBM Manager)
• Access revocation within 24 hours to Medtronic when role changes or resource is reassigned/departs project, incl. Siebel / Oracle / SAP systems; ensure records retained for 24 months

11. Execute Off-boarding Checklist (Who: Individual or Team Manager/Lead)
• Follows process/procedures to fill out all applicable sections of the Off-boarding Checklist on the Percolator
• Attaches evidence to email

12. Store Off-Boarding evidence (Who: On-Off Boarding Coordinator)
• Tracks completion of off-boarding tasks
• Ensures records reflect access revocation performed within 24 hours

13. Return of Assets (Who: PMO Coordinator)
US Process
1) Collects MDT Badge from resource and returns to Medtronic Security.
2) Laptops:
A. If a landed resource is moving within IBM in the U.S., the resource takes the laptop and ownership is transferred to the new account.
B. If a landed resource is returning to India, a return request is generated for the laptop, which is then returned to the warehouse. The resource ships the laptop to warehouse using IBM UPS account.
India Process
IBM equipment returns, e.g. laptops, badges, etc., are applicable to resources leaving IBM. This is initiated by resource’s Blue Pages Manager.

14. Update PMO and Coordinator section (Who: PMO Coordinator)
Update PMO and coordinator section on the Percolator Off-boarding checklist

15. Review checklists (Who: DS&P SE)
Quality Assurance of process. Validates the completion of all off-boarding activities on Percolator with required timelines and accuracy of evidence and Checklist.

Team Custom Java & DBA/HR System

Application-level removal is done through a Workday request. No separate application-level access revocation request is required.

5.6. Verification and Quality Assurance of Process


The following table outlines the On/Off-boarding verification and Quality Assurance Process for this account:

# Step How Who

1. Track On/Off-boarding process completion activities, every month (Who: DS&P SE)
Utilize the Percolator staff management and OOB dashboard based Workforce Member Master List to conduct the reviews

2. Identify and Resolve findings (Who: On/Off-Boarding Coordinator/DS&P SE)
If there are discrepancies, handle as appropriate:
• Initiate off-boarding process and associated evidence
• Initiate on-boarding process and associated evidence
• Revoke access following the revocation process and associated evidence
• Update SOD matrix as applicable
• Remove on-call, temporary or part time resource access and re-instate when necessary
• Adjust process to address gaps in process if applicable

3. File evidence (Who: On/Off-Boarding Coordinator)
File all evidence of revalidation.
• Evidence of findings being addressed

4. Validate process (Who: DS&P SE)
1. Verify that the project On/Off-boarding Process is consistent with the contractual and internal requirements, and HIPAA regulations.
2. Update the process, as appropriate.
3. Retain results of verification for a minimum of 24 months in the Medtronic Percolator tool.

6. Appendix – Welcome and Data Removal Notes
Upon being accepted onto the program, the PMO sends a welcome letter to the prospective employee, which contains instructions on the next steps to be taken. The narrative below picks up from where the resource receives the welcome letter.

6.1. On-boarding and Percolator


Percolator is being used to manage each new employee’s on-boarding. Each employee receives an email from
DS&P containing an attached Welcome letter and instructions on how to on-board, including how to complete a
Percolator on-boarding form.

6.1.1. Welcome Letter


After describing Medtronic, the attached Welcome letter informs the employee to complete within ten (10) days the
following training:
1. Medtronic Account Specific Training
2. Configuration Management Training
3. ISAM workstation registration, which requires that an ISAM report be produced
4. Reporting of the machine type and serial number
5. A follow-up response by the employee with the ISAM report screen-shots
6. DS&P training
7. Open Source Software training
8. Notification to management of portable device requirements
9. HIPAA training for Siebel support, Oracle DBAs, and Siebel Testers
The Welcome letter can be found in the PCB here:
DS&P/Evidence/5. On-boarding Checklist/Account Level/Welcome To Medtronic.eml
A Percolator on-boarding steps presentation is provided as an attachment to the Welcome Letter. The training
presentation can be found in the PCB here:
DS&P/Evidence/5. On-boarding Checklist/Account Level/Percolator-On Boarding Steps.ppt

6.1.2. Training
On-boarded resource is required to complete certain on-boarding formalities, before he/she starts working on the
project. Welcome note comprising all such requirements is sent by the PMO team, to all the new resources. The
PCB location of the welcome note is provided below:

DS&P/Evidence/5. On-boarding Checklist/Account Level/On-boarding Welcome Letter.pdf

New joiners read the DS&P training slides and fill in the completion date on Percolator. No separate confirmation is taken from the resources for DS&P trainings.

HIPAA eligible resources are required to complete DS&P training and IBM HIPAA training, and sign/ submit the
attached HIPAA Acknowledgement form, found here in the PCB:

DS&P/Evidence/5. On-boarding Checklist/Account Level/HIPAA Acknowledgement Form.doc

6.1.3. Percolator Access Notification (TUI based)

Within ten days, the on-boarding employee will receive an email from the PMO with instructions to begin populating
Percolator at a dedicated TUI, meant only for that person. The employee will follow this link and fill the fields as
directed in the initial Percolator letter, discussed earlier.

6.2. Request for data removal, upon off-boarding and Percolator

On the resource's last day, or a few days in advance, the Medtronic Off-boarding Data Removal Certificate is filled in by the resource on the tool upon notification from the PMO. No separate DR certificate is collected from the departing employee unless he/she is unable to fill it in on Percolator. If the resources have left IBM, the DR Certificate or TP/Asset return confirmation is collected in place of the DR Certificate. The DR certificate can be found in the Percolator OOB Dashboard.

Manual DR Certificate template can be found here in the IPWC:


DS&P/Evidence/5. On-boarding Checklist/Account Level/Off-boarding Data Removal Letter.pdf

The customer controls the off-boarding process beyond the steps outlined here:

1. Medtronic ID deactivation is initiated through Workday
2. A data deletion mail is sent if the employee is accessible
3. The employee’s workstation is received by the PMO
4. The workstation is stored prior to data removal following the standard steps to purge data in the next section.

7. Appendix – Adaptive Authentication & Data Removal Artifacts

7.1. Steps to connect using Adaptive Authentication


1. Steps to connect using Adaptive Authentication can be found in the PCB here:

DS&P/Evidence/5. On-boarding Checklist/Account Level/Adaptive Authentication Hosts File Configuration.docx

2. Follow the instructions in the documents below:

DS&P/Evidence/5. On-boarding Checklist/Account Level/VPE How to Log in to Adaptive Authentication.docx
and
DS&P/Evidence/5. On-boarding Checklist/Account Level/VPE Remote Registration for Adaptive Authentication.docx

4. Following the instructions below, log into Adaptive Authentication

DS&P/Evidence/5. On-boarding Checklist/Account Level/How to Login to Adaptive Authentication.docx

7.2. Steps to Purge Data and Certify Data Removal


Below are instructions on how to purge data from hard drives

DS&P/Evidence/5. On-boarding Checklist/Account Level/Purging Data Using PGP.docx

Following data purge, a certificate must be completed and returned to the PMO by the employee in possession of
the workstation in which the hard drive is being purged.

DS&P/Evidence/5. On-boarding Checklist/Account Level/Data Removal Certificate.docx

-------------- END OF DOCUMENT --------------
