Loyola University Chicago

- Navigation -

Loyola University Chicago

Information Technology Services

Electronic Security Sensitive Data

Scope:

This policy covers any data that has been classified as either Loyola Protected data or as Loyola Sensitive data and is stored electronically (covered electronic documents).

Purpose:

The purpose of this policy is to provide security practices for employees, student workers, consultants or agents of Loyola University Chicago and any parties who are contractually bound to handle data produced by Loyola, who produce or have access to covered electronic documents.

Policy:

Additional precautions shall be used by any departments or individuals who have access to covered electronic documents. These additional precautions include:

Encryption

ITS will provide full disk encryption technology to protect desktop and laptop computers identified during the compliance review as containing covered electronic documents. Users who know that their computer will store Loyola Protected data or Loyola Sensitive data should, in accordance with Loyola’s Encryption Policy, contact the ITS Information Security team at DataSecurity@luc.edu to request an installation of the full disk encryption software. ITS will provide training in using encryption software to the users of these systems.

Storage of Covered Electronic Documents

When possible, users shall store covered electronic documents on network hard drives instead of local hard drives or any form of removable media. If this is not possible, the computer must run a full disk encryption product provided by Loyola’s ITS.

If a user wishes to store Loyola Protected data or Loyola Sensitive data for remote access, the acceptable storage options are listed below in order of preference:

  1. Networked storage
  2. Laptop running encryption software
  3. PDA/Blackberry/Smartphone running encryption software
  4. Portable drive using encryption software
  5. CD/DVD/Disk saved as an encrypted file

Loyola employees, student workers, consultants or agents should not store Loyola Protected data or Loyola Sensitive data on computers and devices that are not encrypted according to Loyola’s Encryption Policy.

Passwords

The user shall protect any resources that house covered electronic data with a password. This password must meet or exceed the current ITS password standards described in the Password Standards.

Limited access – At Loyola

All areas that contain computers storing covered electronic documents should not be accessible to all employees, student workers, consultants, agents, or visitors of Loyola University Chicago. All areas that contain computers storing covered documents must not provide unsupervised access to the public. Department heads or their designee will work with Campus Safety to control access through either a physical key or via a badge reader. Areas that cannot be locked cannot be used to house computers that store covered documents on their local hard drives. Department heads or their designee will identify individuals who have a need to access these areas to perform their job function, and will communicate the names of these individuals and their required access to Campus Safety. When leaving their desk in an area containing computers storing covered documents, individuals shall, to the best of their ability, either lock access to their computer or log off of their computer.

Limited access – Outside of Loyola

Non-Loyola spaces used by contracted 3rd parties should only be accessible by individuals the contractor has approved to access covered electronic documents. All areas that contain computers storing covered documents must not provide unsupervised access to the public. Areas that cannot be locked cannot be used to house computers that store covered documents on their local hard drives. When leaving their desk in an area containing computers storing covered documents, individuals shall, to the best of their ability, either lock access to their computer or log off of their computer.

Training

ITS and HR will make training materials available to all staff with access to covered electronic documents which will cover all issues raised in this policy in greater detail.

Questions about this Policy:

If you have questions about this policy, please contact the Information Security team at DataSecurity@luc.edu.

Policy adherence:

Failure to follow this policy can result in disciplinary action as provided in the Staff Handbook, Student Worker Employment Guide, and Faculty Handbook. Disciplinary action for not following this policy may include termination, as provided in the applicable handbook or employment guide.

 

Appendix:

Policies Referenced

Data Classification Policy

Encryption Policy

Password Standards

Definitions

Covered electronic documents – Any data that has been classified as either Loyola Protected data or as Loyola Sensitive data and is stored electronically.

History:

March 4, 2008: Initial Policy

July 15, 2013: Annual Review for PCI Compliance

June 4, 2014: Annual Review for PCI Compliance

Loyola

Information Technology Services
1032 W. Sheridan Ave. · Chicago, IL 60660 · 773.508-4ITS

InfoServices@luc.edu

Notice of Non-discriminatory Policy