Access Control Policy
This policy applies to Loyola University Chicago faculty, staff, students, contractors and vendors that connect to servers, applications or network devices that contain or transmit Loyola Protected Data, per the Data Classification Policy. All servers, applications or network devices that contain, transmit or process Loyola Protected Data are considered “High Security Systems”.
Access controls are designed to minimize potential exposure to the University resulting from unauthorized use of resources and to preserve and protect the confidentiality, integrity and availability of the University networks, systems and applications.
Segregation of Duties
Access to High Security Systems will only be provided to users based on business requirements, job function, responsibilities, or need-to-know. All additions, changes, and deletions to individual system access must be approved by the appropriate supervisor and the UISO, with a valid business justification. Access controls to High Security Systems are implemented via an automated control system. Account creation, deletion, and modification as well as access to protected data and network resources is completed by the Server Operations group.
On an annual basis, the University Information Security Office will audit all user and administrative access to High Security Systems. Discrepancies in access will be reported to the appropriate supervisor in the responsible unit, and remediated accordingly.
All users of High Security Systems will abide by the following set of rules:
- Users with access to High Security Systems will utilize a separate unique account, different from their normal University account. This account will conform to the following standards:
- The password will conform, at a minimum, to the published ITS Password Standards.
- Inactive users will be disabled after 90 days of inactivity.
- Access will be enabled only during the time period needed and disabled when not in use
- Access will be monitored when account is in use
- Repeated access attempts will be limited by locking out the user ID after not more than six attempts.
- Lockout duration must be set to a minimum of 30 minutes or until an administrator enables the user ID.
- If a session has been idle for more than 15 minutes, the user is required to re-authenticate to re-active the terminal or session.
- Users will not log in using generic, shared or service accounts.
Users may only gain access to the Citrix environment if:
- A user’s manager must submit the request.
- The Director Cash Management and/or E-Commerce Coordinator must approve all requests.
- Users will abide by the above user access guidelines.
- Users must complete annual PCI training through the Treasurer’s office.
- Administrators will abide by the Privileged Access Policy.
- Users will abide by above user access guidelines.
- Administrators will immediately revoke all of a user’s access to High Security Systems when a change in employment status, job function, or responsibilities dictate the user no longer requires such access.
- All service accounts must be used by no more than one service, application, or system.
- Administrators must not extend a user group’s permissions in such a way that it provides inappropriate access to any user in that group.
- All servers, applications and network devices shall contain a log in banner that displays the following content:
“This computer and network are provided for use by authorized members of the Loyola community. Use of this computer and network are subject to all applicable Loyola policies, including Information Technology Services policies (http://www.luc.edu/its/aboutus/policies.shtml), and any applicable Loyola Handbooks. Any use of this computer or network constitutes acknowledgment that the user is subject to all applicable policies. Any other use is prohibited. Users of any networked system, including this computer, should be aware that due to the nature of electronic communications, any information conveyed via a computer or a network may not be private. Sensitive communications should be encrypted or communicated via an alternative method.”
All users and administrators accessing High Security Systems must abide by the following rules:
- No modems or wireless access points are allowed on high security networks, or other unapproved remote access technology.
- All remote access must be authenticated and encrypted through the University’s Virtual Private Network (VPN).
- All remote access will be accomplished through the use of two factor authentication; a username/password combination, and a second method not based on user credentials, such as a certificate or token, provisioned to the user.
- Any third party, non-Loyola affiliate that requires remote access to High Security Systems for support, maintenance or administrative reasons must designate a person to be the Point of Contact (POC) for their organization. In the event the POC changes, the third party must designate a new POC.
- All third party access to High Security Systems must be approved by the Information Security Officer.
- Third parties may access only the systems that they support or maintain.
- All third party accounts on High Security Systems will be disabled and inactive unless needed for support or maintenance. The server System Administrator will be responsible for enabling/disabling accounts and monitoring vendor access to said systems. All third parties with access to any High Security Systems must adhere to all regulations and governance standards associated with that data (e.g. PCI security requirements for cardholder data, FERPA requirements for student records). Third party accounts must be immediately disabled after support or maintenance is complete.
- Data must not be copied from high security systems to a user’s remote machine.
- Access will be disconnected automatically after 24 hours.
- Users will abide by the above user access guidelines.
All ITS data centers will abide by the following physical security requirements:
- Video surveillance will be installed to monitor access into and out of ITS data centers.
- Access to ITS data centers will be accomplished the use of electronic badge systems.
- Only the Director of Facilities, ITS Infrastructure Services Director, and Service Operations and Data Center Manager will have physical key access.
- Physical access to ITS data centers is limited to ITS personnel, designated approved Loyola employees or contractors whose job function or responsibilities require such physical access.
- These individuals will be classified appropriately in the ITS Roles and Responsibilities Matrix.
- Loyola badges will be prominently displayed.
- Visitors accessing ITS data centers will be accompanied by authorized ITS personnel, and all access will be logged via the ITS Data Center Visitor Access Log.
- This log will be stored at each ITS Data Center.
- Each visitor, and accompanying authorized ITS personnel, must sign in and out of the data center.
- The log will be kept for at least a period of three months.
- Modification, additions or deletions of physical access to ITS data centers will be accomplished by utilizing the ITS High Security Authorization Form.
- Physical access requires the approval of the ITS Infrastructure Services Director.
- The Information Security Team and the ITS Infrastructure Services Director will audit physical access to ITS data centers on an annual basis.
Failure to follow this policy can result in disciplinary action as provided in the Employee Staff Handbook, Student Worker Employment Guide, and Faculty Handbook. Disciplinary action for not following this policy may include termination, as provided in the applicable handbook or employment guide.
Questions about this policy
If you have questions about this policy, please contact the Information Security team at email@example.com.
- September 22, 2009: Initial Policy
- September 19, 2012: Added section for PCI Compliance
- September 23, 2012: Corrected links.
- September 25, 2014: Added statement requiring immediate disabling of third-party accounts
- June 22, 2015: Annual Review for PCI Compliance
- July 7, 2015: Added statement for VPN inactivity timeout
- August 5, 2015: v1.3 Added statements for PCI-DSS v3.1 Sec.8.1