Loyola University Chicago


Information Technology Services

Security Policy

Scope

This policy covers all of Loyola University Chicago’s computing, networking, telephony and information resources.

Purpose

The purpose of this policy is:

Policy

Individuals Covered

This policy applies to all persons accessing and using computing, networking, telephony and information resources through any facility of the University. These persons include students, faculty, staff, persons retained to perform University work, and any other person extended access and use privileges by the University given the availability of these resources and services, and in accordance with University contractual agreements and obligations.

All members of the University community share in the responsibility for protecting information resources for which they have access or custodianship.

Systems and Resources Covered

This policy covers all computing, networking, telephony and information resources procured through, operated or contracted by the University. This policy also covers any computing device connecting to and utilizing University information resources. Such resources include computing and networking systems, including those that connect to the University telecommunications infrastructure, other computer hardware, software, databases, support personnel and services, physical facilities, and communications systems and services. Authorized support personnel for high security systems are outlined in the ITS Roles and Responsibilities Matrix and Audit Calendar.

Information Classification & Protection

In order to ensure that information about members of the University community is properly protected, all information will be classified in accordance with the Data Classification Policy. Information that is classified as Loyola Protected or Loyola Sensitive data will receive additional protections as described in the Personally Identifiable Information (PII) Protection Policies. Data deemed PCI-DSS relevant must comply with all PCI-DSS requirements as outlined by the PCI Data Security Standard Version 2.0.

User Training and Awareness

Effective information security requires a high level of participation from all members of the University and all must be well informed of their responsibilities. To facilitate this, information security awareness materials and training will be provided to the Loyola community in accordance with the ITS Security Awareness Policy.

Physical and Environmental Security

Centralized computer facilities will be protected in physically secure locations with controlled access, in accordance with the ITS Access Control Policy. They will also have appropriate environmental safeguards. Departmental computers housing Loyola Sensitive or Loyola Public data may require physical and environmental security safeguards. All servers containing Loyola Protected data must be housed in an approved ITS data center.

Incident Response

Information security incidents have the potential to negatively impact members of the University community and to harm the University’s reputation. Therefore, it is important that all information security incidents are handled confidentially and appropriately. All information security incidents will be handled in accordance with the ITS Incident Response Plan.

Risk Assessment

Security incidents are more likely to occur when there are unknown and unaddressed risks and vulnerabilities in information systems. Therefore, risk assessments will be conducted in accordance with the ITS Risk Assessment Process. In addition, the IT Security Team will periodically perform vulnerability assessments, per the ITS Vulnerability Assessment Policy.

Network Security

All networking devices procured through, operated or contracted by the University will be configured in accordance with the ITS Router and Switch Security Standard, the ITS Network Firewall Policy, or the ITS Wireless Access Point Policy, depending on the type of device.

Computer Security

All workstations, desktops and laptops procured through, operated or contracted by the University will be configured in accordance with the ITS Computer Security Standard and the ITS Password Standard.

Server Security

All servers procured through, operated or contracted by the University will be configured in accordance with the ITS Computer Security Standard and the ITS Password Standard.

Antivirus

Viruses and other malicious programs can compromise the confidentiality, integrity, and availability of information resources. All systems connected to University networks shall abide by the ITS Antivirus Policy.

Key Management

All systems that store Loyola Protected data will encrypt said data using appropriate encryption techniques, as defined within the Encryption Policy. This policy requires the use of private keys to encrypt the data.

Individuals who, because of their job function, are responsible for using a private key will be designated as “key custodians”. No key custodian will have knowledge of a majority of the private keys.

Any private keys created during the encryption process will be maintained via a key management procedure specific to that system. This procedure is determined by the key custodians, and must include the following items:

Log Management Standard

System logs are required to enable effective troubleshooting of system problems and are a required component of the incident response process. All systems that store, transmit or process Loyola Protected data shall abide by the ITS Log Management Standard.

Policy Adherence

Failure to follow this policy can result in disciplinary action as provided in the Employee Staff Handbook, Student Worker Employment Guide, and Faculty Handbook. Disciplinary action for not following this policy may include termination, as provided in the applicable handbook or employment guide.

Exceptions

Exceptions to this policy will be handled in accordance with the ITS Security Policy.

Review

This policy, and all policies, standards, handbooks and supporting materials contained within, will be reviewed by the ISO on an annual basis.

Emergencies

In emergency cases, actions may be taken by the Incident Response Team in accordance with the procedures in the ITS Incident Response Handbook. These actions may include rendering systems inaccessible.

Appendix

Definitions

Server – a software program, or the computer on which that program runs, that provides a service to client software running on the same computer or other computers on a network

History and Updates

June 16, 2008: Initial Policy
October 6, 2011: Revised
October 29, 2012: Annual Review for PCI Compliance
July 17, 2013: Annual Review for PCI Compliance
December 5, 2013: Corrected reference to Incident Response Plan
Author: UISO
Version: 1.2