Vendor VPN Access Procedure
This document describes the procedure to activate VPN access for vendors to Loyola networks and systems for maintenance and support.
Vendors requiring remote access to Loyola’s intranet for configuration, maintenance, and emergency support are required to use the Loyola VPN service. As outlined in PCI-DSS requirement 8.1.5, access is enabled only when needed and disabled when not in use.
When the vendor requires access to a system on the Loyola environment through a scheduled window or to respond for emergency support, the Loyola primary system contact shall contact the Loyola ITS Helpdesk to have access enabled.
The Loyola primary system contact must provide the following information to the Helpdesk when requesting access:
- Vendor Organization
- VPN account name & associated email address
- Name and contact (phone/email) for staff performing maintenance
- System(s) to be accessed
- Anticipated time window of access required
The ITS Helpdesk will assign the ticket the UISO department with the above information for the account to be enabled. Once enabled, the user provided as the vendor staff member will be notified of the account activation.
The ITS Helpdesk maintains a list of emergency contacts that can be contacted in case of an emergency situation requiring vendor VPN access.
When the vendor has completed their maintenance of the necessary systems, they should notify Loyola that access is no longer required and can be disabled.
The vendor should do this by replying to the email with notification of account enabling. The UISO department will disable the account until further use is requested.
In the event that the vendor does not provide notification that all necessary work is completed and access is no longer required, the Loyola vendor VPN account will be automatically disabled after 24 hours.
Questions about this procedure:
If you have questions about this procedure, please contact the University Information Security Office at email@example.com.
Compliance Driver: PCI-DSS v3.0
History and Updates
Initial Procedure Created: November 7, 2012
PCI Compliance Review, July 7, 2013
Approved: November 6, 2013
Author: University Information Security Office (UISO)