×

Wireless Access Points Policy

Scope:

This policy covers all devices that provide wireless access to the Loyola network.

Purpose:

Devices that provide wireless access to a network are commonly referred to as wireless access points or wireless routers. These devices may create a security risk by providing unauthorized access to Loyola resources, including the disclosure of Loyola protected data.

Policy:

Faculty, Staff, Students, and Guests are prohibited from attaching any device operating as a wireless access point or router in any University building.

Any wireless connectivity into the PCI-DSS environment is strictly prohibited. Wireless networks are not allowed to connect to the credit card processing (High Security Network) environment under any circumstances.

PCI-DSS Rogue Access Point Detection

Each quarter a helpdesk ticket will be created and assigned to ITS Network Services to request a rogue wireless scan at all sites where credit cards are processed. The scan will be performed using a wireless scanner. Scan information will be reviewed and compared to a list of known Loyola access points as well as known nearby Non-Loyola access points (e.g. Starbucks). All non-Loyola access points will be checked against the Loyola network MAC address table to verify that the MAC address is not present on Loyola networks. The outside access point will be added to the Loyola wireless management system (NCS) and is marked as ‘malicious’. NCS will alert Network Services should it appear on the Loyola network.  Results are to be saved to a spreadsheet and the ticket closed.

When Information Technology Services (ITS) becomes aware of any problem that involves a device operating as a wireless access point that is attached to the campus network in violation of this policy, the network connection to the device will be severed. If additional attempts to reconnect a prohibited device to the campus network are made, the matter will referred to the appropriate University disciplinary staff.

Questions about this policy:

If wireless access is inadequate in your area, contact the ITS Helpdesk (773) 508-4487 for assistance or if you have questions about this policy, please contact the University Information Security Office at DataSecurity@luc.edu.

Exceptions:

Exceptions to this policy will be handled in accordance with the ITS Security Policy.

Review:

This policy will be maintained in accordance with the ITS Security Policy.

Emergencies:

In emergency cases, actions may be taken by the Incident Response Team in accordance with the procedures in the ITS Incident Response Plan.  These actions may include rendering systems inaccessible.

History:

  • July 13, 2005: Initial Policy
  • August 5, 2008: Revised
  • November 1, 2012: Annual review for PCI Compliance
  • February 14, 2013: Revised
  • August 6, 2013: Revised
  • June 17, 2014: Annual review for PCI Compliance
  • April 20, 2015: Annual review for PCI Compliance
  • May 17, 2016: Annual review for PCI Compliance
  • June 5, 2017: Annual review for PCI Compliance
  • June 12, 2018: Added Exception, Review and Emergencies, Annual Review for PCI Compliance
  • July 15, 2019: Corrected language that refers to the rogue wireless scan, Annual Review for PCI Compliance
  • July 14, 2020: Annual review for PCI Compliance

Scope:

This policy covers all devices that provide wireless access to the Loyola network.

Purpose:

Devices that provide wireless access to a network are commonly referred to as wireless access points or wireless routers. These devices may create a security risk by providing unauthorized access to Loyola resources, including the disclosure of Loyola protected data.

Policy:

Faculty, Staff, Students, and Guests are prohibited from attaching any device operating as a wireless access point or router in any University building.

Any wireless connectivity into the PCI-DSS environment is strictly prohibited. Wireless networks are not allowed to connect to the credit card processing (High Security Network) environment under any circumstances.

PCI-DSS Rogue Access Point Detection

Each quarter a helpdesk ticket will be created and assigned to ITS Network Services to request a rogue wireless scan at all sites where credit cards are processed. The scan will be performed using a wireless scanner. Scan information will be reviewed and compared to a list of known Loyola access points as well as known nearby Non-Loyola access points (e.g. Starbucks). All non-Loyola access points will be checked against the Loyola network MAC address table to verify that the MAC address is not present on Loyola networks. The outside access point will be added to the Loyola wireless management system (NCS) and is marked as ‘malicious’. NCS will alert Network Services should it appear on the Loyola network.  Results are to be saved to a spreadsheet and the ticket closed.

When Information Technology Services (ITS) becomes aware of any problem that involves a device operating as a wireless access point that is attached to the campus network in violation of this policy, the network connection to the device will be severed. If additional attempts to reconnect a prohibited device to the campus network are made, the matter will referred to the appropriate University disciplinary staff.

Questions about this policy:

If wireless access is inadequate in your area, contact the ITS Helpdesk (773) 508-4487 for assistance or if you have questions about this policy, please contact the University Information Security Office at DataSecurity@luc.edu.

Exceptions:

Exceptions to this policy will be handled in accordance with the ITS Security Policy.

Review:

This policy will be maintained in accordance with the ITS Security Policy.

Emergencies:

In emergency cases, actions may be taken by the Incident Response Team in accordance with the procedures in the ITS Incident Response Plan.  These actions may include rendering systems inaccessible.

History:

  • July 13, 2005: Initial Policy
  • August 5, 2008: Revised
  • November 1, 2012: Annual review for PCI Compliance
  • February 14, 2013: Revised
  • August 6, 2013: Revised
  • June 17, 2014: Annual review for PCI Compliance
  • April 20, 2015: Annual review for PCI Compliance
  • May 17, 2016: Annual review for PCI Compliance
  • June 5, 2017: Annual review for PCI Compliance
  • June 12, 2018: Added Exception, Review and Emergencies, Annual Review for PCI Compliance
  • July 15, 2019: Corrected language that refers to the rogue wireless scan, Annual Review for PCI Compliance
  • July 14, 2020: Annual review for PCI Compliance