Loyola University Chicago

- Navigation -

Loyola University Chicago

Information Technology Services

Access Control Policy

 Scope:

This policy applies to Loyola University Chicago faculty, staff, students, contractors and vendors that connect to servers, applications or network devices that contain or transmit Loyola Protected Data, per the Data Classification Policy. All servers, applications or network devices that contain, transmit or process Loyola Protected Data are considered “High Security Systems”.

 

Purpose:

Access controls are designed to minimize potential exposure to the University resulting from unauthorized use of resources and to preserve and protect the confidentiality, integrity and availability of the University networks, systems and applications.

 

Policy:

Segregation of Duties

Access to High Security Systems will only be provided to users based on business requirements, job function, responsibilities, or need-to-know. All additions, changes, and deletions to individual system access must be approved by the appropriate supervisor and the UISO, with a valid business justification. Access controls to High Security Systems are implemented via an automated control system. Account creation, deletion, and modification as well as access to protected data and network resources is completed by the Server Operations group.

On an annual basis, the University Information Security Office will audit all user and administrative access to High Security Systems. Discrepancies in access will be reported to the appropriate supervisor in the responsible unit, and remediated accordingly.

 

User Account Access

User Access

All users of High Security Systems will abide by the following set of rules:

 

Citrix Access

Users may only gain access to the Citrix environmentif:

 

AdministrativeAccess

 

Remote Access

All users and administrators accessing HighSecurity Systems must abide by the following rules:

 

PhysicalAccess

All ITS data centers will abide by the following physical security requirements:

 

Policy adherence

Failure to follow this policy can result in disciplinary action as provided in the Employee Staff Handbook, Student Worker Employment Guide, and Faculty Handbook. Disciplinary action for not following this policy may include termination, as provided in the applicable handbook or employment guide.

 

Questions about this policy

If you have questions about this policy, please contact the Information Security team at datasecurity@luc.edu.

 

History

September 22, 2009: Initial Policy
September 19, 2012: Added section for PCI Compliance
September 23, 2012: Corrected links.
September 25, 2014: Added statement requiring immediate disabling of third-party accounts
June 22, 2015: Annual Review for PCI Compliance

Loyola

Information Technology Services
1032 W. Sheridan Ave. · Chicago, IL 60660 · 773.508-4ITS

InfoServices@luc.edu

Notice of Non-discriminatory Policy