Loyola University Chicago

- Navigation -

Loyola University Chicago

Information Technology Services

Access Control Policy


This policy applies to Loyola University Chicago faculty, staff, students, contractors and vendors that connect to servers, applications or network devices that contain or transmit Loyola Protected Data, per the Data Classification Policy. All servers, applications or network devices that contain, transmit or process Loyola Protected Data are considered “High Security Systems”.


Access controls are designed to minimize potential exposure to the University resulting from unauthorized use of resources and to preserve and protect the confidentiality, integrity and availability of the University networks, systems and applications.


Segregation of Duties

Access to High Security Systems will only be provided to users based on business requirements, job function, responsibilities, or need-to-know. All additions, changes, and deletions to individual system access must be approved by the appropriate supervisor and the UISO, with a valid business justification. Access controls to High Security Systems are implemented via an automated control system. Account creation, deletion, and modification as well as access to protected data and network resources is completed by the Server Operations group.

On an annual basis, the University Information Security Office will audit all user and administrative access to High Security Systems. Discrepancies in access will be reported to the appropriate supervisor in the responsible unit, and remediated accordingly.

User Account Access

User Access

All users of High Security Systems will abide by the following set of rules:

Citrix Access

Users may only gain access to the Citrix environment if:

Administrative Access

“This computer and network are provided for use by authorized members of the Loyola community. Use of this computer and network are subject to all applicable Loyola policies, including Information Technology Services policies (http://www.luc.edu/its/aboutus/policies.shtml), and any applicable Loyola Handbooks. Any use of this computer or network constitutes acknowledgment that the user is subject to all applicable policies. Any other use is prohibited. Users of any networked system, including this computer, should be aware that due to the nature of electronic communications, any information conveyed via a computer or a network may not be private. Sensitive communications should be encrypted or communicated via an alternative method.”

Remote Access

All users and administrators accessing High Security Systems must abide by the following rules:

Physical Access

All ITS data centers will abide by the following physical security requirements:

Policy adherence

Failure to follow this policy can result in disciplinary action as provided in the Employee Staff Handbook, Student Worker Employment Guide, and Faculty Handbook. Disciplinary action for not following this policy may include termination, as provided in the applicable handbook or employment guide.

Questions about this policy

If you have questions about this policy, please contact the Information Security team at



September 22, 2009: Initial Policy

September 19, 2012: Added section for PCI Compliance

September 23, 2012: Corrected links.

September 25, 2014: Added statement requiring immediate disabling of third-party accounts

June 22, 2015: Annual Review for PCI Compliance

July 7, 2015: Added statement for VPN inactivity timeout

August 5,2015: v1.3 Added statements for PCI-DSS v3.1 Sec.8.1


Information Technology Services
1032 W. Sheridan Ave. · Chicago, IL 60660 · 773.508-4ITS


Notice of Non-discriminatory Policy