Loyola University Chicago

- Navigation -

Loyola University Chicago

Information Technology Services

Computer Security Standard

Scope:

This standard applies to all computers,defined as any work station,desktop or laptops that are:

The owner of a computer may use it at his or her discretion; however, once that computer is connected to the University network or is used to store university data, it is subject to applicable laws and regulations, and to University policies.

Purpose:

The purpose of this document is to establish standards for the base configuration of University computers. Effective implementation of this standard will minimize security incidents involving University resources.

This document is broken up into two sections: Baseline Standards, and High Security Standard. All in scope computers will be configured to the baseline standard. All computers connected to high security systems will conform to both the Baseline Standard and the High Security Standard.

Standards:

The following sections must be adhered to by the user of the computer.

Baseline Standards

The University does not allow the use of shared local profiles, when logging in to a Loyola workstation.

High Security Standard

All computers procured through, operated or contracted by the University and connected to, or interacting with, a high security network zone, as defined in the ITS Network Firewall Policy, or store Loyola Protected Data, must adhere to the following rules in addition to the Baseline Standard:

Information Security guidelines, as referenced in the Appendix.

  1. All approved remote access will comply with the ITS Access Control Policy.
  2. All approved remote access techniques will be encrypted between the computer and the remote machine.
  3. The user is encouraged to use an alternative browser, such as Firefox.
  4. In instances where an alternative browser is not available, Internet Explorer (IE) can be used as long as ActiveX is disabled on all IE zones except Trusted.
  5. Trusted zones may be explicitly enabled for specific web sites on an as needed basis.

Users of any networked system, including this computer, should be aware that due to the nature of electronic communications, any information conveyed via a computer or a network may not be private. Sensitive communications should be encrypted or communicated via an alternative method.

Exceptions

Exceptions to this policy will be handled in accordance with the ITS Security Policy.

Review

This policy will be maintained in accordance with the ITS Security Policy.

Emergencies

In emergency cases, actions may be taken by the Incident Response Team in accordance with the procedures in the ITS Incident Response Handbook. These actions may include rendering systems inaccessible.

Appendix

DocumentsReferenced

DisposalofLoyolaProtectedData&LoyolaSensitiveDataPolicy

ElectronicSecurityofLoyolaProtectedData&LoyolaSensitiveDataPolicy

AccessControlPolicy

AntivirusStandard

IncidentResponsePlan

LogManagementStandard

NetworkFirewall Standard

PasswordStandard

SecurityPolicy

Supported Operating Systems

Guidelines

CIS_Microsoft_Windows_7_Benchmark_v1.2.0.pdf

CIS_SUSE_Linux_Benchmark_v2.0.pdf CIS_VM_Benchmark_v1.1.0.pdf

Definitions

High Security Systems – Servers, applications or network computers that store, process or transmit Loyola Protected Data, per the Data Classification Policy.

Service Accounts – User accounts that are required by applications as part of their normal function and operation. These accounts are not used by users to login interactively.

History

January 24, 2011: Initial Policy

October 22, 2012: Corrected links, Removed vendor specific references

July 12, 2013: Corrected Links

September 16, 2014: Added supported operating system reference

June 22, 2015: Annual review for PCI Compliance, removed CIS reference for XP

 

Loyola

Information Technology Services
1032 W. Sheridan Ave. · Chicago, IL 60660 · 773.508-4ITS

helpdesk@luc.edu

Notice of Non-discriminatory Policy