Loyola University Chicago


Information Technology Services

Vendor Access to Internal Systems

Scope

Vendors requiring access to the Loyola systems for configuration, maintenance, and emergency support should adhere to the restricted and monitored channels that ITS staff uses to access the environment.  Additionally, the access should only be activated on an as-needed basis and disabled when not in use.

Purpose

As listed in PCI requirement 8.1.5, the purpose of this policy is to minimize potential exposure to the University resulting from unauthorized use of resources and to preserve and protect the confidentiality, integrity and availability of the University networks, systems and applications.

Policy

Segregation of Duties

Access to High Security Systems will only be provided to users based on business requirements, job function, responsibilities, or need-to-know. All additions, changes, and deletions to individual system access must be approved by the appropriate supervisor and the ISO, with a valid business justification.

User Account Access

User Access

All users of High Security Systems will abide by the following set of rules:

Citrix Access

Users may only gain access to the Citrix environment if:

Administrative Access

“This computer and network are provided for use by authorized members of the Loyola community. Use of this computer and network are subject to all applicable Loyola policies, including Information Technology Services policies, and any applicable Loyola Handbooks. Any use of this computer or network constitutes acknowledgment that the user is subject to all applicable policies. Any other use is prohibited.

Users of any networked system, including this computer, should be aware that due to the nature of electronic communications, any information conveyed via a computer or a network may not be private. Sensitive communications should be encrypted or communicated via an alternative method.”

Remote Access

All users and administrators accessing High Security Systems must abide by the following rules:

Physical Access

All ITS data centers will abide by the following physical security requirements:

The Information Security Team and the ITS Infrastructure Services Director will audit physical access to ITS data centers on an annual basis.

Policy adherence:

Failure to follow this policy can result in disciplinary action as provided in the Employee Staff Handbook, Student Worker Employment Guide, and Faculty Handbook.  Disciplinary action for not following this policy may include termination, as provided in the applicable handbook or employment guide.

Questions about this policy:

If you have questions about this policy, please contact the Information Security team at datasecurity@luc.edu.

This policy applies to Loyola University Chicago faculty, staff, students, contractors and vendors that connect to servers, applications or network devices that contain or transmit Loyola Protected Data, per the Data Classification Policy.

All servers, applications or network devices that contain, transmit or process Loyola Protected Data are considered “High Security Systems”. 

History:

November 6, 2013: Initial Policy
June 4, 2014: Annual review for PCI Compliance


Information Technology Services
1032 W. Sheridan Ave. · Chicago, IL 60660 · 773.508-4ITS

InfoServices@luc.edu
