Electronic Security Sensitive Data
SCOPE
This policy covers any data that has been classified as either Loyola Protected Data or as Loyola Sensitive Data and is stored electronically (covered electronic documents).
PURPOSE
The purpose of this policy is to provide security practices for faculty, staff, student workers, consultants or agents of Loyola University Chicago and any parties who are contractually bound to handle data produced by Loyola, who produce or have access to covered electronic documents.
POLICY
Additional precautions shall be used by any departments or individuals who have access to covered electronic documents. These additional precautions include:
Storage of Covered Electronic Documents
No Loyola Protected Data may be stored on workstations, desktops, computers, laptops, thumb drives, mobile phones, or mobile devices. Loyola Protected Data may only be stored on ITS managed information resources, such as file servers, application servers or databases. All storage of Loyola Protected Data must abide by Loyola’s Encryption Policy.
Users who have a business need to store Loyola Protected Data should request an exception to the policy at https://www.itssecurity.luc.edu/pe.
If a user wishes to store Loyola Sensitive Data, the acceptable storage options are listed below in order of preference:
- Networked storage
- Workstation or Laptop running encryption software
- PDA/Blackberry/Smartphone running encryption software
- Portable drive using encryption software (see appendix for examples)
- CD/DVD/Disk saved as an encrypted file
Loyola faculty, staff, student workers, consultants or agents should not store Loyola Sensitive Data on computers and devices that are not encrypted according to Loyola’s Encryption Policy.
Encryption
ITS will provide full disk encryption technology to protect desktop and laptop computers. Users who know that their computer will store Loyola Sensitive Data should ensure that their system is encrypted.
Limited access - At Loyola
All areas that contain computers storing covered electronic documents should not be accessible to all faculty, staff, student workers, consultants, agents, or visitors of Loyola University Chicago. All areas that contain computers storing covered documents must not provide unsupervised access to the public. Department heads or their designee will work with Campus Safety to control access through either a physical key or via a badge reader. Areas that cannot be locked cannot be used to house computers that store covered documents on their local hard drives. Department heads or their designee will identify individuals who have a need to access these areas to perform their job function, and will communicate the names of these individuals and their required access to Campus Safety. When leaving their desk in an area containing computers storing covered documents, individuals shall, to the best of their ability, either lock access to their computer or log off of their computer.
Limited access – Outside of Loyola
Non-Loyola spaces used by contracted 3rd parties should only be accessible by individuals the contractor has approved to access covered electronic documents. All areas that contain computers storing covered documents must not provide unsupervised access to the public. Areas that cannot be locked cannot be used to house computers that store covered documents on their local hard drives.
When leaving their desk in an area containing computers storing covered documents, individuals shall, to the best of their ability, either lock access to their computer or log off of their computer.
Training
ITS and HR will make training materials available to all staff with access to covered electronic documents which will cover all issues raised in this policy in greater detail. The training materials can be accessed online at http://www.luc.edu/its/data_security_training.shtml.
Questions about this policy
If you have questions about this policy, please contact the Information Security team at DataSecurity@luc.edu.
Policy Adherence
Failure to follow this policy can result in disciplinary action as provided in the Employee Staff Handbook, Student Worker Employment Guide, and Faculty Handbook. Disciplinary action for not following this policy may include termination, as provided in the applicable handbook or employment guide.
APPENDIX
Examples of portable drives
- Flash drives
- Thumb drives
- Memory sticks
- USB hard drives
- iPhones / iPods / iPads
- Smart Phones (Blackberry, Android, Windows CE devices)
Please contact the UISO at DataSecurity@luc.edu for assistance with file or drive encryption. USB flash drives/thumb drives/memory sticks can be purchased with encryption built-in. Please visit http://www.luc.edu/its/purchases.shtml to view recommended products.
Policies Referenced
Definitions
Covered electronic documents – Any data that has been classified as either Loyola Protected Data or as Loyola Sensitive Data and is stored electronically.
HISTORY
May 25, 2011: Initial Policy
October 26, 2012: Annual Review for PCI Compliance
Author: Information Security Advisory Council (ISAC)