ITS Policies & Guidelines
Access & Use
- Rights and Responsibilities When Using Electronic University Resources
- Acceptable Use Policy for University Computing Labs
- Digital Millennium Copyright Act
- Online Harassment
- Ownership and Use of Data
- Peer-to-Peer File Sharing Programs and Services
- Technology Fee
- Cloud Computing Policy
- Standard for Undergraduate Student Worker Access to PeopleSoft Resources
- Access Control Policy
- Access and Responsible Use of University Electronic Mail Systems
- Electronic Mail and Voice Mail Use and Disclosure Policy
- Access and Responsible Use of University Electronic Mail Systems for Electronic Mass Communications
ITS Internal Policies
- Change Management Policy
- ITS Key and Badge Access Policy
- Privileged Access Policy
- Vulnerability Risk Review Procedure
Macintosh Computers
Personally Identifiable Information (PII) Protection
- Data Classification Policy
- Loyola Protected and Loyola Sensitive Data Identification Policy
- Electronic Security of Loyola Protected & Loyola Sensitive Data Policy
- Physical Security of Loyola Protected and Loyola Sensitive Data Policy
- Disposal of Loyola Protected and Loyola Sensitive Data Policy
- Encryption Policy
- Personal Information Protection Compliance Review Protocol
- Data Breach Response Policy
- Secure Deletion Procedure
Purchasing
- Purchasing Computer Hardware and Software
Security
- Security Policy
- Security Policy for Technology Professionals
- Digital Surveillance Governance Policy
- Wireless Access Points Policy
- Antivirus Policy
- Computer Security Standard
- Log Management Standard
- Network Firewall Standard
- Password Standards
- Router and Switch Standard
- Security Awareness Policy
- Server Security Standard
- Vulnerability Assessment Policy
- Incident Response Plan
- Incident Response Plan - Appendix
- Vendor VPN Access Procedure
- Vendor Access to Internal Systems
- Wireless Access Point and Router Policy
Voicemail
- Voice Mail
Protected Health Information
- Policies and Procedures for Protecting Health Information
Enterprise Content Management
Enterprise content refers to technologies used to manage content ranging from document management, imaging and workflow to web content and digital asset management. If you have questions, please contact the Help Desk at 8-4ITS.
Document Imaging Guidelines
Please contact the ITS Help Desk at 8-4ITS, if you have questions about document management systems, equipment or service.
Related University Policies
Scope:
This policy covers all computers and electronic devices capable of storing or transmitting electronic data that are owned or leased by Loyola University Chicago, consultants or agents of Loyola University Chicago and any parties who are contractually bound to handle data produced by Loyola.
Purpose:
The purpose of this policy is to ensure that Loyola Protected or Loyola Sensitive data is not inappropriately stored on Loyola computers and electronic devices through systematic electronic examination.
Policy:
Frequency
All departments will perform a Personal Information Security Compliance (PISC) Review at least every 6 months. Departments are free to perform PISC Reviews more frequently if they see a need to do so. All departments must maintain a schedule for performing their PISC Reviews.
Covered Systems
During a PISC Review, departments are responsible for scanning workstations, laptops, portable devices, and any servers that are managed by the department. Portable devices that store electronic data should be attached to a computer during the PISC Review. ITS will perform PISC Reviews for all servers that they manage.
Collection Method & Methodology
Scan results shall be stored on each machine that is scanned. The primary data steward or the alternate data steward in each department will be responsible for examining each scan result to determine if the machine or device houses Loyola Protected or Loyola Sensitive data.
Measurement & Reporting
The primary data steward or the alternate data steward in each department will create and send a summary of their scan results to ITS. This summary of scan results will include the number of computers and electronic devices that contain either Loyola Protected data or Loyola Sensitive data, and the number that contain neither. Scan results will also include any machines which were believed to not contain Loyola Protected data or Loyola Sensitive data but were found to contain either data type. ITS will create and provide a summary report to the Information Technology Executive Steering Committee.
Follow-up & Training
Any users who regularly use a computer or electronic device identified by a scan as inappropriately containing Loyola Protected data or Loyola Sensitive data without proper authorization may be required to complete online training on the use and storage of Loyola Protected data and Loyola Sensitive data.
Software
ITS will install software that is capable of scanning for Loyola Protected data and Loyola Sensitive data on all Loyola computers and electronic devices subject to this Policy. Only software approved by ITS to scan for and identify Loyola Protected data and Loyola Sensitive data may be used during a PISC review.
Search Terms
The scanning software will search for the patterns that are specified in the Appendix. If additional patterns need to be detected, they will be added to the Appendix.
Questions about this policy:
If you have questions about this policy, please contact the Information Security team at DataSecurity@luc.edu.
Policy adherence:
Failure to follow this policy can result in disciplinary action as provided in the Staff Handbook, Student Worker Employment Guide, and Faculty Handbook. Disciplinary action for not following this policy may include termination, as provided in the applicable handbook or employment guide.
Appendix:
Policies referenced
Definitions
Personal Information Security Compliance (PISC) Review – Occurs when a department follows the Personal Information Security Compliance Review Protocol.
Regular expression – A pattern, such as 9 consecutive digits or 3 consecutive digits then 2 consecutive characters. Any item which matches the regular expression will be flagged by the scanning software.
Search Terms
The following regular expressions will be flagged by the scanning software as possible matches for sensitive data:
- SSN9 – 9 consecutive digits
- SSN324 – 3 consecutive digits, a dash, 2 consecutive digits, a dash, and 4 consecutive digits
- AMEX – 4 consecutive digits, a dash, 6 consecutive digits, a dash, and 5 consecutive digits
- VMCD – 4 consecutive digits, a dash, 4 consecutive digits, a dash, 4 consecutive digits, a dash, and 4 consecutive digits
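The four search terms above are easy to turn into a working scanner, and doing so shows how the flagged results feed the data steward's summary. The block below is an added example written for this page, not the ITS-approved scanning software or any of its output. It assumes a few things the appendix does not state: each pattern is bounded so it does not fire inside a longer digit run (a 10-digit phone number is not flagged as SSN9), matched values are masked to their last four digits so the scan log does not itself become covered data, and the sample files are constructed in the code.

```python
import re
from typing import Dict, List, NamedTuple

# Patterns named after the appendix's search terms. The (?<!\d) and (?!\d)
# guards are an assumption added here: they keep a pattern from matching inside
# a longer run of digits while still flagging every exact-length run.
SEARCH_TERMS: Dict[str, re.Pattern] = {
    "SSN9":   re.compile(r"(?<!\d)\d{9}(?!\d)"),                    # 9 digits
    "SSN324": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),        # 3-2-4
    "AMEX":   re.compile(r"(?<!\d)\d{4}-\d{6}-\d{5}(?!\d)"),        # 4-6-5
    "VMCD":   re.compile(r"(?<!\d)\d{4}-\d{4}-\d{4}-\d{4}(?!\d)"),  # 4-4-4-4
}


class Hit(NamedTuple):
    term: str    # which search term matched
    line: int    # 1-based line number in the scanned text
    value: str   # masked match, never the raw value


def mask(value: str) -> str:
    """Keep only the last four digits so the scan result is not itself covered data."""
    digits = [c for c in value if c.isdigit()]
    keep = "".join(digits[-4:])
    return "*" * (len(digits) - len(keep)) + keep


def scan_text(text: str) -> List[Hit]:
    """Run every search term over every line and collect masked hits."""
    hits: List[Hit] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for term, pattern in SEARCH_TERMS.items():
            for m in pattern.finditer(line):
                hits.append(Hit(term, lineno, mask(m.group(0))))
    return hits


def scan_files(files: Dict[str, str]) -> Dict[str, List[Hit]]:
    """Scan a mapping of file name -> contents; one result list per file."""
    return {name: scan_text(content) for name, content in files.items()}


def summarize(results: Dict[str, List[Hit]]) -> Dict[str, int]:
    """Count scanned items with and without flagged data, in the shape of the
    summary the data steward reports to ITS (flagged vs. containing neither)."""
    flagged = sum(1 for hits in results.values() if hits)
    return {"flagged": flagged, "clean": len(results) - flagged}


# Constructed sample files; the numbers are made up for the example.
SAMPLE_FILES: Dict[str, str] = {
    "hr-notes.txt": "Employee 123-45-6789 reimbursement\n"
                    "Phone 3125551234\n"
                    "Badge 987654321",
    "cards.csv": "amex,3782-822463-10005\n"
                 "visa,4111-1111-1111-1111",
    "readme.txt": "Nothing sensitive here. Order 12345678.",
}


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for name, hits in results.items():
        for h in hits:
            print(f"{name}:{h.line} {h.term} {h.value}")
    print(summarize(results))
```

Note what the boundary guards buy: the 10-digit phone number and the 8-digit order number are not reported, while the bare 9-digit badge number still is, which is the false-positive class the Follow-up & Training section anticipates when it says a flagged machine "may" contain covered data and a steward has to examine each result.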
History:
- March 4, 2008: Initial Policy
- June 19, 2015: Annual Review for PCI Compliance
- June 20, 2016: Annual Review for PCI Compliance
- June 21, 2017: Annual Review for PCI Compliance
- Sep 6, 2018: Annual Review for PCI Compliance
- Sep 24, 2019: Annual Review for PCI Compliance
- Aug 6, 2020: Annual Review for PCI Compliance
Scope:
This procedure applies to any electronic media which is required to be securely deleted because of the type of data it contains.
Purpose:
This procedure covers the process for securely deleting electronic media which either currently contains or previously contained information classified as Loyola Protected data or Loyola Sensitive data, which will be referred to as “covered data” in this procedure.
Procedure:
Hard drives
When a computer with a hard drive containing covered data is replaced, it initially will be stored in accordance with the existing equipment replacement policy. When the hard drive would normally be placed back into circulation, it must first be securely deleted before this happens.
To securely delete a hard drive, an ITS technician will place the hard drive into a computer and boot a copy of an approved whole drive secure deletion tool, as listed in the appendix. The ITS technician will then run the program, performing one complete overwrite.
USB drives
When a USB drive containing covered data needs to be discarded, an ITS technician will attach the USB drive to a computer and run an approved granular secure deletion tool, as listed in the appendix. The ITS technician will then run the program, performing one complete overwrite.
Floppy diskettes, CD-ROMs, DVD-ROMs, and other similar media
When any form of media that is inserted into a desktop drive and contains covered data needs to be discarded, the media must be physically destroyed. This is most easily accomplished by using a pair of scissors to cut the media in half. It is also acceptable to send the media through a shredding device. This does not need to be performed by an ITS technician.
Backup tapes
When a backup tape needs to be discarded, the backup tape must be sent through a degaussing device. Because it is difficult to determine which specific files are on which specific tape, all backup tapes are subject to this policy. If an area has backup tapes but does not have a degaussing device, they can provide the backup tapes to ITS. An ITS technician will then degauss the backup tapes. Once the backup tapes are degaussed, they can be discarded.
Broken devices or media
If a device or piece of media cannot be read, it must be either degaussed or physically destroyed. If an area is unsure of how to do so, or does not have a degaussing device, they can contact ITS. ITS will pick up the device or piece of media. The ITS technician will then either physically destroy the device or degauss it, depending on which is more appropriate.
PCI Lockbox
PCI lockbox images older than 14 days will automatically be deleted from server storage daily. Results of this job will be logged to a central logging server in accordance with the Log Management Standard and emailed to appropriate ITS staff members.
PCI Servers and Network Devices
On PCI servers and network devices that store Primary Account Number (PAN) information, records containing the PAN that are older than 90 days will automatically be deleted from server storage daily. On the ORACLE MICROS system used by food services, records containing the PAN that are older than 120 days will automatically be deleted from server storage daily.
Devices containing HIPAA Related Information
Devices containing protected health information as outlined by HIPAA require additional steps to ensure no data can be retrieved from the device. All HIPAA related devices will be erased using an approved whole drive secure deletion tool, as listed in the appendix. The ITS technician will then run the program, performing seven complete overwrites. Any device that cannot be erased in this manner must be physically destroyed.
Appendix
Approved whole drive secure deletion tools
DBAN - https://sourceforge.net/projects/dban/ - 2.3 and above
Approved granular secure deletion Tools
Eraser - http://eraser.heidi.ie/download/ - 6.2 and above
History
- March 12, 2008: V 1.0, Initial Procedure
- October 8, 2014: V 1.1, Add PCI Lockbox procedure
- June 19, 2015: V 1.1, Annual Review for PCI Compliance
- April 13, 2016: V 1.1, Annual Review for PCI Compliance
- May 18, 2017: V 1.1, Annual Review for PCI Compliance
- July 20, 2017: V 1.2, Added secure deletion process for HIPAA information
- June 12, 2018: V 1.2, Annual Review for PCI Compliance
- October 5, 2018: V 1.3, Added procedure change for Micros
- July 15, 2019: V 1.3, Annual Review for PCI Compliance
Scope:
This policy defines the essential rules regarding the management, maintenance and operation of network firewalls at Loyola University Chicago and applies to all network firewalls procured through, operated or contracted by the University.
Purpose:
To establish a set of policies and strategies for the deployment and configuration of all network firewalls that process University network traffic.
Policy:
Network Connections
All external and wireless connections to University networks must pass through a network firewall. In addition, all network connections entering a high security network must pass through a network firewall. Any change to an external connection or to the configuration of the firewall must be adequately tested and documented according to the ITS Network Firewall Standard.
Dedicated Functionality
Network firewalls used to protect University networks must run on single-purpose devices.
- These devices may not serve other purposes, such as acting as web servers.
- Each network firewall must have a rule set specific to its purpose and location on the network, in accordance with the ITS Network Firewall Standard.
Network Firewall Change Control
Network firewall configuration rules and permissible services rules must not be changed unless the permission of the Information Security Officer and Network Manager has first been obtained. Any change to rules and permissible services made to any network firewall needs to be documented using the ITS Change Management Policy, and a justification for the change and the actual updated configuration or service rule needs to be documented in the ITS Network Firewall Supporting Documentation. Changes made to Intrusion Prevention functions of the Internet facing firewalls (See Allowable Changes) are an exception and do not require a change management request.
Allowable Changes (External Facing Firewalls Only)
The following changes do not require a change management request:
- Security Profiles (Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, File Blocking, Wildfire Analysis, Data Filtering, and DoS protection)
- Zone Protection
- Log Forwarding
- Global Protect VPN
Regular Auditing
An audit of network firewalls will be done on a biannual basis. These audits must also include the regular execution of vulnerability scanning in accordance with the ITS Vulnerability Assessment Policy. Audits must be performed by the Information Security Team and Network Services.
Network Firewall Physical Security
All University network firewalls must be physically located in ITS data centers and accessible only to those whose roles and responsibilities permit them to access network firewalls as defined within the ITS Access Control Policy.
These secure spaces must also have adequate physical security measures installed. All physical access to the secured spaces will be automatically logged. All visitor access to the secured space must abide by the ITS Access Control Policy.
Exceptions:
Exceptions to this policy will be handled in accordance with the ITS Security Policy.
Review:
This policy will be maintained in accordance with the ITS Security Policy.
Emergencies:
In emergency cases, actions may be taken by the Incident Response Team in accordance with the procedures in the ITS Incident Response Plan. These actions may include rendering systems inaccessible.
References:
- Change Management Policy
- ITS Access Control Policy
- ITS Network Firewall Standard
- Incident Response Plan
- ITS Security Policy
History:
- September 04, 2008: Initial Policy
- April 15, 2016: Corrected links, annual review for PCI Compliance
- May 24, 2017: Annual review for PCI Compliance
- August 11, 2017: v1.2 Modified Change Control section to reflect unified Firewall and IPS functions.
- May 1, 2018: Annual review for PCI Compliance
- June 19, 2019: Annual review for PCI Compliance