Loyola University Chicago

Information Technology Services

Security Policy

Scope:

This policy covers all of Loyola University Chicago’s computing, networking, telephony, and information resources. All members of the University community share in the responsibility for protecting the information resources to which they have access or over which they have custodianship.

Purpose:

The purpose of this policy is to establish the University’s approach to information security and to establish procedures that will help identify and prevent compromises of information around the University’s computing, networking, telephony, and information resources, as well as to create a secure baseline standard for the University’s computing, networking, telephony, and information resources.

Policy:

Individuals Covered

This policy applies to all persons accessing and using computing, networking, telephony, and information resources through any facility of the University. These persons include students, faculty, staff, persons retained to perform University work, and any other person extended access and use privileges by the University given the availability of these resources and services, and in accordance with University contractual agreements and obligations. There are additional requirements for information technology professionals employed by the University who install, manage, and maintain computing, networking, telephony, and information resources. These individuals should reference: https://www.luc.edu/its/aboutits/itspoliciesguidelines/security_policy.shtml. Activities related to teaching and learning are excepted provided they are segmented from the general University network and do not violate any State or Federal regulations.

Systems and Resources Covered

This policy covers all computing, networking, telephony, and information resources procured through, operated, or contracted by the University. This policy also covers any computing device connecting to and utilizing University information resources. Such resources include computing and networking systems including those that connect to the University telecommunications infrastructure, other computer hardware, software, databases, support personnel and services, physical facilities, and communications systems and services. 

Information Classification & Protection

In order to ensure that information about members of the University community is properly protected, all information will be classified in accordance with the Data Classification Policy. Information that is classified as Loyola Protected or Loyola Sensitive data will receive additional protections as described in the Personally Identifiable Information (PII) Protection Policies. All Personal Health Information (PHI) must be protected or properly redacted as outlined in the HIPAA Privacy Rule. Individuals and departments that require the acceptance of credit card payments on behalf of Loyola University Chicago, will have to adhere to additional requirements and will need to contact Loyola Cash Management for assistance.

User Training and Awareness

Effective information security requires a high level of participation from all members of the University and all must be well informed of their responsibilities. To facilitate this, information security awareness materials and training will be provided to the Loyola community in accordance with the ITS Security Awareness Policy.

Physical and Environmental Security

Departmental computers housing Loyola Sensitive or Loyola Public data may require physical and environmental security safeguards. All servers containing Loyola Protected data must be housed in an approved ITS data center.

Incident Response

Information security incidents have the potential to negatively impact members of the University community and to harm the University’s reputation. Therefore, it is important that all information security incidents are handled confidentially and appropriately. Any potential incident should be reported to the University Information Security Office.

Network and Computer Security

All devices being connected to the university network must be approved by Information Technology Services prior to connecting via manual or automated means.

Password Security

All workstations, desktops and laptops procured through, operated or contracted by the University will be configured in accordance with the ITS Password Standard.

Antivirus

Viruses and other malicious programs can compromise the confidentiality, integrity, and availability of information resources. All systems connected to University networks shall abide by the ITS Antivirus Policy.

Policy Adherence:

Failure to follow this policy can result in disciplinary action as provided in the Employee Staff Handbook, Student Worker Employment Guide, and Faculty Handbook. Disciplinary action for not following this policy may include termination, as provided in the applicable handbook or employment guide.

Exceptions:

Exceptions to this policy will be handled on a case-by-case basis and reviewed and approved by the University Information Security Office. ITS is available to advise and support faculty who have questions regarding the proper use of technology.

Review:

This policy, and all policies, standards, handbooks and supporting materials contained within, will be reviewed by the UISO on an annual basis.

Emergencies:

In emergency cases, actions may be taken by the Incident Response Team in accordance with the procedures in the ITS Incident Response Handbook. These actions may include rendering systems inaccessible.

Definitions:

Server – a software program, or the computer on which that program runs, that provides a service to client software running on the same computer or other computers on a network.

History:

June 16, 2008: V 1.0, Initial Policy
October 6, 2011: V 1.1, Revised
June 17, 2015: V 1.1, Annual Review for PCI Compliance
June 18, 2015: V 1.1, Reformatted to standard policy format
December 5, 2013: V 1.2, Corrected reference to Incident Response Plan
April 14, 2016: V 1.2, Annual Review for PCI Compliance
June 23, 2017: V 1.2, Annual Review for PCI Compliance
July 21, 2017: V 1.3, Added HIPAA information, updated PCI-DSS version
June 14, 2018: V 1.4, Revised Exceptions section, Annual Review for PCI Compliance
August 27, 2019: V 1.4, Annual Review for PCI Compliance
August 10, 2020: V 1.4, Annual Review for PCI Compliance
December 2, 2020: V 1.5, Revised for general user consumption