Vendor VPN Access Procedure
This document describes the procedure to activate VPN access for vendors to Loyola networks and systems for maintenance and support.
Vendors requiring remote access to Loyola’s intranet for configuration, maintenance, and emergency support are required to use the Loyola VPN service. As outlined in PCI-DSS requirement 8.1.5, access is enabled only when needed and disabled when not in use.
When the vendor requires access to a system in the Loyola environment, whether during a scheduled window or to provide emergency support, the Loyola primary system contact shall contact the Loyola ITS Helpdesk to have access enabled.
The Loyola primary system contact must provide the following information to the Helpdesk when requesting access:
- Vendor Organization
- VPN account name & associated email address
- Name and contact (phone/email) for staff performing maintenance
- System(s) to be accessed
- Anticipated time window of access required
The ITS Helpdesk will assign the ticket to the UISO department with the above information for the account to be enabled. Once the account is enabled, the vendor staff member named in the request will be notified of the activation.
The ITS Helpdesk maintains a list of emergency contacts that can be contacted in case of an emergency situation requiring vendor VPN access.
When the vendor has completed their maintenance of the necessary systems, they should notify Loyola that access is no longer required and can be disabled.
The vendor should do this by replying to the email that notified them of the account activation. The UISO department will disable the account until further use is requested.
In the event that the vendor does not provide notification that all necessary work is completed and access is no longer required, the Loyola vendor VPN account will be automatically disabled after 24 hours.
Questions about this procedure:
If you have questions about this procedure, please contact the University Information Security Office at email@example.com.
- November 7, 2012: Initial Procedure Created
- July 7, 2013: Annual Review for PCI Compliance
- April 20, 2016: Annual Review for PCI Compliance
- May 17, 2017: Annual Review for PCI Compliance
- June 20, 2018: Annual Review for PCI Compliance
- Aug 2, 2019: Annual Review for PCI Compliance
- Author: University Information Security Office (UISO)
- Version: 1.1
Title II of the Digital Millennium Copyright Act ("DMCA") of 1998 limits the liability of online service providers, such as Loyola University Chicago, for certain copyright infringement liability if various procedures are followed. This policy is intended to take advantage of the liability protections in the DMCA.
Loyola University Chicago respects the rights of holders of copyrights, their agents and representatives and will implement appropriate policies and procedures to support these rights without infringing on the legal use, by individuals, of those materials. Legal use can include, but is not limited to, ownership, license or permission, and fair use under the US Copyright Act. Employees and students need to be aware of the rights of copyright owners. Information on copyright law and these rights can be found in a number of places; general information in particular can be found at the following sites:
- Copyright at Loyola University Chicago, Loyola University Chicago, August, 1999
- United States Copyright Office: http://www.lcweb.loc.gov/copyright
- What you need to know about DMCA on University Campuses: Educause DMCA FAQ
Persons who are found to intentionally or repeatedly violate the copyright rights of others may be denied access to all University computing and networking facilities and resources. All instances of reported copyright violations will be reported to the appropriate University authority in accordance with the following policies for possible additional disciplinary actions.
The Designated Agent for complaints under the DMCA is:
Information Security Officer
Information Technology Services
Loyola University Chicago
6439 North Sheridan Road
Chicago, IL 60626
The listing of the Designated Agent is posted on the United States Copyright Office web site in the Directory of Agents. Notices sent to an email address other than that of the Designated Agent will be considered invalid.
Complaint Notice Procedures for Copyright Owners
A notice of alleged copyright infringement to the Designated Agent concerning information residing on the University's systems or networks at the direction of the user must have the following:
- A description of the works claimed to be infringed.
- A description of the allegedly infringing works or location site sufficient to enable the Designated Agent to find them.
- Sufficient information to enable the Designated Agent to contact the complaining party.
- A statement that the complaining party believes in good faith that the use of the material is not authorized by the copyright owner, the owner's agent, or the Copyright Act.
- A signed statement that the information provided by the complaining party in the notice is accurate and, under penalty of perjury, that the complaining party is authorized to act on behalf of the copyright owner of one or more of the exclusive copyright rights.
- A physical or digital signature of the owner of an exclusive copyright right or the owner's authorized agent, which accompanies the statement.
Alleged Infringing Site Take Down Procedures
When properly notified of the potential copyright infringement, the Designated Agent will make a reasonable effort to contact the site or page owner of the materials in question. There will be an attempt to secure the voluntary take down of the work, but, if not, then the University will immediately disable access to the work unless it is immediately determined that the work is lawful under the copyright law. The owner of the site or page of the alleged infringing material may exercise their counter notice procedure rights set forth below.
The Designated Agent may, but need not, undertake to determine if the work complies with copyright law.
Counter Notice Procedures
After voluntary take down or if the site is involuntarily disabled, the University may, but need not, proceed to counter notification on its behalf or on behalf of its employees and students. The owner of the site may provide counter notification to the Designated Agent. Counter notices can claim only that either the copyright owner is mistaken and that the work is lawfully posted or that the work has been misidentified. A site owner may assert that use of another's work is fair use, which falls under the provision that the copyright owner is mistaken in characterizing the work as infringing. Various University officials may be consulted in arriving at a fair use determination.
Counter notices to the Designated Agent must contain the following:
- A physical or digital signature of the site or page owner.
- A description of the materials removed and their location before they were removed.
- A statement that the owner believes in good faith that the material was removed by mistake because the work is not infringing or that it was misidentified.
- Sufficient information to enable the Designated Agent to contact the owner who is filing the counter-notice, e.g., name, address, phone number, e-mail address, and his or her consent to jurisdiction of the federal district court with proper jurisdiction for any court actions arising from the infringement.
- A statement that the owner will accept service of process from the complaining party.
Access to the materials in question will be restored within 10 to 14 business days after the date the Designated Agent receives the counter notice unless the Designated Agent first receives a notice from the complaining party that he or she has filed an action seeking a court order to restrain the page owner. The Designated Agent will promptly send a copy of any substantially conforming counter notice to the complaining party indicating that the site will be restored within 10 to 14 business days unless the Designated Agent receives a notice of court action.
History and Updates
- September 12, 2011: Initial Policy
- October 22, 2012: Corrected Contact Information
- June 22, 2015: Annual Review for PCI Compliance
- April 26, 2016: Annual Review for PCI Compliance
- July 6, 2016: Added verbiage designating correct email for complaints
- April 19, 2017: Annual Review for PCI Compliance
- Sep 6, 2018: Annual Review for PCI Compliance
- Sep 24, 2019: Annual Review for PCI Compliance
- Author: UISO
- Version: 1.2