Loyola University Chicago

Wireless Access Points Policy

Scope:

This policy covers all devices that provide wireless access to the Loyola network.

Purpose:

Devices that provide wireless access to a network are commonly referred to as wireless access points or wireless routers. These devices may create a security risk by providing unauthorized access to Loyola resources, including the disclosure of Loyola protected data.

Policy:

Faculty, Staff, Students, and Guests are prohibited from attaching any device operating as a wireless access point or router in any University building.

Any wireless connectivity into the PCI-DSS environment is strictly prohibited. Wireless networks are not allowed to connect to the credit card processing (High Security Network) environment under any circumstances.

PCI-DSS Rogue Access Point Detection

Each quarter a helpdesk ticket will be created and assigned to ITS Network Services to request a rogue wireless scan at all sites where credit cards are processed. The scan will be performed using a wireless scanner. Scan information will be reviewed and compared to a list of known Loyola access points as well as known nearby Non-Loyola access points (e.g. Starbucks). All non-Loyola access points will be checked against the Loyola network MAC address table to verify that the MAC address is not present on Loyola networks. The outside access point will be added to the Loyola wireless management system (NCS) and is marked as ‘malicious’. NCS will alert Network Services should it appear on the Loyola network.  Results are to be saved to a spreadsheet and the ticket closed.

When Information Technology Services (ITS) becomes aware of any problem that involves a device operating as a wireless access point that is attached to the campus network in violation of this policy, the network connection to the device will be severed. If additional attempts to reconnect a prohibited device to the campus network are made, the matter will referred to the appropriate University disciplinary staff.

Questions about this policy:

If wireless access is inadequate in your area, contact the ITS Helpdesk (773) 508-4487 for assistance or if you have questions about this policy, please contact the University Information Security Office at DataSecurity@luc.edu.

Exceptions:

Exceptions to this policy will be handled in accordance with the ITS Security Policy.

Review:

This policy will be maintained in accordance with the ITS Security Policy.

Emergencies:

In emergency cases, actions may be taken by the Incident Response Team in accordance with the procedures in the ITS Incident Response Plan.  These actions may include rendering systems inaccessible.

History:

  • July 13, 2005: Initial Policy
  • August 5, 2008: Revised
  • November 1, 2012: Annual review for PCI Compliance
  • February 14, 2013: Revised
  • August 6, 2013: Revised
  • June 17, 2014: Annual review for PCI Compliance
  • April 20, 2015: Annual review for PCI Compliance
  • May 17, 2016: Annual review for PCI Compliance
  • June 5, 2017: Annual review for PCI Compliance
  • June 12, 2018: Added Exception, Review and Emergencies, Annual Review for PCI Compliance
  • July 15, 2019: Corrected language that refers to the rogue wireless scan, Annual Review for PCI Compliance
  • July 14, 2020: Annual review for PCI Compliance

Because of the apparent anonymity provided by the Internet, people often behave in inappropriate ways. If you are being harassed online, the first thing to do is to tell the harasser to stop. If possible, save a copy of the harassing material, and your request that they stop. Do not communicate further with the person. If they do not stop, contact the Department of Campus Safety. Loyola is committed to maintaining an environment which respects the dignity of all individuals.

Illinois has laws covering cyberstalking and harassment through electronic communications.

Illinois cyberstalking law:
720 ICLS 5/12-7.5/Criminal Code of 1961 (Search for "Cyberstalking")
Sec. 12.7.5. Cyberstalking.
(a) A person commits cyberstalking when he or she, knowingly and without lawful justification, on at least 2 separate occasions, harasses another person through the use of electronic communication and:
(1) at any time transmits a threat of immediate or future bodily harm, sexual assault, confinement, or restraint and the threat is directed towards that person or a family member of that person, or
(2) places that person or a family member of that person in reasonable apprehension of immediate or future bodily harm, sexual assault, confinement, or restraint.
(b) As used in this Section:
"Harass" means to engage in a knowing and willful course of conduct directed at a specific person that alarms, torments, or terrorizes that person.
"Electronic communication" means any transfer of signs, signals, writings, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electron-magnetic, photoelectric, or photo-optical system. "Electronic communication" includes transmissions by a computer through the Internet to another computer.

Illinois electronic harassment law:
720 ILCS 135/ Harassing and Obscene Communications Act
(720 ILCS 135/1.2)
Sec. 1.2. Harassment through electronic communications.
(a) Harassment through electronic communications is the use of electronic communication for any of the following purposes:
(1) Making any comment, request, suggestion or proposal which is obscene with an intent to offend;
(2) Interrupting, with the intent to harass, the telephone service or the electronic communication service of any person;
(3) Transmitting to any person, with the intent to harass and regardless of whether the communication is read in its entirety or at all, any file, document, or other communication which prevents that person from using his or her telephone service or electronic communications device;

Transmitting an electronic communication or knowingly inducing a person to transmit an electronic communication for the purpose of harassing another person who is under 13 years of age, regardless of whether the person under 13 years of age consents to the harassment, if the defendant is at least 16 years of age at the time of the commission of the offense;

(4) Threatening injury to the person or to the property of the person to whom an electronic communication is directed or to any of his or her family or household members; or
(5) Knowingly permitting any electronic communications device to be used for any of the purposes mentioned in this subsection (a).


(b) As used in this Act:
(1) "Electronic communication" means any transfer of signs, signals, writings, images, sounds, data or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectric or photo-optical system.
(2) "Family or household member" includes spouses, former spouses, parents, children, stepchildren and other persons related by blood or by present or prior marriage, persons who share or formerly shared a common dwelling, persons who have or allegedly share a blood relationship through a child, persons who have or have had a dating or engagement relationship, and persons with disabilities and their personal assistants. For purposes of this Act, neither a casual acquaintanceship nor ordinary fraternization between 2 individuals in business or social contexts shall be deemed to constitute a dating relationship.

(720 ILCS 135/1.3)
Sec. 1.3. Evidence inference. Evidence that a defendant made additional telephone calls or engaged in additional electronic communications after having been requested by a named complainant or by a family or household member of the complainant to stop may be considered as evidence of an intent to harass unless disproved by evidence to the contrary.

History and Updates:

  • April 12, 2006: Initial Policy
  • June 23, 2015: Annual Review for PCI Compliance
  • April 26, 2016: Annual Review for PCI Compliance
  • April 19, 2017: Annual Review for PCI Compliance
  • Sep 6, 2018: Annual Review for PCI Compliance
  • Author: UISO
  • Version: 1.1