Electronic Security & Sensitive Data
Scope
This policy covers any data that has been classified as either Loyola Protected data or as Loyola Sensitive data and is stored electronically (covered electronic documents).
Purpose
The purpose of this policy is to provide security practices for employees, student workers, consultants or agents of Loyola University Chicago and any parties who are contractually bound to handle data produced by Loyola, who produce or have access to covered electronic documents.
Policy
Additional precautions shall be used by any departments or individuals who have access to covered electronic documents. These additional precautions include:
Encryption
ITS provides and requires full disk encryption technology to protect all University managed computers identified during the compliance review as containing covered electronic documents.
Users who know that their computer will store covered electronic documents should, in accordance with Loyola’s Encryption Policy, contact the ITS Service Desk at ITSServiceDesk@luc.edu to request an installation of the full disk encryption software. ITS will provide training in using encryption software to the users of these systems.
Storage of Covered Electronic Documents
Users shall store covered electronic documents on approved network storage instead of local hard drives or any form of removable media. In cases of a granted exception, the computer must run a full disk encryption product provided by ITS.
Loyola Protected data must never be stored on unapproved media. Loyola Sensitive data can be stored for remote access upon permission of the department owning the data. The acceptable storage options for Loyola Sensitive data are listed below in order of preference:
- Networked storage
- University owned laptop running approved encryption software
- Portable drive using approved encryption software
- CD/DVD/Disk saved as an encrypted file using approved encryption software
Passwords
The user shall protect any resources that house covered electronic data with a password. This password must meet or exceed the current ITS password standards described in the Password Standards.
Limited access– At Loyola
All areas that contain computers storing covered electronic documents should only be accessible to employees, student workers, consultants, or agents of Loyola University Chicago that have a business need for access. Individuals not affiliated with Loyola University Chicago must not have unsupervised access. Department heads or their designee will work with Campus Safety to control access through either a physical key or via a badge reader. Areas that cannot be locked cannot be used to house computers that store covered documents. Department heads or their designee will identify individuals who have a need to access these areas to perform their job function, and will communicate the names of these individuals and their required access to Campus Safety. When leaving their desk in an area containing computers with access to covered documents, individuals shall either lock their computer or log off. Off campus access requires the use of the University’s Virtual Private Network branded as LSA.
Limited access – Outside of Loyola
Non-Loyola spaces used by contracted 3rd parties should only be accessible by individuals the contractor has approved to access covered electronic documents. All areas that contain computers storing covered documents must not provide unsupervised access to the public. Areas that cannot be locked cannot be used to house computers that store covered documents. When leaving their desk in an area containing computers with access to covered documents, individuals shall either lock their computer or log off.
Data Loss Prevention
The University has employed technologies designed to protect against the intentional or inadvertent transmission or sharing of covered electronic documents. These technologies protect the following services:
- OneDrive
- SharePoint
- Others may be added at time of deployment
If an individual attempts to send or share any covered electronic documents using these services, the action will be logged and they will receive a notification stating why the content may violate University policy.
Any of the following actions may follow:
- Action has been prevented
- Content will be blocked
- User will be provided an opportunity to justify the action
- Content will be encrypted
Training
ITS and HR will make training materials available to all staff with access to covered electronic documents which will cover all issues raised in this policy in greater detail.
Questions about this Policy
If you have questions about this policy, please contact the Information Security team at DataSecurity@luc.edu.
Policy adherence
Failure to follow this policy can result in disciplinary action as provided in the Staff Handbook, Student Worker Employment Guide, and Faculty Handbook. Disciplinary action for not following this policy may include termination, as provided in the applicable handbook or employment guide.
Exceptions
Exceptions to this policy will be handled in accordance with the ITS Security Policy.
Review
This policy will be maintained in accordance with the ITS Security Policy.
Emergencies
In emergency cases, actions may be taken by the Incident Response Team in accordance with the procedures in the ITS Incident Response Plan. These actions may include rendering systems inaccessible.
Appendix
Definitions
Covered electronic documents – Any data that has been classified as either Loyola Protected data or as Loyola Sensitive data and is stored electronically.
LSA – Loyola Secure Access, the Loyola branded version of virtual private network.
History
- March 4, 2008: Initial Policy
- July 15, 2013: Annual Review for PCI Compliance June 4, 2014: Annual Review for PCI Compliance
- May 11, 2015: Annual Review for PCI Compliance, minor edits to remove vague references to local storage.
- May 16, 2016: Annual Review for PCI Compliance
- June 21, 2017: Annual Review for PCI Compliance
- Sep 7, 2018: Added Exceptions, Review and Emergencies sections. Annual Review for PCI Compliance
- Sep 24, 2019: Annual Review for PCI Compliance
Scope
This policy covers any data that has been classified as either Loyola Protected data or as Loyola Sensitive data and is stored electronically (covered electronic documents).
Purpose
The purpose of this policy is to provide security practices for employees, student workers, consultants or agents of Loyola University Chicago and any parties who are contractually bound to handle data produced by Loyola, who produce or have access to covered electronic documents.
Policy
Additional precautions shall be used by any departments or individuals who have access to covered electronic documents. These additional precautions include:
Encryption
ITS provides and requires full disk encryption technology to protect all University managed computers identified during the compliance review as containing covered electronic documents.
Users who know that their computer will store covered electronic documents should, in accordance with Loyola’s Encryption Policy, contact the ITS Service Desk at ITSServiceDesk@luc.edu to request an installation of the full disk encryption software. ITS will provide training in using encryption software to the users of these systems.
Storage of Covered Electronic Documents
Users shall store covered electronic documents on approved network storage instead of local hard drives or any form of removable media. In cases of a granted exception, the computer must run a full disk encryption product provided by ITS.
Loyola Protected data must never be stored on unapproved media. Loyola Sensitive data can be stored for remote access upon permission of the department owning the data. The acceptable storage options for Loyola Sensitive data are listed below in order of preference:
- Networked storage
- University owned laptop running approved encryption software
- Portable drive using approved encryption software
- CD/DVD/Disk saved as an encrypted file using approved encryption software
Passwords
The user shall protect any resources that house covered electronic data with a password. This password must meet or exceed the current ITS password standards described in the Password Standards.
Limited access– At Loyola
All areas that contain computers storing covered electronic documents should only be accessible to employees, student workers, consultants, or agents of Loyola University Chicago that have a business need for access. Individuals not affiliated with Loyola University Chicago must not have unsupervised access. Department heads or their designee will work with Campus Safety to control access through either a physical key or via a badge reader. Areas that cannot be locked cannot be used to house computers that store covered documents. Department heads or their designee will identify individuals who have a need to access these areas to perform their job function, and will communicate the names of these individuals and their required access to Campus Safety. When leaving their desk in an area containing computers with access to covered documents, individuals shall either lock their computer or log off. Off campus access requires the use of the University’s Virtual Private Network branded as LSA.
Limited access – Outside of Loyola
Non-Loyola spaces used by contracted 3rd parties should only be accessible by individuals the contractor has approved to access covered electronic documents. All areas that contain computers storing covered documents must not provide unsupervised access to the public. Areas that cannot be locked cannot be used to house computers that store covered documents. When leaving their desk in an area containing computers with access to covered documents, individuals shall either lock their computer or log off.
Data Loss Prevention
The University has employed technologies designed to protect against the intentional or inadvertent transmission or sharing of covered electronic documents. These technologies protect the following services:
- OneDrive
- SharePoint
- Others may be added at time of deployment
If an individual attempts to send or share any covered electronic documents using these services, the action will be logged and they will receive a notification stating why the content may violate University policy.
Any of the following actions may follow:
- Action has been prevented
- Content will be blocked
- User will be provided an opportunity to justify the action
- Content will be encrypted
Training
ITS and HR will make training materials available to all staff with access to covered electronic documents which will cover all issues raised in this policy in greater detail.
Questions about this Policy
If you have questions about this policy, please contact the Information Security team at DataSecurity@luc.edu.
Policy adherence
Failure to follow this policy can result in disciplinary action as provided in the Staff Handbook, Student Worker Employment Guide, and Faculty Handbook. Disciplinary action for not following this policy may include termination, as provided in the applicable handbook or employment guide.
Exceptions
Exceptions to this policy will be handled in accordance with the ITS Security Policy.
Review
This policy will be maintained in accordance with the ITS Security Policy.
Emergencies
In emergency cases, actions may be taken by the Incident Response Team in accordance with the procedures in the ITS Incident Response Plan. These actions may include rendering systems inaccessible.
Appendix
Definitions
Covered electronic documents – Any data that has been classified as either Loyola Protected data or as Loyola Sensitive data and is stored electronically.
LSA – Loyola Secure Access, the Loyola branded version of virtual private network.
History
- March 4, 2008: Initial Policy
- July 15, 2013: Annual Review for PCI Compliance June 4, 2014: Annual Review for PCI Compliance
- May 11, 2015: Annual Review for PCI Compliance, minor edits to remove vague references to local storage.
- May 16, 2016: Annual Review for PCI Compliance
- June 21, 2017: Annual Review for PCI Compliance
- Sep 7, 2018: Added Exceptions, Review and Emergencies sections. Annual Review for PCI Compliance
- Sep 24, 2019: Annual Review for PCI Compliance