×

Physical Security of Loyola Protected and Sensitive Data

Scope

This policy covers any data that has been classified as either Loyola Protected data or as Loyola Sensitive data and is stored on paper (covered paper documents).

Purpose

The purpose of this policy is to provide physical security practices for employees, student workers, consultants or agents of Loyola University Chicago and any parties who are contractually bound to handle data produced by Loyola, who produce or have access to covered paper documents.

Policy

For departments within Loyola, department heads will be responsible for implementing additional precautions to be used by any individuals in their department who have access to covered paper documents.  Contracted 3rd parties will be responsible for implementing additional precautions to be used by their employees.  These additional precautions include:

Limited access – At Loyola

All areas that contain covered paper documents should not be accessible to all employees, student workers, consultants, agents, or visitors of Loyola University Chicago.  All areas that contain covered paper documents must not provide unsupervised access to the public. Department heads or their designee will work with Campus Safety to control access to areas containing covered paper documents via either a physical key or a badge reader. Areas that cannot be locked cannot be used to store covered paper documents. Department heads or their designee will identify individuals who have a need to access these areas to perform their job function, and will communicate the names of these individuals and their required access to Campus Safety. When leaving their desk in an area containing covered paper documents, individuals shall, to the best of their ability, properly put away and secure covered paper documents.

Limited access – Outside of Loyola

Non-Loyola spaces used by contracted 3rd parties should only be accessible by individuals the contractor has approved to access covered paper documents. All areas that contain covered paper documents must not provide unsupervised access to the public.  Areas that cannot be locked cannot be used to store covered paper documents.  When leaving their desk in an area containing covered paper documents, individuals shall, to the best of their ability, properly put away and secure covered paper documents.

Cleaning staff

For departments which contain covered paper documents, the department head or their designee will determine if it is practical to request that the cleaning staff perform their duties during normal business hours, while the area is staffed. If none of the department employees are present, the cleaning staff will not clean that area at that time.  If a department has covered paper documents but receives cleaning services after hours, then employees shall, to the best of their ability, properly put away and secure covered paper documents before ending their work day. Cleaning staff will not have master keys for any areas which they clean during normal business hours.

Printers and Fax Machines

Department heads or their designee will work with ITS and Facilities to ensure that all printers and fax machines that output covered paper documents will be in a limited access area.  In areas where this is not possible, employees, to the best of their ability, will not leave printed or faxed covered paper documents unattended for long periods of time.

Designated shredding containers

For departments that handle covered paper documents, the department head or their designee will work with Purchasing to ensure that the department has access to a secured repository in which they can deposit covered paper documents to be shredded.

Training

ITS and HR will make training materials available to all employees with access to covered paper documents covering all issues raised in this policy in greater detail.

Questions about this policy

If you have questions about this policy, please contact the Information Security team at DataSecurity@luc.edu.

Policy adherence

Failure to follow this policy can result in disciplinary action as provided in the Staff Handbook, Student Worker Employment Guide, and Faculty Handbook. Disciplinary action for not following this policy may include termination, as provided in the applicable handbook or employment guide.

Exceptions

Exceptions to this policy will be handled in accordance with the ITS Security Policy.

Review

This policy will be maintained in accordance with the ITS Security Policy.

Emergencies

In emergency cases, actions may be taken by the Incident Response Team in accordance with the procedures in the ITS Incident Response Plan.  These actions may include rendering systems inaccessible.

Appendix

Policies referenced

Definitions

Covered paper documents – Any data that has been classified as either Loyola Protected data or as Loyola Sensitive data and is stored on paper.

History

  • March 4, 2008: Initial Policy
  • June 19, 2015: Annual review for PCI Compliance
  • June 21, 2016: Annual review for PCI Compliance
  • June 21, 2017: Annual review for PCI Compliance
  • Sep 7, 2018: Annual review for PCI Compliance
  • Sep 26, 2019: Annual review for PCI Compliance

Scope

This policy covers any data that has been classified as either Loyola Protected data or as Loyola Sensitive data and is stored on paper (covered paper documents).

Purpose

The purpose of this policy is to provide physical security practices for employees, student workers, consultants or agents of Loyola University Chicago and any parties who are contractually bound to handle data produced by Loyola, who produce or have access to covered paper documents.

Policy

For departments within Loyola, department heads will be responsible for implementing additional precautions to be used by any individuals in their department who have access to covered paper documents.  Contracted 3rd parties will be responsible for implementing additional precautions to be used by their employees.  These additional precautions include:

Limited access – At Loyola

All areas that contain covered paper documents should not be accessible to all employees, student workers, consultants, agents, or visitors of Loyola University Chicago.  All areas that contain covered paper documents must not provide unsupervised access to the public. Department heads or their designee will work with Campus Safety to control access to areas containing covered paper documents via either a physical key or a badge reader. Areas that cannot be locked cannot be used to store covered paper documents. Department heads or their designee will identify individuals who have a need to access these areas to perform their job function, and will communicate the names of these individuals and their required access to Campus Safety. When leaving their desk in an area containing covered paper documents, individuals shall, to the best of their ability, properly put away and secure covered paper documents.

Limited access – Outside of Loyola

Non-Loyola spaces used by contracted 3rd parties should only be accessible by individuals the contractor has approved to access covered paper documents. All areas that contain covered paper documents must not provide unsupervised access to the public.  Areas that cannot be locked cannot be used to store covered paper documents.  When leaving their desk in an area containing covered paper documents, individuals shall, to the best of their ability, properly put away and secure covered paper documents.

Cleaning staff

For departments which contain covered paper documents, the department head or their designee will determine if it is practical to request that the cleaning staff perform their duties during normal business hours, while the area is staffed. If none of the department employees are present, the cleaning staff will not clean that area at that time.  If a department has covered paper documents but receives cleaning services after hours, then employees shall, to the best of their ability, properly put away and secure covered paper documents before ending their work day. Cleaning staff will not have master keys for any areas which they clean during normal business hours.

Printers and Fax Machines

Department heads or their designee will work with ITS and Facilities to ensure that all printers and fax machines that output covered paper documents will be in a limited access area.  In areas where this is not possible, employees, to the best of their ability, will not leave printed or faxed covered paper documents unattended for long periods of time.

Designated shredding containers

For departments that handle covered paper documents, the department head or their designee will work with Purchasing to ensure that the department has access to a secured repository in which they can deposit covered paper documents to be shredded.

Training

ITS and HR will make training materials available to all employees with access to covered paper documents covering all issues raised in this policy in greater detail.

Questions about this policy

If you have questions about this policy, please contact the Information Security team at DataSecurity@luc.edu.

Policy adherence

Failure to follow this policy can result in disciplinary action as provided in the Staff Handbook, Student Worker Employment Guide, and Faculty Handbook. Disciplinary action for not following this policy may include termination, as provided in the applicable handbook or employment guide.

Exceptions

Exceptions to this policy will be handled in accordance with the ITS Security Policy.

Review

This policy will be maintained in accordance with the ITS Security Policy.

Emergencies

In emergency cases, actions may be taken by the Incident Response Team in accordance with the procedures in the ITS Incident Response Plan.  These actions may include rendering systems inaccessible.

Appendix

Policies referenced

Definitions

Covered paper documents – Any data that has been classified as either Loyola Protected data or as Loyola Sensitive data and is stored on paper.

History

  • March 4, 2008: Initial Policy
  • June 19, 2015: Annual review for PCI Compliance
  • June 21, 2016: Annual review for PCI Compliance
  • June 21, 2017: Annual review for PCI Compliance
  • Sep 7, 2018: Annual review for PCI Compliance
  • Sep 26, 2019: Annual review for PCI Compliance