
Information Security & Compliance Financial Services Workshop February 10, 2010.


1 Information Security & Compliance Financial Services Workshop February 10, 2010

2 What is Information Security?
- “Information Security” ensures the Confidentiality, Integrity, and Availability of information through safeguards.
- “Confidentiality”: information will not be disclosed to unauthorized individuals or processes.
- “Integrity”: data from one system is consistently and accurately transferred to other systems.
- “Availability”: the data or information is accessible and usable upon demand by an authorized person.

3 Good Security Begins With You!
- Human error is the single largest cause of security incidents.
- You are the first line of defense in Information Security.
- Incorporate good security practices into your everyday routine.

4 What is Compliance?
- Compliance is a state in which an organization is in accordance with established guidelines, specifications, or legislation.
- Federal, state and regulatory compliance laws and requirements require financial institutions to employ levels of security that protect sensitive information from compromise, unauthorized access, interception or corruption.
- The challenge is maintaining acceptable data security while meeting the business needs of the organization.

5 Data Breaches
- From 2005 through 2007, there were 277 publicly reported breaches at colleges and universities in the United States.
- Of the 263 reported privacy data breaches in the United States in 2008, about one-third (76) occurred at colleges and universities.
- More electronic records were breached in 2008 than in the previous four years combined, fueled by a targeting of the financial services industry and a strong involvement of organized crime.

6 Data Breaches (cont'd)
- A Rockland Community College student worker has been accused of stealing credit card numbers of former students to purchase high-end clothing costing over $2,200.
- The student worker is believed to have gained access to the credit card information of 12 former students' transcript applications.

7 Data Breaches (cont'd)
- Students at Binghamton University in New York are circulating a petition to remove the university's chief information security officer following the discovery of boxes full of documents listing personal information of students and parents in an unlocked storage room.

8 Compliance and Security
- In order to meet the compliance requirements, organizations must approach data security from a holistic perspective.
- Consider what controls are needed to protect your most sensitive data, then implement those controls.
- A review of most compliance laws will reveal that the same set of data security controls is required.

9 Compliance Examples
- UNC FIT
- NC Identity Theft Protection Act
- FERPA
- GLBA
- HIPAA
- HITECH Act
- PCI
- Red Flag Rules
- SOX

10 How Do We Become & Remain Compliant?
- Develop a joint effort between ITCS and departments
- Integrate security and compliance into everyday processes
- Understand that compliance is an ongoing process
- Develop and implement a set of standards that will satisfy most compliance requirements
- Maintain accountability

11 ITCS
- Identify information, assets and the appropriate level of protection
- Conduct an assessment of risks and analyze them against the probability of occurrence
- Implement reasonable and appropriate safeguards

12 ITCS (cont'd)
- Train students, faculty, staff, and third parties
- Require third parties to implement reasonable and appropriate safeguards
- Regularly monitor and test the effectiveness of implemented safeguards
- Review and revise the information security program

13 Department
- Identify and classify your data; determine data ownership and data type (public, sensitive, etc.)
- Ensure systems used in performing financial transactions are protected by strict technical controls
- Ensure online banking transaction computers are used SOLELY for such transactions (no e-mail, no web browsing, no general-purpose business use)

14 Department (cont'd)
- Require that all other computers that access sensitive data employ the locked-down workstation configuration
- Make certain that personnel have the necessary security awareness and training
- Appoint a resource from your department to receive in-depth security training
- Have written policies defining the controlled environment in which financial transactions can be conducted

15 What is PCI Compliance?
- Protection of customer payment card data as it is collected, transmitted, processed and stored
- PCIDSS: Payment Card Industry Data Security Standards
- PCISSC: Payment Card Industry Security Standards Council (all major payment card companies are represented in the PCISSC)

16 Why Comply?
- PCI compliance is NOT a Financial Services or ITCS initiative
- PCIDSS was created and mandated by the payment card companies
- PCIDSS has been adopted by the Office of the State Controller (OSC)
- ECU merchants must comply in order to operate under the Master Service Agreement administered by OSC

17 PCI Compliance Requirements for ECU Campus Merchants
- New merchants must request and receive approval to accept payment cards from the University Cash Manager prior to accepting any payment cards
- All merchants are required to achieve and maintain 100% compliance with the PCIDSS
- No gray areas: either you are 100% compliant or you’re not compliant

18 Are We PCI Compliant?
- SAQ: Self Assessment Questionnaires administered annually by Financial Services help determine compliance
- ITCS: reviews systems involving computers or the campus network (e.g. workstations, software, servers, websites); any computing system or IT device used to access, process, transmit, or store payment card data must be installed and verified by ITCS after approval by ECU Financial Services

19 How Do We Maintain Compliance?
- SAQ: Annual Assessment. All merchant departments must perform and pass an annual PCI compliance audit (administered by Financial Services)
- Security awareness for staff members (annual certification)
- Additions or changes to your system must receive approval from Financial Services and/or ITCS prior to purchase or implementation

20 How Do We Maintain Compliance? (cont'd)
- All workstations and servers that are part of a payment card system must have appropriate protection against malware and unauthorized access
- DO NOT store payment card data electronically! (workstations, servers, laptops, backup devices, etc.)

21 PCI Compliance – Things To Do
- Secure payment card data at ALL TIMES! Treat it like cash ($$$)
- Destroy payment card data with a cross-cut shredder or secure shredding service after the business need is met
- If you must retain payment card data, store it in a locked file cabinet and limit access to authorized staff members only

22 PCI Compliance – Things To Do (cont'd)
- Document payment card procedures in writing (Business Manual)
- Train staff on PCI standards
- Contact the PCI compliance resource with questions

23 PCI Compliance – What Not To Do
- DO NOT store payment card data electronically! (workstations, servers, laptops, backup devices, etc.)
- DO NOT store the full contents of any track of the magnetic stripe
- DO NOT store the card validation code (aka CVV)

24 PCI Compliance – What Not To Do (cont'd)
- DO NOT transmit payment card data via e-mail, and discourage others from sending it to you via e-mail
- DO NOT leave payment card data unattended (desk inbox, fax machine, “to be filed” stack)
- DO NOT verbally repeat payment card account data for others to hear

25 PCI Compliance – What Not To Do (cont'd)
- DO NOT throw it in the trash!
- DO NOT use campus mail to transport payment card data
- DO NOT retain the full payment card account number (truncate all but the last four digits)
- DO NOT worry! We will help you achieve and maintain compliance! BUT you have to contact us.
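Slides 23 and 25 forbid keeping magnetic-stripe track data or a full account number and require truncating to the last four digits. The following Python is an added example, not part of the presentation or any ECU tool: a small scanner a department could run over a mailbox export or shared-drive text to find card data that should not be there, reporting every hit already masked, plus a redact() helper that truncates PANs in place. The sample text, the regular expressions and the function names are all constructed here; the Luhn check and the track-1/track-2 layouts are the standard ones.

```python
import re

# Constructed sample (not from the presentation): the kind of e-mail body a merchant
# department might receive, mixing a spaced PAN, a Luhn-invalid order id and track-2 data.
SAMPLE_TEXT = """Hi, please charge 4111 1111 1111 1111, exp 12/25, CVV 123.
Ref 4111-1111-1111-1112 is just an order id, not a card.
Swipe dump: ;4111111111111111=2512101?"""

# 13-19 digits, optionally separated by single spaces or dashes, not inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Magnetic-stripe layouts: track 1 starts "%B<PAN>^NAME^YYMM", track 2 ";<PAN>=YYMM".
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]*\^\d{4}")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}")

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; weeds out most numbers that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep only the last four digits, as slide 25 requires."""
    return "*" * (len(digits) - 4) + digits[-4:]

def find_card_data(text: str) -> dict:
    """Report masked PANs and any track data found in text; never returns a full PAN."""
    findings = {"pans": [], "track_data": []}
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings["pans"].append(mask_pan(digits))
    for rx in (TRACK1_RE, TRACK2_RE):
        for m in rx.finditer(text):
            findings["track_data"].append(mask_pan(m.group(1)))
    return findings

def redact(text: str) -> str:
    """Return text with every Luhn-valid PAN truncated to its last four digits."""
    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return PAN_RE.sub(_mask, text)
```

A hit in track_data means full stripe contents were stored somewhere, which is never permitted regardless of how the PAN itself is masked.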

26 PCI Compliance Contact
- Questions concerning payment card systems should be directed to: Brian Heath, University PCI resource, heathb@ecu.edu
- PCI Website: www.ecu.edu/pci

27 For Additional Information
- ECU IT Security: www.ecu.edu/itsecurity
- IT Helpdesk: 328-9866 / http://help.ecu.edu
- PCI Information: 737-1521

28 Presenters
- Margaret Streeter Umphrey, Information Security Officer, 328-9187
- Clay Hallock, IT Security Analyst, 328-9185
- Brian Heath, PCI Compliance Resource, 737-1521

