Data Privacy IU Financial Transactions Sterling George Director, Financial Systems Administration and Records Management.

Presentation transcript:

Data Privacy IU Financial Transactions Sterling George Director, Financial Systems Administration and Records Management

Presentation Topics
– Principles related to privacy of financial transactions
– Importance of a measured, proactive approach
– Use of Identity Finder and other security measures to safeguard information

Principles for Privacy Protection
– Collect only the information needed to achieve the identified business purposes in support of the university's mission
– Use and keep the individual's information only as long as necessary to fulfill the stated purpose

Attachments and Collection Limitation
Redact sensitive information from Disbursement Voucher attachments sent for imaging:
– Personally identifiable information for prescription or health care reimbursements
– Credit card information for membership reimbursements
– Banking information for copies of cleared checks
How much do we redact? Full credit card number, routing and account numbers, SSNs and individual names (HIPAA)

Limit Your Paper, Limit Your Exposure
Don't retain unnecessary copies of documents within your department:
– Payroll: W-4, WH-4 and direct deposit sign-up information
– IRS Forms: W-8, W-9
– Employment Verification: I-9
– Personal information: copies of driver's licenses, SSN card, passports, credit card numbers for hotel reservations
Process information, not paper

Proper Use of Designated Fields
– Bank account information should not be added to EPIC notes for requisitions, Purchase Orders or Payment Requests, nor should it be added to EPIC Vendor Note records
– Significant time and resources can be expended tracking down and removing personally identifiable information from common-use fields like descriptions, reference fields and notes

Payment Card Industry Data Security Standards
REMEMBER: It is against University Policy VI-110 to store credit card numbers on any computer, server, or database
– Applies to all members, merchants, and service providers that process or transmit cardholder data
– Use central systems or run an approved specialty system in the PCI DSS network
– If you process credit card numbers, please contact IMMEDIATELY for an assessment

PCI DSS Goals and Requirements
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored data (electronic and paper data)
4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security

2009 Breach Statistics
Gathered from the Identity Theft Resource Center (
Educational
– # of Breaches: 78
– # of Records: 803,667
– % of Breaches: 15.7
– % of Records: 0.4%
Totals for All Categories
– # of Breaches: 498
– # of Records: 222,477,043
– % of Breaches: 100.0%
– % of Records: 100.0%

Compliance Pays
– Breaches happen
– You are safer to work at a steady pace, find and fix problems, and remain vigilant
– Exhibiting a pattern of compliance can ease consequences
– Receive Safe Harbor from card associations

Identity Finder
– It can search for, protect, and dispose of personal information stored on your computer, file shares, or external media
– Credit card numbers, bank account numbers, social security numbers, birthdates, passwords, driver's license numbers, addresses, passports, employee identification numbers, maiden names, or other data you determine
– To learn more: Or visit http://iuware.iu.edu and select Security under Software Categories

Scanning and Results
Prior notification:
– have written permission from the individual, or
– have given prior written notification to the individuals that this tool will be used, by whom, for what purpose, and how the resulting information will be used
Send the names of the files found to the owner of the account/system where the files were stored, and direct the owner to review the files and take appropriate action
– Most of the time people had forgotten what was stored on the CPU
– Some applications were storing sensitive data in internet cache and temporary files
– Group Policy to remove internet cache, temporary files and cookies (clear IE cache on close, all else on log out, and force Secure Delete each night)
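The two slides above describe the same data handling from both ends: a scan that finds stored card numbers and SSNs, and a redaction rule (full PAN and SSN never survive in imaged attachments). The following is an added illustration, not Identity Finder and not IU code: a minimal detector that reports only Luhn-valid card numbers and structurally plausible SSNs, with a masking function that keeps the last four digits of a PAN. The sample text it runs on is constructed.

```python
"""Find stored card numbers / SSNs in text and redact them (added example)."""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Candidate SSN: area-group-serial; area 000, 666 and 9xx are never issued,
# group 00 and serial 0000 are invalid, so those are filtered out up front.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Mod-10 (Luhn) check that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list:
    """Return (kind, match) pairs; digit runs that fail Luhn are ignored."""
    hits = []
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits.append(("PAN", m.group()))
    for m in SSN_RE.finditer(text):
        hits.append(("SSN", m.group()))
    return hits


def redact(text: str) -> str:
    """Mask every hit: PAN keeps only its last four digits, SSN is fully masked."""
    def mask_pan(m):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            return m.group()    # not a card number, leave the text untouched
        return "*" * (len(digits) - 4) + digits[-4:]
    text = PAN_RE.sub(mask_pan, text)
    return SSN_RE.sub("***-**-****", text)


if __name__ == "__main__":
    # Constructed sample: a well-known test PAN and a retired example SSN.
    sample = "Card 4111-1111-1111-1111 on file, SSN 078-05-1120, ref 1234567890123456"
    print(find_sensitive(sample))
    print(redact(sample))
```

A real scan of a file share would feed each file's text through `find_sensitive` and report only the file names to the owner, as the slide describes, rather than echoing the matched values.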

Additional Security Measures
Encrypt data transmissions:
– check printing
– retirement contributions
– unemployment/new hire reports
– tax transmissions to 3rd party vendors
Kuali Financial System provides field-level encryption
– Removal of System Admin rights – Principle of Least Privilege
– Installation of only the required software
– Up-to-date virus scans, push our Windows updates/patches, run current software
– Periodic reminders of policies
– Monthly ITSO scans to detect vulnerabilities from outside attacks
– DBAN to securely wipe hard drives – shred hard drives
– Secunia Personal Software Inspector
– Never store critically sensitive data on personal storage devices