Sensitive Data Accessibility Financial Management College of Education Michigan State University.

Presentation transcript:


Sensitive data
- Back in 2005, the University started a campaign to make staff more aware of sensitive data concerns.
- PCI DSS (Payment Card Industry Data Security Standard): if credit card numbers are stolen from our servers and we are found to be in breach of the PCI DSS standard at the time of the breach, Visa and MasterCard may EACH fine the University up to $500,000 and then revoke our ability to use their credit cards.
- More information: MSU's Managing Sensitive Data site at is worth a thorough read.

Levels of sensitivity for data
- Confidential
- Sensitive
- Public

Public data
Not protected and generally made publicly available:
- Directories
- Library card catalogs
- Course catalogs
- Institutional policies

Sensitive data
Protected by institutional policy, guidelines, or procedures; may be public/FOI-able (freedom of information):
- Salary data
- Detailed institutional accounting and budget data
- Personally restricted directory data
- Certain personal employee attributes

Confidential data
Protected by law, contract, or University policy:
- SSN
- Payment/credit card
- Health records
- Student records

Where to look for sensitive data
Digital:
- Laptop computers, desktop computers
- PDAs, thumb drives
- Network drives, web and file servers
- Attachments, social networking sites
Paper:
- Sticky notes, notepads, paper files
- Receipts
- PAN forms and other official documents
- Travel documentation

Ask, "Do I absolutely need this data?"
- If not, get rid of it. If you do need it, minimize its exposure.
- As soon as you no longer need the data, delete it.
- Don't leave sensitive data on computers or PDAs that are easily stolen.
- Make sure the computer the data is stored on is protected against viruses, worms, etc.
- Be careful distributing the data via or paper forms.

Identifying and reporting an incident
For help determining if an exposure or intrusion occurred, contact the College Computer Support.

What happens if an incident occurs?
- College CSG checks the computer to determine if there is sensitive data involved.
- Computer remains powered on but disconnected from the network.
- If there is sensitive data involved, College notifies DPPS at
- DPPS, the unit, and LCT will assess the incident.
- Systems involved may be taken for investigation.
- If necessary, MSU will disclose an exposure to those who might be affected.

Incidents at MSU
Despite best efforts, exposures have happened at MSU:
- Student PIN #s exposed during data transfers between business units
- SSNs may have been exposed on a server at a business unit
- Student SSNs, names, addresses may have been exposed on a server at an academic unit
- Years of credit card transactions may have been exposed on a server at a business unit
- Confidential employee information may have been exposed on servers at a business unit

College Policy
- The college has been working on sensitive data management and security awareness has increased.
- Our data is more secure now that we have followed the policy for a few years.
- All college staff are required to attend a sensitive data awareness seminar every three years.

And in practical terms, that means?
- No confidential data on college servers or computers.
- There is no reason to store SSNs on a computer, so don't. If you need to use SSNs at all (and we know there are reasons), work with us to make sure they are handled with a minimum of risk.
- For credit card/payment information, use the web credit service at
- If you absolutely must have SSNs, credit card numbers, or any other sensitive data on paper, destroy those papers as soon as you don't need the data anymore. If you need to keep the data, lock the papers up, then destroy them as soon as you can.
- Most importantly: be aware of how you can minimize exposure.

Financial Management Oversight
- Segregation of duties: more than one person is needed to complete a record transaction. Implement mitigating controls if staffing resources do not permit the desired segregation of duties.
- Adequate oversight: at least take samples.
- Pay attention to high risk areas: cash and inventories. Take periodic inventory.
- Monthly reconciliation of P-card statement is required.
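The oversight slide names three controls that are easy to check mechanically once transactions are recorded with who initiated and who approved them: segregation of duties (two different people per transaction), sampling for review, and extra attention to the high-risk categories. The following is an added example, not part of the presentation, that runs those checks over a constructed set of transaction records; the `Transaction` fields, the category names and the 10% sampling rate are assumptions made for the example, not MSU's actual record format or review rate.

```python
"""Segregation-of-duties and review-sampling checks (added example).

Record layout and category names are constructed for illustration.
"""
import random
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    amount: float
    initiated_by: str
    approved_by: Optional[str]   # None means nobody has approved it yet
    category: str                # e.g. "cash", "inventory", "pcard", "other"


# The slide singles out cash and inventories as high-risk areas.
HIGH_RISK = {"cash", "inventory"}


def sod_violations(txns: list[Transaction]) -> list[Transaction]:
    """Transactions completed by a single person, or by nobody but the initiator.

    Segregation of duties requires a second person; an unapproved record
    is reported too, since it has not yet had a second pair of eyes.
    """
    return [t for t in txns
            if t.approved_by is None or t.approved_by == t.initiated_by]


def review_sample(txns: list[Transaction], rate: float = 0.10,
                  seed: int = 0) -> list[Transaction]:
    """Pick what a supervisor should look at this month.

    Every high-risk transaction is included; the rest get a seeded random
    sample at `rate` (at least one record) so the selection is reproducible
    for the audit trail.
    """
    rng = random.Random(seed)
    high = [t for t in txns if t.category in HIGH_RISK]
    rest = [t for t in txns if t.category not in HIGH_RISK]
    k = max(1, round(len(rest) * rate)) if rest else 0
    return high + rng.sample(rest, k)


# Constructed sample ledger for one month.
LEDGER = [
    Transaction("T1", 120.00, "alice", "bob", "pcard"),
    Transaction("T2", 950.00, "alice", "alice", "cash"),       # same person both roles
    Transaction("T3", 40.00, "carol", None, "other"),          # never approved
    Transaction("T4", 300.00, "bob", "carol", "inventory"),
    Transaction("T5", 15.50, "dave", "alice", "other"),
    Transaction("T6", 2200.00, "carol", "bob", "cash"),
    Transaction("T7", 75.00, "bob", "alice", "pcard"),
]

if __name__ == "__main__":
    for t in sod_violations(LEDGER):
        print(f"SoD violation: {t.txn_id} initiated={t.initiated_by} "
              f"approved={t.approved_by}")
    print("review:", [t.txn_id for t in review_sample(LEDGER)])
```

The "mitigating control" the slide mentions for small units maps onto `review_sample`: where the same person must both enter and approve, the compensating step is that someone else reviews the sample afterwards.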

Accessibility
- Web accessibility means that people with disabilities can read, navigate, and contribute on the Web through the use of assistive technology like screen readers.
- The web accessibility initiative facilitates MSU interacting with the broadest possible audience.
- The web accessibility policy will start being enforced May 15, 2009.

What needs to be accessible?
Any content that is considered "core business" by the university must be accessible.

What is "core business"?
- Core business is defined very broadly. It is "activities that students, employees, or visitors must access in order to effectively participate in a program, service, or activity offered by the University."
- In practical terms, this means EVERYTHING (web pages, PDF documents, Word documents, etc.) except personal web sites or documents.
- In theory, it also includes internal documents that students never see.

The University will help.
LCTTP has free classes on how to make Word documents and PDFs accessible. In fact, one is offered on April 3. Details here:

If you do create a web site or edit pages
You need to follow the University's guidelines, which can be found here: http://webaccess.msu.edu/policies-and-guidelines/interim-technical-guidelines.html

What about my faculty members?
- The policy dictates that faculty are responsible for making their own course content accessible.
- This includes course information on Angel or any other web-based teaching methods.
- Faculty are aware of this and have resources to consult in approaching this task.