Information Security & Compliance Financial Services Workshop February 10, 2010.

What is Information Security?
- "Information Security" ensures the Confidentiality, Integrity, and Availability of information through safeguards.
- "Confidentiality": information will not be disclosed to unauthorized individuals or processes.
- "Integrity": data from one system is consistently and accurately transferred to other systems.
- "Availability": the data or information is accessible and usable upon demand by an authorized person.

Good Security Begins With You!
- Human error is the single largest cause of security incidents.
- You are the first line of defense in Information Security.
- Incorporate good security practices into your everyday routine.

What is Compliance?
Compliance is a state in which an organization is in accordance with established guidelines, specifications, or legislation. Federal, state and regulatory compliance laws and requirements necessitate that financial institutions employ levels of security to protect sensitive information from compromise, unauthorized access, interception or corruption. The challenge is maintaining acceptable data security while meeting the business needs of the organization.

Data Breaches
- From 2005 through 2007, there were 277 publicly reported breaches at colleges and universities in the United States.
- Of the 263 reported privacy data breaches in the United States in 2008, about one-third (76) occurred at colleges and universities.
- More electronic records were breached in 2008 than in the previous four years combined, fueled by a targeting of the financial services industry and a strong involvement of organized crime.

Data Breaches (contd)
A Rockland Community College student worker has been accused of stealing credit card numbers of former students to purchase high-end clothing costing over $2,200. The student worker is believed to have gained access to the credit card information of 12 former students' transcript applications.

Data Breaches (contd)
Students at Binghamton University in New York are circulating a petition to remove the university's chief information security officer following the discovery of boxes full of documents listing personal information of students and parents in an unlocked storage room.

Compliance and Security
In order to meet the compliance requirements, organizations must approach data security from a holistic perspective. Consider what controls are needed to protect your most sensitive data, then implement those controls. A review of most compliance laws will reveal that the same set of data security controls is required by each of them.

Compliance Examples
- UNC FIT
- NC Identity Theft Protection Act
- FERPA
- GLBA
- HIPAA
- HITECH Act
- PCI
- Red Flag Rules
- SOX

How Do We Become & Remain Compliant?
- Develop a joint effort between ITCS and departments
- Integrate security and compliance into everyday processes
- Understand that compliance is an ongoing process
- Develop and implement a set of standards that will satisfy most compliance requirements
- Maintain accountability

ITCS
- Identify information, assets and the appropriate level of protection
- Conduct an assessment of risks and analyze them against the probability of occurrence
- Implement reasonable and appropriate safeguards

ITCS (contd)
- Train students, faculty, staff, and third parties
- Require third parties to implement reasonable and appropriate safeguards
- Regularly monitor and test the effectiveness of implemented safeguards
- Review and revise the information security program

Department
- Identify and classify your data; determine data ownership and data type (public, sensitive, etc.)
- Ensure systems used in performing financial transactions are protected by strict technical controls
- Ensure online banking transaction computers are used SOLELY for such transactions (no e-mail, no web browsing, no general-purpose business use)

Department (contd)
- Require that all other computers that access sensitive data employ the locked-down workstation configuration
- Make certain that personnel have the necessary security awareness and training; appoint a resource from your department to receive in-depth security training
- Have written policies defining the controlled environment in which financial transactions can be conducted

What is PCI Compliance?
- Protection of customer payment card data as it is collected, transmitted, processed and stored
- PCIDSS: Payment Card Industry Data Security Standards
- PCISSC: Payment Card Industry Security Standards Council (all major payment card companies are represented in the PCISSC)

Why Comply?
- PCI compliance is NOT a Financial Services or ITCS initiative
- PCIDSS was created and mandated by the payment card companies
- PCIDSS has been adopted by the Office of the State Controller (OSC)
- ECU merchants must comply in order to operate under the Master Service Agreement administered by OSC

PCI Compliance Requirements for ECU Campus Merchants
- New merchants must request and receive approval to accept payment cards from the University Cash Manager prior to accepting any payment cards
- All merchants are required to achieve and maintain 100% compliance with the PCIDSS
- No gray areas: either you are 100% compliant or you're not compliant

Are We PCI Compliant?
- SAQ: Self Assessment Questionnaires administered annually by Financial Services help determine compliance
- ITCS: Reviews systems involving computers or the campus network (i.e. workstations, software, servers, websites)
- Any computing system or IT device used to access, process, transmit, or store payment card data must be installed and verified by ITCS after approval by ECU Financial Services

How Do We Maintain Compliance?
- SAQ: Annual Assessment. All merchant departments must perform and pass an annual PCI compliance audit (administered by Financial Services)
- Security awareness for staff members (annual certification)
- Additions or changes to your system must receive approval from Financial Services and/or ITCS prior to the purchase or implementation

How Do We Maintain Compliance? (contd)
- All workstations and servers that are part of a payment card system must have appropriate protection against malware and unauthorized access
- DO NOT store payment card data electronically! (workstations, servers, laptops, backup devices, etc.)

PCI Compliance – Things To Do
- Secure payment card data at ALL TIMES! Treat it like cash $$$
- Destroy payment card data by cross-cut shredder or secure shredding service after the business need is met
- If you must retain payment card data, store it in a locked file cabinet and limit access to authorized staff members only

PCI Compliance – Things To Do (contd)
- Document payment card procedures in writing (Business Manual)
- Train staff on PCI standards
- Contact the PCI compliance resource with questions

PCI Compliance – What Not To Do
- DO NOT store payment card data electronically! (workstations, servers, laptops, backup devices, etc.)
- DO NOT store the full contents of any track of the magnetic stripe
- DO NOT store the card validation code (aka CVV)

PCI Compliance – What Not To Do (contd)
- DO NOT transmit payment card data via e-mail, and discourage any data you might receive via e-mail
- DO NOT leave payment card data unattended (desk inbox, fax machine, "to be filed" stack)
- DO NOT verbally repeat payment card account data for others to hear

PCI Compliance – What Not To Do (contd)
- DO NOT throw it in the trash!
- DO NOT use campus mail to transport payment card data
- DO NOT retain the full payment card account number (truncate all but the last four digits)
- DO NOT worry! We will help you achieve and maintain compliance! BUT you have to contact us...

PCI Compliance Contact
Questions concerning payment card systems should be directed to:
- Brian Heath, University PCI resource
- PCI Website

Relevant Policies / For Additional Information
- ECU IT Security
- IT Helpdesk / PCI Information

Presenters
- Margaret Streeter Umphrey, Information Security Officer
- Clay Hallock, IT Security Analyst
- Brian Heath, PCI Compliance Resource