600.00 Safeguarding Customer Information
Introduction and Purpose
This policy is being introduced as required by the Federal
Trade Commission under the Gramm-Leach Bliley (GLB) Act.
At Montana State University, safeguarding the privacy and
confidentiality of personal information is important. As an institution of
higher education, we collect, retain, and use personal non-public information
about individual students and staff members. We may collect personal
information from such sources as hard copy applications, electronic forms,
background checks, or over the Internet. The objectives of our information
security program are to ensure the security and confidentiality of such personal
information; to protect against any anticipated threats to its security or
integrity; and to guard against unauthorized access to, or use of, that information.
Any sharing of nonpublic personal information about our students or employees must
be done in strict adherence to the Federal Family Educational Rights and Privacy
Act (FERPA) guidelines. The University may exchange such information with
certain nonaffiliated third parties (under limited circumstances) to the extent
permissible under law. Examples may include (but are not limited to) medical
insurance institutions or credit card processing software companies.
We restrict access to student and employee information only
to those employees who have business reasons to know such information, and we
educate our employees and contract service providers about the importance of
confidentiality and privacy.
Policy
In order to provide adequate safeguards over customers'
credit card data and electronic addresses as they are received over the Web, the
university will adhere to the following minimum technical specifications:
- Any server on the University network that makes
non-personal public information available must be certified secure. A copy of
the security certificate must be forwarded to ITC before any such server is
connected to the network.
- Customer information, including credit card data, must
be reasonably secured against disclosure and modification.
- The University must oversee local and contracted service
providers by taking steps to select and retain providers that are proven
capable of maintaining appropriate safeguards for customer information.
- MSU will contractually require service providers to
implement and maintain such safeguards; and
- MSU will periodically evaluate, based on results of
testing and monitoring, any material changes to the service providers'
operations.
Departments may develop Web pages to accept payment by
credit card under the following circumstances:
The department must complete the application for
Authorization to Process Bankcard Transactions to apply to become an
authorized merchant department and return it to the Controller's
Office. (Request MSU startup procedures for processing credit cards from the
Controller's Office). Procedures for timely deposit of credit card transactions
and safe and proper handling of the data must be followed.
ITC will review, at the department's own expense, the
department's hardware and software to ensure that the server is secure and the
program requirements for a secure Internet site have been adhered to. (See
Procedures below). Internal Audit will review the department's internal
procedures to ensure that personal information is handled using reasonable
confidentiality and security practices.
The following safeguards should be in place:
- Personal computers containing confidential information must be secure.
- Adequate internal controls regarding separation of duties must be in place.
- It is the merchant department's responsibility to maintain the customer's
credit card or e-mail information in a confidential manner.
- Any hard copy documents containing confidential information must be shredded
in a timely manner.
- The merchant department must follow the MSU Business Procedures Manual
Section 350.00 regarding procedures for safe handling of money deposits.
Procedures
- Approvals - Obtain approvals from the ITC, Internal
Audit, and the Controller's Office by completing the required forms.
- Program Requirements - Follow these procedures to
establish a secure Internet site.
a. Install and maintain an effective network firewall to protect data
accessible via the Internet.
b. Keep operating system and application software security patches
up-to-date.
c. Encrypt stored data.
d. Encrypt data sent across open networks.
e. Use and regularly update anti-virus software.
- Develop adequate office procedures for staff or contract
service providers to maintain secure information.
a. Restrict access to data by business "need-to-know".
b. Assign a unique ID to each person with computer access to data.
c. Do not use vendor-supplied defaults for system passwords and other
security parameters.
d. Track access to data by unique ID.
e. Regularly test security systems and processes.
f. Maintain a policy that addresses information security for employees and
contractors.
g. Restrict physical access to cardholder information.
Internal Controls
1. Individuals who collect monies and/or write receipts may not be the same
individuals who account for deposits.
2. Different individuals are to perform the following functions:
a. Collecting monies and preparing receipts
b. Depositing receipts
c. Accounting for receipts
3. Limit access to information such as ID and credit card numbers only to
those individuals who need to know.
4. Protect and shred confidential information.
5. Small departments that do not have sufficient staff to meet ideal
segregation of duties requirements must ensure that detailed supervisory review
compensates for this weakness.
Effective Date and Review
These procedures are effective immediately.
The Controller's Office will review and update this policy
annually.