Re: Inbound Email Policy & PCIDSS

[Joel Rosenblatt <joel () COLUMBIA EDU>]

No .. it would be a really good thing .. and it should also cover PII and FERPA - but this is a CYA risk reduction 
clause .. just in case the employee was out
the day doing the right thing was taught :-)

Joel

--On Thursday, November 19, 2009 11:16 AM -0600 John Ladwig <John.Ladwig () csu mnscu edu> wrote:

> This is all well and good from a strict liability standpoint, but would it be such a bad thing to  have an internal 
> policy (or training activity) such that
> if a staff member comes across a PAN in email, they learn/know that they should delete the message ASAP and ask IT to 
> attempt to eradicate it?
>
> A lot of the policy focus I've seen in PCI is actually business-facing, not IT-facing.  That said, IANAQSA.
>
>    -jml
>
> > > > Joel Rosenblatt <joel () COLUMBIA EDU> 2009-11-19 10:59 >>>
> This is the same wording as a common carrier would have about data on their network - it goes back to the argument that the 
> phone company used - "we are not
> responsible for the bank robbery just because the bad guys used the telephone to plan it"
>
> Joel
>
> --On Thursday, November 19, 2009 9:28 AM -0700 Bob Bayn <bob.bayn () USU EDU> wrote:
>
> > Our draft Information Security policy says "USU does not accept liability for PSI that is transmitted through, or 
> > stored on, IT Resources by the end user for
> > non-university related purposes."
> >
> > Bob Bayn        (435)797-2396      Security Team coordinator
> >   Stop by the "Security Bunker" in SER 301 to see our network
> >   visualizers showing the continual attacks by outsiders.
> > Office of Information Technology   at  Utah State University
> > ________________________________________
> > From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Zach Jansen 
> > [zjanse20 () CALVIN EDU]
> > Sent: Thursday, November 19, 2009 6:36 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Inbound Email Policy & PCIDSS
> >
> > It doesn't seem feasible to me to write a policy about inbound CC#'s and really expect that to stop people from sending you 
> > CC#'s. I'm not saying you
> > shouldn't do it, but unless you have a technical control in place that refuses CC#'s sent to your email system you're going 
> > to have CC#'s in your email
> > system. Very little of it may be orders placed via email, ie sent to your "merchants" on campus. However, you will have 
> > students getting CC#'s from their
> > parents, faculty and staff sending CC#'s to their spouses, and variations on that general theme. Are you really 
> > responsible for these as a merchant? That
> > doesn't really make sense to me. But I am not a QSA or an ASV or an expert on PCI.
> >
> > Zach
> >
> > --
> >
> > Zach Jansen
> > Information Security Officer
> > Calvin College
>
>
>
> Joel Rosenblatt, Manager Network & Computer Security
> Columbia Information Security Office (CISO)
> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> http://www.columbia.edu/~joel



Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel