Educause Security Discussion mailing list archives
Re: Inbound Email Policy & PCIDSS
From: Joel Rosenblatt <joel () COLUMBIA EDU>
Date: Wed, 18 Nov 2009 18:37:21 -0500
Hi,

In our Email Usage and Retention Policy <http://policylibrary.columbia.edu/email-usage-and-retention-policy>, item 6 in the full policy text:

Confidential and/or sensitive information (e.g., SSN, credit card, medical records) must not be sent by email. The only acceptable way to transmit such information electronically is to attach the information as a password-protected and/or encrypted file; never type the information in the body of the email; and never send a password or decryption key in the same email. Unless the file is encrypted or password-protected, it can be read by others and therefore should not be considered private communication.

Instructions for password protecting and encrypting Microsoft Office documents can be found at http://www.columbia.edu/acis/security/articles/data/encryption.html

For communications involving health care and medical information, you must adhere to the Columbia University Medical Center's email policies. Please see:
http://www.cumc.columbia.edu/hipaa/policies/docs/cumcemailpolicy.pdf
http://www.cumc.columbia.edu/hipaa/policies/docs/cumcimptinfo_provider.pdf

Prior to sending an email with sensitive and/or confidential information, verify the accuracy of the recipient's email address to prevent unintentionally sending it to an unauthorized individual. Once an email is sent, it cannot be recalled and/or undone.

Thanks,
Joel Rosenblatt

Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel

--On Wednesday, November 18, 2009 3:35 PM -0500 "Witmer, Robert" <r.witmer () SNHU EDU> wrote:
I was having a discussion this morning with my ASV. He stated that if our email system accepted inbound email with credit card information, they considered it electronic storage of credit card info. However, if the university had a written policy on emails containing credit card info, that changed the circumstances as far as the level of SAQ we are required to submit for that particular processor.

I will concede the premise of electronic storage of credit card info in an email system. My question is "does anyone have a written email policy that specifically addresses inbound emails with credit cards?" And if so, would you care to share it?

Regards,
Bob

Please consider the environment before printing this e-mail.