Educause Security Discussion mailing list archives

Re: Inbound Email Policy & PCIDSS


From: Joel Rosenblatt <joel () COLUMBIA EDU>
Date: Wed, 18 Nov 2009 18:37:21 -0500

Hi,

In our Email Usage and Retention Policy

<http://policylibrary.columbia.edu/email-usage-and-retention-policy>

item 6 in the full policy text

Confidential and/or sensitive information (e.g., SSN, credit card, medical records) must not be sent by email. The only acceptable way to transmit such information electronically is to attach the information as a password-protected and/or encrypted file; never type the information in the body of the email; and never send a password or decryption key in the same email. Unless the file is encrypted or password-protected, it can be read by others and therefore should not be considered private communication.

Instructions for password protecting and encrypting Microsoft Office documents can be found at
http://www.columbia.edu/acis/security/articles/data/encryption.html

For communications involving health care and medical information, you must adhere to the Columbia University Medical Center's email policies. Please see:
http://www.cumc.columbia.edu/hipaa/policies/docs/cumcemailpolicy.pdf
http://www.cumc.columbia.edu/hipaa/policies/docs/cumcimptinfo_provider.pdf

Prior to sending an email with sensitive and/or confidential information, verify the accuracy of the recipient's email address to prevent unintentionally sending it to an unauthorized individual. Once an email is sent, it cannot be recalled and/or undone.

Thanks,
Joel Rosenblatt

Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel


--On Wednesday, November 18, 2009 3:35 PM -0500 "Witmer, Robert" <r.witmer () SNHU EDU> wrote:

I was having a discussion this morning with my ASV. He stated that if our email system accepted inbound email with credit card information, they considered it electronic storage of credit card info. However, if the university had a written policy on emails containing credit card info, that changed the circumstances as far as the level of SAQ we are required to submit for that particular processor.

I will concede the premise of electronic storage of credit card info in an email system. My question is "does anyone have a written email policy that specifically addresses inbound emails with credit cards?" And if so, would you care to share it?

Regards,
Bob



