Educause Security Discussion mailing list archives

Re: Inbound Email Policy & PCIDSS


From: Bob Bayn <bob.bayn () USU EDU>
Date: Thu, 19 Nov 2009 09:28:17 -0700

Our draft Information Security policy says "USU does not accept liability for PSI that is transmitted through, or 
stored on, IT Resources by the end user for non-university related purposes."

Bob Bayn        (435)797-2396      Security Team coordinator
  Stop by the "Security Bunker" in SER 301 to see our network
  visualizers showing the continual attacks by outsiders.
Office of Information Technology   at  Utah State University
________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Zach Jansen [zjanse20 () CALVIN EDU]
Sent: Thursday, November 19, 2009 6:36 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Inbound Email Policy & PCIDSS

It doesn't seem feasible to me to write a policy about inbound CC#'s and really expect that to stop people from sending 
you CC#'s. I'm not saying you shouldn't do it, but unless you have a technical control in place that refuses CC#'s sent 
to your email system you're going to have CC#'s in your email system. Very little of it may be orders placed via email, 
i.e., sent to your "merchants" on campus. However, you will have students getting CC#'s from their parents, faculty and 
staff sending CC#'s to their spouses, and variations on that general theme. Are you really responsible for these as a 
merchant? That doesn't really make sense to me. But I am not a QSA or an ASV or an expert on PCI.

Zach

--

Zach Jansen
Information Security Officer
Calvin College
