Educause Security Discussion mailing list archives

Re: Inbound Email Policy & PCIDSS


From: John Ladwig <John.Ladwig () CSU MNSCU EDU>
Date: Thu, 19 Nov 2009 11:16:52 -0600

This is all well and good from a strict liability standpoint, but would it be such a bad thing to have an internal 
policy (or training activity) such that if a staff member comes across a PAN in email, they learn/know that they should 
delete the message ASAP and ask IT to attempt to eradicate it?

A lot of the policy focus I've seen in PCI is actually business-facing, not IT-facing.  That said, IANAQSA.

   -jml

Joel Rosenblatt <joel () COLUMBIA EDU> 2009-11-19 10:59 >>>
This is the same wording as a common carrier would have about data on their network - it goes back to the argument that 
the phone company used - "we are not responsible for the bank robbery just because the bad guys used the telephone to 
plan it"

Joel

--On Thursday, November 19, 2009 9:28 AM -0700 Bob Bayn <bob.bayn () USU EDU> wrote:

Our draft Information Security policy says "USU does not accept liability for PSI that is transmitted through, or 
stored on, IT Resources by the end user for non-university related purposes."

Bob Bayn        (435)797-2396      Security Team coordinator
  Stop by the "Security Bunker" in SER 301 to see our network
  visualizers showing the continual attacks by outsiders.
Office of Information Technology   at  Utah State University
________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Zach Jansen 
[zjanse20 () CALVIN EDU] 
Sent: Thursday, November 19, 2009 6:36 AM
To: SECURITY () LISTSERV EDUCAUSE EDU 
Subject: Re: [SECURITY] Inbound Email Policy & PCIDSS

It doesn't seem feasible to me to write a policy about inbound CC#'s and really expect that to stop people from 
sending you CC#'s. I'm not saying you shouldn't do it, but unless you have a technical control in place that refuses 
CC#'s sent to your email system you're going to have CC#'s in your email system. Very little of it may be orders placed 
via email, i.e., sent to your "merchants" on campus. However, you will have students getting CC#'s from their parents, 
faculty and staff sending CC#'s to their spouses, and variations on that general theme. Are you really responsible for 
these as a merchant? That doesn't really make sense to me. But I am not a QSA or an ASV or an expert on PCI.

Zach

--

Zach Jansen
Information Security Officer
Calvin College



Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
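An added example, not written by any of the posters above: the core of the "technical control that refuses CC#'s" Zach mentions, and a redaction helper for the clean-up John describes, in Python. It assumes a plain-text message body, treats any run of 13 to 19 digits (optionally separated by single spaces or dashes) as a candidate, and keeps only candidates that pass the Luhn mod-10 check, which is what separates a card number from an order reference or phone number of similar length. The sample message and its card numbers are constructed (they are the standard industry test numbers, not real accounts).

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
# The lookbehind/lookahead stop us from matching the middle of a longer digit run.
# Assumption: illustrative pattern only, not a vendor DLP signature.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample message; the card numbers are the well-known Visa and
# American Express test numbers, the 16-digit "order ref" fails Luhn on purpose.
SAMPLE_MESSAGE = (
    "Hi Mom, the bursar needs the card again: 4111 1111 1111 1111, exp 11/12.\n"
    "Call me at 555-012-3456. Order ref 1234567890123456 (not a card).\n"
    "Dad's Amex is 378282246310005.\n"
)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalize(candidate: str) -> str:
    """Strip the separators so the candidate is a bare digit string."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list:
    """Return the digit strings in text that look like PANs and pass Luhn.

    Digit runs of the right length that fail Luhn (order numbers, tracking
    numbers) are dropped, which is the main false-positive control here.
    """
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def redact_pans(text: str) -> str:
    """Replace each detected PAN with a masked form that keeps only the last four digits.

    Non-PAN digit runs are left untouched so unrelated content survives.
    """
    def mask(m):
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group(0)
    return PAN_CANDIDATE.sub(mask, text)


def should_reject(text: str) -> bool:
    """Policy hook for an inbound mail filter: True if the message carries a PAN."""
    return bool(find_pans(text))


if __name__ == "__main__":
    print("PANs found:", find_pans(SAMPLE_MESSAGE))
    print("Reject inbound?", should_reject(SAMPLE_MESSAGE))
    print(redact_pans(SAMPLE_MESSAGE))
```

In a real deployment this sits in a milter or mail-gateway DLP rule rather than a script, and the Luhn check alone still produces hits on things like Luhn-valid account numbers from other systems, so the usual practice is to quarantine for review rather than silently drop, and to log which mailbox received it so the eradication request John describes has something to act on.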
