Educause Security Discussion mailing list archives
Re: Inbound Email Policy & PCIDSS
From: John Ladwig <John.Ladwig () CSU MNSCU EDU>
Date: Thu, 19 Nov 2009 11:16:52 -0600
This is all well and good from a strict liability standpoint, but would it be such a bad thing to have an internal policy (or training activity) such that if a staff member comes across a PAN in email, they learn/know that they should delete the message ASAP and ask IT to attempt to eradicate it? A lot of the policy focus I've seen in PCI is actually business-facing, not IT-facing. That said, IANAQSA. -jml
Joel Rosenblatt <joel () COLUMBIA EDU> 2009-11-19 10:59 >>>
This is the same wording as a common carrier would have about data on their network - it goes back to the argument that the phone company used - "we are not responsible for the bank robbery just because the bad guys used the telephone to plan it"

Joel

--On Thursday, November 19, 2009 9:28 AM -0700 Bob Bayn <bob.bayn () USU EDU> wrote:

Our draft Information Security policy says "USU does not accept liability for PSI that is transmitted through, or stored on, IT Resources by the end user for non-university related purposes."

Bob Bayn (435)797-2396
Security Team coordinator
Stop by the "Security Bunker" in SER 301 to see our network visualizers showing the continual attacks by outsiders.
Office of Information Technology at Utah State University

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Zach Jansen [zjanse20 () CALVIN EDU]
Sent: Thursday, November 19, 2009 6:36 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Inbound Email Policy & PCIDSS

It doesn't seem feasible to me to write a policy about inbound CC#'s and really expect that to stop people from sending you CC#'s. I'm not saying you shouldn't do it, but unless you have a technical control in place that refuses CC#'s sent to your email system you're going to have CC#'s in your email system. Very little of it may be orders placed via email, i.e. sent to your "merchants" on campus. However, you will have students getting CC#'s from their parents, faculty and staff sending CC#'s to their spouses, and variations on that general theme. Are you really responsible for these as a merchant? That doesn't really make sense to me. But I am not a QSA or an ASV or an expert on PCI.

Zach
--
Zach Jansen
Information Security Officer
Calvin College

Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
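Zach Jansen's point in the quoted message is that without "a technical control in place that refuses CC#'s sent to your email system" the PANs will arrive regardless of policy. The following is an added example of the detection core of such a control, written for this archive page and not code from any of the institutions or people in the thread. It assumes the usual PAN shape (13 to 19 digits, optionally separated by single spaces or dashes) and uses the Luhn mod-10 check to discard digit runs that merely look like card numbers; the email body is constructed for the example, and 4111 1111 1111 1111 is the well-known Visa test number (Luhn-valid, not a live account). Matches are reported masked so the filter's own log does not become another PAN store.

```python
import re
from typing import List

# Candidate runs of 13-19 digits with optional single space/dash separators.
# The lookarounds stop a PAN-length window from being carved out of a longer
# digit string; they do not prevent a match that starts right after a separator,
# so the Luhn check below is what does the real filtering.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the all-digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, mask the rest (PCI DSS 3.3 display rule)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def candidate_count(text: str) -> int:
    """How many digit runs the regex alone would flag (to show its false positives)."""
    return sum(1 for _ in _CANDIDATE.finditer(text))


def find_pans(text: str) -> List[str]:
    """Return masked PANs found in text: regex candidates that also pass Luhn."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def should_quarantine(text: str) -> bool:
    """Policy hook: a message carrying at least one Luhn-valid PAN gets held, not delivered."""
    return bool(find_pans(text))


# Constructed sample message body (not taken from the thread).
SAMPLE_EMAIL = """\
Hi, please charge my card 4111 1111 1111 1111 for the conference fee.
My phone is (435) 797-2396 and the order reference is 4111-1111-1111-1112.
Student ID 1234567890123 should not be flagged either.
"""

if __name__ == "__main__":
    print("regex candidates:", candidate_count(SAMPLE_EMAIL))
    print("Luhn-valid PANs (masked):", find_pans(SAMPLE_EMAIL))
    print("quarantine:", should_quarantine(SAMPLE_EMAIL))
```

On the sample the regex alone flags three digit runs (the real test PAN, the order reference whose last digit breaks the checksum, and the 13-digit student ID), while the Luhn check keeps only the first, reported as `411111******1111`. Hooking this into an MTA (a milter, a Postfix content filter, or a quarantine rule in a commercial gateway) is deployment-specific and not shown; the point is that the detection logic itself is small, and that it should log masked values only.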
Current thread:
- Re: Inbound Email Policy & PCIDSS, (continued)
- Re: Inbound Email Policy & PCIDSS Brad Judy (Nov 18)
- Re: Inbound Email Policy & PCIDSS Conor McGrath (Nov 18)
- Re: Inbound Email Policy & PCIDSS Joel Rosenblatt (Nov 18)
- Re: Inbound Email Policy & PCIDSS Witmer, Robert (Nov 18)
- Re: Inbound Email Policy & PCIDSS Zach Jansen (Nov 19)
- Re: Inbound Email Policy & PCIDSS Daniel Adinolfi (Nov 19)
- Re: Inbound Email Policy & PCIDSS Joel Rosenblatt (Nov 19)
- Re: Inbound Email Policy & PCIDSS Basgen, Brian (Nov 19)
- Re: Inbound Email Policy & PCIDSS Bob Bayn (Nov 19)
- Re: Inbound Email Policy & PCIDSS Joel Rosenblatt (Nov 19)
- Re: Inbound Email Policy & PCIDSS John Ladwig (Nov 19)
- Re: Inbound Email Policy & PCIDSS Joel Rosenblatt (Nov 19)