Educause Security Discussion mailing list archives

Re: Ideas for auditing ID card system


From: Vik Solem <vik.solem () TUFTS EDU>
Date: Tue, 8 Jun 2010 11:34:41 -0400

You may want to urge caution about converting a student ID into a
device which contains a financial account.  Massachusetts laws now
impose some interesting and in some cases cumbersome handling
requirements for any instance (electronic or physical) of a person's
name and financial account number.

The full definition of Personal Information is a resident's first name
and last name or first initial and last name in combination with any 1
or more of the following data elements that relate to such resident:
  (a) Social Security number;

  (b) driver's license number or state-issued identification card
number; or

  (c) financial account number, or credit or debit card number, with
or without any required security code, access code, personal
identification number or password, that would permit access to a
resident's financial account; provided, however, that "Personal
information" shall not include information that is lawfully obtained
from publicly available information, or from federal, state or local
government records lawfully made available to the general public.

Basically, it's name and SSN, CC, or financial account.

The Mass law is written to be applied to any data for any resident of
Massachusetts, regardless of where the data resides.  I don't know of
any case law indicating inter-state enforcement of such things, but it
might not be fun to be the test case.

-Vik


References:

Laws - Security Breaches: (93H)
        http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm

Laws - Disposition and Destruction: (93I)
        http://www.mass.gov/legis/laws/mgl/gl-93i-toc.htm

Regulations: (201 CMR 17.0)
        http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf


On Jun 8, 2010, at 08:42 , Theresa Rowe wrote:

We have an older implementation of the Blackboard ID / Campus card
system (originally a different vendor).  The ID card department is
currently looking to expand the relationship of the card with a
local credit union, so that the card is used for payment as a debit
card.  Before we go down this path, I would like an external audit,
from an IT security and COBIT controls standard.

The audit would be strictly limited to this environment (not any
other systems or networks).  I'd appreciate any ideas or
recommendations.  Vendors - I do not have a confirmed budget, but I
am looking for external consulting to handle this project.
--
Theresa Rowe
Chief Information Officer
Oakland University
**Think Green - Think before you print.**

-Vik

Vik Solem
Sr. Applications Risk Consultant
Information Security
Tufts University UIT / 617-627-4326

Check Out the UIT Information Security Team blog
http://blogs.uit.tufts.edu/infosecteamblog/
