Educause Security Discussion mailing list archives
Re: Ideas for auditing ID card system
From: Vik Solem <vik.solem () TUFTS EDU>
Date: Tue, 8 Jun 2010 11:34:41 -0400
You may want to urge caution about converting a student ID into a device which contains a financial account. Massachusetts laws now impose some interesting and in some cases cumbersome handling requirements for any instance (electronic or physical) of a person's name and financial account number.

The full definition of Personal Information is a resident's first name and last name or first initial and last name in combination with any 1 or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account; provided, however, that "Personal information" shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

Basically, it's name and SSN, CC, or financial account. The Mass law is written to be applied to any data for any resident of Massachusetts, regardless of where the data resides. I don't know of any case law indicating inter-state enforcement of such things, but it might not be fun to be the test case.

-Vik

References:
Laws - Security Breaches (93H): http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm
Laws - Disposition and Destruction (93I): http://www.mass.gov/legis/laws/mgl/gl-93i-toc.htm
Regulations (201 CMR 17.00): http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf

On Jun 8, 2010, at 08:42, Theresa Rowe wrote:
> We have an older implementation of the Blackboard ID / Campus card system (originally a different vendor). The ID card department is currently looking to expand the relationship of the card with a local credit union, so that the card is used for payment as a debit card.
>
> Before we go down this path, I would like an external audit, from an IT security and COBIT controls standard. The audit would be strictly limited to this environment (not any other systems or networks). I'd appreciate any ideas or recommendations.
>
> Vendors - I do not have a confirmed budget, but I am looking for external consulting to handle this project.
>
> --
> Theresa Rowe
> Chief Information Officer
> Oakland University
> **Think Green - Think before you print.**
-Vik

Vik Solem
Sr. Applications Risk Consultant
Information Security
Tufts University UIT / 617-627-4326
Check Out the UIT Information Security Team blog
http://blogs.uit.tufts.edu/infosecteamblog/