Educause Security Discussion mailing list archives

Re: PCI Responsibility


From: Ronald King <ronald.king () MORGAN EDU>
Date: Fri, 6 Apr 2018 15:46:48 -0400

Thank you everyone. This is very useful and enlightening.

Ron

*Ronald A. King, CISSP*
Chief Information Security Officer
Morgan State University Office: (443) 885-3372
1700 E. Cold Spring Ln. Email: ronald.king () morgan edu
Baltimore, MD 21251 URL: http://www.morgan.edu

*Growing the future ... Leading the world*
<http://www.morgan.edu/Documents/ABOUT/StrategicPlan/StrategicPlan2011-21_Final.pdf>


On Fri, Apr 6, 2018 at 3:28 PM, Carlos S Lobato <clobato () nmsu edu> wrote:

At New Mexico State University, we have an official University Board
called PCI DSS Compliance Committee with representatives from Controller,
Treasury, Merchants including University Accounts Receivable and IT
representatives from Networking, Applications, Systems and Security.  I am
the chair of the committee and the committee reports progress annually to
the Chancellor of the University.  This works very well, has backing from
Executive Administration and compliance is taken seriously.


In my opinion, I don’t think it is a good idea to have Finance or IT solely
own it.  You need the actual merchants involved as they have to operate
according to PCI DSS requirements and once they understand the requirements
they will implement them.  This is working very well for us.



Carlos

*Carlos S. Lobato, CISSP, CISA, CIA, CPA*

*IT Compliance Officer (Chief Privacy Officer)*



*New Mexico State University*

Information and Communication Technologies

MSC 3AT PO Box 30001

Las Cruces, NM  88003-8001



Phone: 575-646-5902

Fax: 575-646-5278



Email: clobato () nmsu edu
IT Compliance at NMSU - https://itcompliance.nmsu.edu/


*From:* The EDUCAUSE Security Constituent Group Listserv <
SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Lazarus, Carolann
*Sent:* Friday, April 6, 2018 1:12 PM

*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] PCI Responsibility



Same here – IT advises (both security and technical) Controller and
Financial Management under the VP Finance has ultimate responsibility.  We
have a PCI compliance group that will soon morph into a standing PCI
Compliance Committee that will have oversight responsibilities.



Carolann Lazarus

716-829-6947

lazarus () buffalo edu



*From:* The EDUCAUSE Security Constituent Group Listserv <
SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Ken Connelly
*Sent:* Friday, April 6, 2018 12:30 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] PCI Responsibility



IT Security advises on the technical aspects but the responsibility for
compliance lies under the VP for Finance and Operations, specifically
Business Operations and Cashiers offices.

- ken

On 4/6/18 10:18 AM, Ronald King wrote:

Good morning colleagues,



I wanted to reach out to you to ask what division or department in your
institution is ultimately accountable for PCI compliance. Is it your IT,
Finance or another department/division? Why?



Do you have a dedicated employee, contractor or team overseeing compliance
to PCI?



As always, feel free to reach me directly.



Thank you and have a great weekend!

Ron

*Ronald A. King, CISSP*
Chief Information Security Officer
Morgan State University Office: (443) 885-3372
1700 E. Cold Spring Ln. Email: ronald.king () morgan edu
Baltimore, MD 21251 URL: http://www.morgan.edu

*Growing the future ... Leading the world*
<http://www.morgan.edu/Documents/ABOUT/StrategicPlan/StrategicPlan2011-21_Final.pdf>





--

- Ken

=================================================================

Ken Connelly                       Director, Information Security

Information Security Officer          University of Northern Iowa

email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373



Any request to divulge your UNI password via e-mail is fraudulent!



