Safeguarding Customer Information

At Montana State University - Billings, safeguarding the privacy and confidentiality of personal information is important.  As an institution of higher education, we collect, retain, and use personal non-public information about individual students and staff members.  We may collect personal information from such sources as hard copy applications, electronic forms, background checks, or over the Internet. The objectives of our information security program are to ensure the security and confidentiality of such personal information; to protect against any anticipated threats to its security or integrity; and to guard it against unauthorized access to or use.

Any sharing of nonpublic personal information about our students or employees must be done in strict adherence to the Federal Family Educational Rights and Privacy Act (FERPA) guidelines. The University may exchange such information with certain nonaffiliated third parties (under limited circumstances) to the extent permissible under law.  Examples may include (but are not limited to) medical insurance institutions or credit card processing software companies.

We restrict access to student and employee information only to those employees who have business reasons to know such information, and we educate our employees and contract service providers about the importance of confidentiality and privacy.

Policy
In order to provide adequate safeguards over customers’ credit card data and electronic addresses as they are received over the Web, the university will adhere to the following minimum technical specifications:

• Any computer device on the University network that makes non-personal public information available must be certified secure.  A copy of the security certificate must be completed with IT before any such computing device that is connected to the network.
• Customer information, including credit card data, must be reasonably secured against disclosure and modification as determined by current campus policy.
• The University must oversee local and contracted service providers by taking steps to select and retain providers that are proven capable of maintaining appropriate safeguards for customer information.
• MSU Billings will contractually require service providers to implement and maintain such safeguards; and
• MSU Billings will periodically evaluate, based on results of testing and monitoring, any material changes to the service providers’ operations.

Departments may accept payment by credit card under the following circumstances:

The department must complete the application for Authorization to Process Bankcard Transactions to apply to become an authorized merchant department and return it to the Business Service's Office. (Request MSU Billings startup procedures for processing credit cards from the Business Service's Office).  Procedures for timely deposit of credit card transactions and safe and proper handling of the data must be followed.

IT will review the department’s hardware and software to ensure that the server is secure and the program requirements have been adhered to. (See Procedures below). Internal Audit will review the department’s internal procedures to ensure that personal information is handled utilizing reasonable confidentiality security practices.

The following safeguards need to be in place:

• Personal computers containing confidential information must be secure.

• Adequate internal controls regarding separation of duties must be in place.

• It is the merchant department’s responsibility to maintain the customer’s credit card or e-mail information in a confidential manner.

• Any hard copy documents containing confidential information must be shredded in a timely manner.

• The merchant department must follow the MSU Billings Business Procedures Manual regarding procedures for safe handling of money deposits.

Procedures

1.	Approvals – Obtain approvals from the IT, Internal Audit, and the Business Service’s Office by completing the required forms.
2.	Program Requirements – IT is responsible for these procedures to establish a secure computing environment.
	a.	Install and maintain an effective network firewall to protect data accessible via the Internet.
	b.	Keep operating system and application software security patches up-to-date.
	c.	Encrypt stored data.
	d.	Encrypt data sent across open networks.
	e.	Use and regularly update anti-virus software.
3.	Develop adequate office procedures for staff or contract service providers to maintain secure information.
	a.	Restrict access to data by business “need-to-know”.
	b.	Assign a unique ID to each person with computer access to data.
	c.	Do not use vendor-supplied defaults for system passwords and others security parameters.
	d.	Track access to data by unique ID.
	e.	Regularly test security systems and processes.
	f.	Maintain a policy that addresses information security for employees and contractors.
	g.	Restrict physical access to cardholder information.
Internal Controls Segregation of duties is important to protect against fraud and maintain confidentiality.
1.	Individuals who collect monies and/or write receipts may not be the same individuals who account for deposits.
2.	Different Individuals are to perform the following functions:
	a.	Collecting monies and preparing receipts
	b.	Depositing receipts
	c.	Accounting for receipts
3.	Limit access to information such as ID and credit card numbers only to those individuals who need to know.
4.	Protect and shred confidential information.
5.	Small departments that do not have sufficient staff to meet ideal segregation of duties requirements must ensure that detailed supervisory review compensates for this weakness.

Effective Date and Review
These procedures are effective immediately.

The Business Service's Office will review and update this policy annually.