Introduction and Purpose

This policy is being introduced as required by the Federal Trade Commission under the Gramm-Leach Bliley (GLB) Act and the Payment Card Industry Data Security Standards.

At Montana State University - Billings, safeguarding the privacy and confidentiality of personal information is important.  As an institution of higher education, we collect, retain, and use personal non-public information about individual students and staff members.  We may collect personal information from such sources as hard copy applications, electronic forms, background checks, or over the Internet. The objectives of our information security program are to ensure the security and confidentiality of such personal information; to protect against any anticipated threats to its security or integrity; and to guard it against unauthorized access to or use.

Any sharing of nonpublic personal information about our students or employees must be done in strict adherence to the Federal Family Educational Rights and Privacy Act (FERPA) guidelines. The University may exchange such information with certain nonaffiliated third parties (under limited circumstances) to the extent permissible under law.  Examples may include (but are not limited to) medical insurance institutions or credit card processing software companies.

We restrict access to student and employee information only to those employees who have business reasons to know such information, and we educate our employees and contract service providers about the importance of confidentiality and privacy.

Policy

In order to provide adequate safeguards over customers’ credit card data and electronic addresses as they are received over the Web, the university will adhere to the following minimum technical specifications:

  • Any computer device on the University network that makes non-personal public information available must be certified secure.  A copy of the security certificate must be completed with IT before any such computing device that is connected to the network.
  • Customer information, including credit card data, must be reasonably secured against disclosure and modification as determined by current campus policy.
  • The University must oversee local and contracted service providers by taking steps to select and retain providers that are proven capable of maintaining appropriate safeguards for customer information.
  • MSU Billings will contractually require service providers to implement and maintain such safeguards; and
  • MSU Billings will periodically evaluate, based on results of testing and monitoring, any material changes to the service providers’ operations.

IT will review the department’s hardware and software to ensure that the server is secure and the program requirements have been adhered to. (See Procedures below). Internal Audit will review the department’s internal procedures to ensure that personal information is handled utilizing reasonable confidentiality security practices.

The following safeguards need to be in place:

  • Personal computers containing confidential information must be secure.

  • Adequate internal controls regarding separation of duties must be in place.

  • It is the merchant department’s responsibility to maintain the customer’s credit card or e-mail information in a confidential manner.

  • Any hard copy documents containing confidential information must be shredded in a timely manner.

  • The merchant department must follow the MSU Billings Business Procedures Manual regarding procedures for safe handling of money deposits.

Procedures

  1. Approvals – Obtain approvals from the IT, Internal Audit, and the Business Service’s Office by completing the required forms.
  2. Program Requirements – IT is responsible for these procedures to establish a secure computing environment.
    1. Install and maintain an effective network firewall to protect data accessible via the Internet.
    2. Keep operating system and application software security patches up-to-date.
    3. Encrypt stored data.
    4. Encrypt data sent across open networks.
    5. Use and regularly update anti-virus software.
  3. Develop adequate office procedures for staff or contract service providers to maintain secure information.
    1. Restrict access to data by business “need-to-know”.
    2. Assign a unique ID to each person with computer access to data.
    3. Do not use vendor-supplied defaults for system passwords and others security parameters.
    4. Track access to data by unique ID.
    5. Regularly test security systems and processes.
    6. Maintain a policy that addresses information security for employees and contractors.
    7. Restrict physical access to cardholder information. Records need to be in locked file cabinets at all times. Rooms need to be locked when not occupied.

Internal Controls

Segregation of duties is important to protect against fraud and maintain confidentiality.

  1.  Individuals who collect monies and/or write receipts may not be the same individuals who account for deposits.
  2. Different Individuals are to perform the following functions:
    1. Collecting monies and preparing receipts
    2. Depositing receipts
    3. Accounting for receipts
  3. Limit access to information such as ID and credit card numbers only to those individuals who need to know.
  4. All documents kept in the campus departments must mask the credit card information.
  5. Protect and shred confidential information.
  6. Small departments that do not have sufficient staff to meet ideal segregation of duties requirements must ensure that detailed supervisory review compensates for this weakness.

Effective Date and Review

These procedures are effective immediately.

The Business Service's Office will review and update this policy annually.