XXIII. Policy Regarding Access to and Saving of Social Security Numbers and Credit Card Numbers
I. Purpose
To prohibit the saving of Social Security Numbers (SSN) or Credit Card
numbers on laptop computers or other mobile computing devices including portable
data storage devices.
II. Scope
This policy applies to all Metropolitan State College of Denver
personnel.
III. Policy Statements
Some business activities may require storing SSN data or Credit Card data in
a secured folder on a secured IT server. Authorization to store SSN data or
Credit Card data on a secured IT server, outside of the BANNER database,
requires written authorization from the employee’s area Vice President and the
Vice President of Information Technology. Access to such data will be limited to
those individuals having obtained the required written authorization.
SSN data and Credit Card data will be stored inside of the BANNER database.
Access to enter, view, or modify SSN data or Credit Card data will be limited to
those individuals having obtained written authorization from the employee’s area
Vice President.
Neither Social Security numbers nor Credit Card numbers may be saved on a
mobile computing device including, but not limited to, laptop computers, PDAs,
Smart Phones, USB drives, CD/DVDs, or diskettes.
Neither SSN data nor Credit Card data may be sent through Email.
Authorization to transmit SSN data or Credit Card data into or out of the
MSCD.EDU network, by other electronic means, requires the written authorization
of the employee’s area Vice President as well as the Vice President of
Information Technology. These electronic transmissions, when authorized, will
require that the data be encrypted.
Neither SSN data nor Credit Card data, regardless of form (electronic or
print), may be removed from the workplace.
Authorization to deviate from these requirements requires the written
approval of the College President, the employee’s area Vice President and the
Vice President of Information Technology. The business case for granting such a
waiver must be documented.
IV. Reporting Violations
Any suspected violations of these policies, or unauthorized access to
computing resources, or any other condition which could compromise the security
of Metro State computing resources must be reported to the Director of
Information Security at 1-877-35AskIT (1-877-352-7548).
V. Remedies for Non-Compliance
Failure to comply with these policies may result in one or more of the
following actions: a) suspension of access to the network for the individual,
educational or administrative unit violating the policy, b) when appropriate,
disciplinary action ranging from warning to termination and (for students)
expulsion from the College, depending on circumstances, in accordance with
applicable policies and procedures, c) when appropriate, initiation of civil or
criminal proceedings.
VI. Authority
The College President grants authority to the Vice President of Information
Technology to oversee compliance with this policy.
Questions regarding this policy, or requests for variances from the policy,
should be directed to the Vice President of Information Technology at (303)
556-2441.
Approved February 19, 2007
Revised: August 2008
