XXIII. Interim Policy Regarding Access to and Saving of Social Security Numbers and Credit Card Numbers

I. Purpose

To establish an interim policy prohibiting the saving of Social Security Numbers or Credit Card numbers on laptop computers or other mobile computing devices including portable data storage devices.

II. Scope

This policy applies to all Metropolitan State College of Denver personnel.

III. Policy Statements

Some business activities may require storing SSN data or Credit Card data in a secured folder on a secured IT server. Authorization to store SSN data or Credit Card data on a secured IT server, outside of the BANNER database, requires written authorization from the employee’s area Vice President and the Vice President of Information Technology. Access to such data will be limited to those individuals having obtained the required written authorization.

SSN data and Credit Card data will be stored inside of the BANNER database. Access to enter, view, or modify SSN data or Credit Card data will be limited to those individuals having obtained written authorization from the employee’s area Vice President.

Neither Social Security numbers nor Credit Card numbers may be saved on a mobile computing device including, but not limited to, laptop computers, PDAs, Smart Phones, USB drives, CD/DVDs, or diskettes.

Neither SSN data nor Credit Card data may be sent through Email. Authorization to transmit SSN data or Credit Card data into or out of the MSCD.EDU network, by other electronic means, requires the written authorization of the employee’s area Vice President as well as the Vice President of Information Technology. These electronic transmissions, when authorized, will require that the data be encrypted.

Neither SSN data nor Credit Card data, regardless of form (electronic or print), may be removed from the workplace.

Authorization to deviate from these requirements requires the written approval of the College President, the employee’s area Vice President and the Vice President of Information Technology. The business case for granting such a waiver must be documented.

IV. Reporting Violations

Any suspected violations of these policies, or unauthorized access to computing resources, or any other condition which could compromise the security of MSCD computing resources must be reported to the Department of Information Technology, Security and Disaster Recovery Coordinator, http://www.mscd.edu/~infotech/security/, 1-877-35AskIT (1-877-352-7548)

V. Remedies for Non-Compliance

Failure to comply with these policies may result in one or more of the following actions: a) suspension of access to the network for the individual, educational or administrative unit violating the policy, b) when appropriate, disciplinary action ranging from warning to termination and (for students) expulsion from the College, depending on circumstances, in accordance with applicable policies and procedures, c) when appropriate, initiation of civil or criminal proceedings.

VI. Authority

The College President grants authority to the Vice President of Information Technology to oversee compliance with this policy.

Questions regarding this policy, or requests for variances from the policy, should be directed to the Vice President of Information Technology at (303) 556-2441.

Approved February 19, 2007

Next Review Date: November 2007