University Technology (UTech)
Administrative Offices: 309/298-2517
Computer Information Center: 309/298-1177
Help Desk: 309/298-2704 Fax: 309/298-2880
Help Desk E-Mail: email@example.com
- Anti-Malware Policy
- Remote Access Policy
- Server Lockdown and Hardening Policy
- Electronic Mail Accounts & Web Accounts
- File Server Accounts
- Microcomputer Repair
- Connecting to the Local Area Network (LAN)
- Hardware & Software Problems
- Research & Instructional Consultants
- Scheduling of Computer Labs
- Test Scoring & Data Analysis Service
- Training on Demand
University Data Management Procedures (PDF) - This document describes procedures intended to manage the movement of sensitive data between computers, including when computers are transferred between individuals, when data is transferred between computers, when computers are disposed of, and when computers are located off campus for extended periods of time.
University Computer Support Services has primary responsibility for support of microcomputers and data networks. However, its central mission is the support of instructional computing. This support is provided through various services.
A wide variety of current hardware and software information is available on the World Wide Web through the University Computer Support Services home page. For further information on the home page or its address, contact the Computer Information Center.
Anti-Malware Policy
The university supports an approved anti-malware product. A non-approved solution is not supported by the University and is not recommended.
The following minimum requirements shall remain in force:
- The anti-malware product shall be operated in real time on all client computers and Windows server computers. The product shall be configured for real-time protection.
- The anti-malware library definitions shall be checked at least once per day and updated as available.
- Anti-malware scans shall be done a minimum of once per week on all university-controlled workstations and servers.
- Removing or permanently disabling anti-malware protection violates this policy.
- WIU supports a centralized anti-malware model and advocates that clients receive anti-malware updates from official University sources managed by University Technology.
Remote Access Policy
A remote user shall use either dial-in or virtual private networking (VPN). VPN uses a secure tunnel through the local ISP connection to the University network. VPN is recommended over modems for remote access.
- Vice President or higher approval is required to download sensitive data to remote computers. Furthermore, it is prohibited to download sensitive data such as credit card data to a remote computer or media. This also includes, but is not limited to, printing, faxing, cut-and-paste, etc.
- Users with administrative rights to servers, network/telecom infrastructure equipment or applications must use a University-approved multi-factor authentication solution (such as tokens or certificates) when connecting remotely.
- Connecting computers should be properly patched and running current antivirus and anti-malware.
- Remote access for vendors must only be allowed during a maintenance window and with proper and approved change control. It is highly recommended that there be WIU oversight of the session.
- All data transmitted must be encrypted.
- Split-tunneling or accessing the Internet through your local Internet Service Provider while connected to WIU is prohibited.
Server Lockdown and Hardening Policy
All University-owned or -operated servers must be consistently and systematically locked down (a method used to protect computers by restricting a system to its core functions, thereby reducing the ways a system can be attacked). Servers with access to sensitive data or exposed to public networks (such as the Internet) may require additional precautions based on the associated risk. The office of the CTSO maintains lockdown standards for Windows and UNIX/Linux/Mac servers.
Electronic Mail Accounts and Web Accounts
Every faculty member, staff member, and student is provided an e-mail account and web space. The WIU e-mail account is accessible through standard e-mail clients or the Web. The account is activated by following the instructions at www.wiu.edu/guava/. Contact the University Computer Support Services Help Desk if problems occur when activating your account.
File Server Accounts
WIU faculty and staff have access to the Local Area Network (LAN). When employees leave or when new employees are hired, the department should contact the University Computer Support Services Help Desk and have an electronic service request created.
Credit Card Data Retention and Disposal Policy
Payment Card Industry (PCI) Data Security Standard (DSS) requirement 3.1 requires that the university maintain and adhere to a data retention and disposal policy [1]. The purpose of this policy is to ensure that records that are no longer needed are discarded appropriately and in a timely fashion. Each area that takes credit cards as payment must periodically (minimally annually) review this policy to determine any circumstances that necessitate changes in the way they retain or dispose of cardholder data.
The state of Illinois defines credit card records as receipts and defines the following retention guidelines.
| Cardholder Data Transmission, Retention and Disposal | State of Illinois Guidance |
|---|---|
| Credit/Debit card data (Name, Authorization Code, Authorization Date) | 3 years |
| Credit/Debit card data (Last 4 digits of account number) | 3 years |
| Full credit card account number | 3 years (encryption required prior to storage) |
| Credit/Debit card data (magnetic stripe track data, card validation code, PIN) | Never stored |
| Cardholder data over electronic mail, instant messaging, text messaging, chat, blogging and voice-mail | Encryption required prior to transmission |
| Cardholder data over a wireless network | May only be transmitted over secure wireless |
| Cardholder data over unsecure protocols (telnet, ftp, etc.) | Encryption required prior to transmission |
Credit Card Data Disposal:
Cardholder data maintained on paper should be shredded as soon as business conditions allow, and no later than the retention period provided by the state of Illinois. If cardholder data must be maintained on paper for any period of time, care must be taken to ensure control and protection of the document, including:
- minimizing who has access to the document,
- ensuring that disallowed data (card validation code, PIN) is not present,
- obfuscating all but the last four (4) digits of the cardholder account number, and
- maintaining the paper document in a locked, secure area with limited, controlled access.
Cardholder data maintained electronically should be eliminated as soon as business conditions allow, and no later than the retention period provided by the state of Illinois. If cardholder data must be maintained electronically for any period of time, care must be taken to ensure control and protection of the data. Electronic cardholder data presents additional challenges beyond those of data maintained on paper, so in addition to the items listed for paper records, the following require consideration for cardholder data maintained electronically:
- If business conditions allow, eliminate the electronic retention of cardholder data.
- If business conditions allow, obfuscate or remove as much of the cardholder data as possible (for example, removing all but the last 4 digits of the cardholder account number).
- Encrypt or one-way hash cardholder data prior to storage.
- Do not make backup copies of unencrypted cardholder data [2].
- Cardholder data must NOT be transmitted via or stored on electronic mail, instant messaging, text messaging, blogging and voice-mail.
- Cardholder data must NOT be transmitted via unsecure protocols (such as telnet, FTP, etc.).
- Cardholder data must NOT be transmitted over an unsecure wireless network.
- Regardless of whether you believe your old computer holds cardholder data, ensure proper disposal of end-of-life computer equipment by adhering to WIU's computer disposal policy.
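As an added illustration (not code from the university or this policy), the following Python helper applies the retention table and the electronic-storage items above to a constructed record: it rejects records carrying data that must never be stored, keeps only the last four digits of the account number, replaces the full number with a keyed one-way hash, and flags records older than the 3-year guidance. The field names, the placeholder key and the sample record are assumptions.

```python
import hashlib
import hmac
import re
from datetime import date

# Placeholder: a real deployment takes this key from a key-management system.
HASH_KEY = b"placeholder-key-managed-outside-this-script"
# Fields the retention table says must never be stored.
DISALLOWED_FIELDS = ("track_data", "card_validation_code", "pin")
RETENTION_YEARS = 3  # State of Illinois guidance for card records


def truncate_pan(pan: str) -> str:
    """Keep only the last four digits of the account number."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("account number too short to be a card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def hash_pan(pan: str) -> str:
    """Keyed one-way hash of the full number, so it can be matched but not recovered."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(HASH_KEY, digits.encode(), hashlib.sha256).hexdigest()


def sanitize_record(record: dict) -> dict:
    """Return a copy of the record that is acceptable to retain electronically."""
    present = [f for f in DISALLOWED_FIELDS if f in record]
    if present:
        raise ValueError(f"record contains data that must never be stored: {present}")
    out = {k: v for k, v in record.items() if k != "pan"}
    out["pan_last4"] = truncate_pan(record["pan"])
    out["pan_hash"] = hash_pan(record["pan"])
    return out


def past_retention(auth_date: date, today: date) -> bool:
    """True once the record is older than the retention period and should be disposed of."""
    try:
        cutoff = auth_date.replace(year=auth_date.year + RETENTION_YEARS)
    except ValueError:  # authorization dated 29 February
        cutoff = auth_date.replace(year=auth_date.year + RETENTION_YEARS, day=28)
    return today > cutoff


# Constructed sample record using a well-known test card number.
SAMPLE = {"name": "A. Student", "pan": "4111 1111 1111 1111",
          "auth_code": "12345", "auth_date": date(2020, 3, 1)}
```

A record that still carries a card validation code or PIN raises rather than being stored in any form.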
Credit Card Handling & Compliance Procedures
The following procedures are intended to support the university's Payment Card Industry (PCI) Data Security Standard (DSS) compliance efforts and must be reviewed annually and updated as appropriate:
- An annual risk assessment of all areas (and corresponding vendors) taking credit cards as payment or supporting the credit card payment environment will be coordinated through the office of the CTSO and the business office. Policies, procedures and training will be updated as appropriate.
- Vendors processing, transmitting or storing cardholder data on behalf of the university must provide annual evidence of their compliance with PCI DSS.
- Information security contract language must be added to all contracts that provide access to university systems, data, sensitive areas (such as data centers, wiring closets, etc.) or provide custom development on behalf of the university. The agreement should include an acknowledgement that the service provider is responsible for the security of cardholder data the provider possesses.
- Non-encrypted cardholder data may not be taken outside the university and may not be provided to non-approved outside entities (such as 3rd party vendors providing processing, analysis, etc.). Work with the business office to get a vendor approved. University approved vendors are: Skipjack, Paypal, Global Payments and Illinois Funds E-PAY.
- Areas wishing to purchase applications that process, transmit or store cardholder data must insist that the vendor provide evidence that the application has been assessed against PCI Payment Application Data Security Standards (PA-DSS) and that the vendor has provided a PA-DSS implementation guide (where configuration options are provided) that shows how the application needs to be configured to maintain or achieve compliance.
- Quarterly network scans conducted by a PCI Approved Scanning Vendor (ASV) are required.
- External penetration testing must be performed at least once a year and after any significant infrastructure or application upgrade or modification, including both a network-layer penetration test and an application-layer penetration test.
- Ensure that web-facing applications are protected against known attacks by having custom application code reviewed for common vulnerabilities by an organization that specializes in application security or installing an application layer firewall in front of web-facing applications.
- The business office and office of the CTSO will provide annual (and new employee) training on the proper use of credit cards. All employees that work in areas that take credit cards as payment must sign off annually that they have received this training.
- Adherence to the university password policy.
- Adherence to the university credit card data retention and disposal policy.
- Adherence to the university remote access policy.
- Adherence to the university perimeter security policy.
- Adherence to the university wireless policy.
Lack of compliance may result in fines of up to $25,000 per merchant per month and may eventually result in the revocation of credit card merchant privileges.
[2] Backups containing cardholder data must be properly handled, controlled and disposed of.
Microcomputer Repair
Microcomputer repair of university-owned equipment may be handled on-site by University Computer Support Services technicians or completed in the Hardware Repair Center, depending on the nature of the repair. In either case, an electronic Service Request form is used to track the progress of the repair. Departments and offices are charged for any equipment parts which are necessary to complete the repair. To initiate a service request, contact the University Computer Support Services Help Desk.
Connecting to the Local Area Network (LAN)
Requests for connections to the Western Illinois University Local Area Network (LAN) must be initiated by calling the University Computer Support Services Help Desk. Information concerning current networking costs and project schedules can be obtained by calling the University Computer Support Services Administrative Office. Prior approval by University Computer Support Services must be obtained before attaching any device to the LAN.
Hardware and Software Problems
Hardware and software problems should be reported to the University Computer Support Services Help Desk. Problems which cannot be solved within the duration of the call will be entered into the University Computer Support Services Service Request database. The request for service will be tracked by a unique number assigned to that request. Please ask for this number, as it is the work request identification number.
Research and Instructional Consultants
Research and Instructional Consultants are available to discuss software problems or hardware needs. Requests may be made by calling the University Computer Support Services Help Desk.
Scheduling of Computer Labs
Questions about the scheduling of computer labs should be directed to the University Computer Support Services Administrative Office.
Test Scoring and Data Analysis Service
University Computer Support Services operates a test scoring and data analysis service. It is physically located within the Computer Information Center, Stipes Hall 126. Inquiries about this service should be directed to the Computer Information Center.
Training on Demand
University Computer Support Services has a limited training on-demand capability in such areas as word processing, Internet use, microcomputer database applications, and microcomputer operating systems. An effort will be made to provide training whenever a department or office has an identifiable need.