PCI Guidelines
- Electronic PCI must be encrypted as specified by SSU/IT when not in use or on central SSU/IT servers.
- PCI must not be emailed or transferred unencrypted across shared networks.
- Computers with PCI must adhere to SSU’s “Computer & Network” Blue Paper Policy.
- PCI (whether in electronic or other form) must be kept in a physically secure environment. Paper-based PCI must be kept in locked, physically secure storage. Laptop computers must be locked down. Unattended offices must be locked to ensure the physical security of computers with access to Personal Confidential Information. Computers must use a password-protected screen saver to prevent unauthorized access when unattended.
- Data files with PCI must be purged from computers after a three-year retention.
- Removable media, such as CDs, thumb drives, etc. containing Personal Confidential Information must be handled and stored in a secure manner.
- Any suspected loss of Personal Confidential Information must be reported immediately to both the Campus Police and the Information Security Officer.
- PCI must not be removed from campus.
Exceptions to the guidelines must be documented and approved by the Information Security Officer.
