I'm an IT administrator at a community college and am gearing up for the New Year. Many students have their social security numbers on file and also use their credit cards to pay for classes online. What approaches should I make to ensure others can't take this data and use it as their own?
My answer won't be the cure-all solution, but I am providing you with some tips that will assist you in working towards your goal.
Some of the basics you want to cover include, but are not limited to, the following:
* Encrypting the sensitive data
* Knowing where the sensitive data resides
* Using secure firewall(s) and current configurations
* Using a DMZ to protect the internal network from the external network
* Using strong authentication on equipment
* Using intrusion detection/monitoring for critical applications
* Using virus checking with current updates
* Limiting access to the data (access management)
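Two of the items above, encrypting the sensitive data and knowing where it resides, start with the same step: finding every file that holds a primary account number or a social security number so it can be removed, encrypted, or masked. The script below is an added example written for this column, not code from the original answer or from any PCI DSS tooling. It scans a handful of constructed in-memory files (no real data), reports candidate PANs only when they pass the Luhn check, and prints them masked to the first six and last four digits, which is the most PCI DSS permits to be displayed. The file names and contents are made-up sample input.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# SSN in 123-45-6789 form; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check used by payment card numbers; weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Show at most the first six and last four digits (PCI DSS display rule)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def mask_ssn(ssn: str) -> str:
    """Keep only the last four digits of an SSN."""
    return "***-**-" + ssn[-4:]


@dataclass
class Finding:
    kind: str       # "PAN" or "SSN"
    location: str   # "path:line"
    masked: str     # value safe to put in a report


def scan_text(path: str, text: str) -> list:
    """Scan one file's contents line by line and return masked findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            # Length filter plus Luhn keeps order numbers and phone numbers out.
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append(Finding("PAN", f"{path}:{lineno}", mask_pan(digits)))
        for m in SSN_RE.finditer(line):
            findings.append(Finding("SSN", f"{path}:{lineno}", mask_ssn(m.group(0))))
    return findings


def scan_all(files: dict) -> list:
    """files maps path -> contents; in practice you would walk the file shares."""
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


# Constructed sample data (assumption: nothing here is a real account or person).
# 4111 1111 1111 1111 is a widely published test number that passes Luhn;
# 4111111111111112 fails Luhn and should be ignored as a false positive.
SAMPLE_FILES = {
    "billing/export.csv": "student_id,card\n10042,4111 1111 1111 1111\n10043,4111111111111112\n",
    "registrar/notes.txt": "Student SSN on file: 123-45-6789\nPhone: 555-123-4567\n",
    "it/readme.txt": "No sensitive data here.\n",
}

if __name__ == "__main__":
    for f in scan_all(SAMPLE_FILES):
        print(f"{f.kind:4} {f.location:28} {f.masked}")
```

Running it lists the card number in the billing export and the SSN in the registrar notes, both masked, and stays silent on the Luhn-failing lookalike and the phone number. The output itself contains nothing you would have to protect, which matters when the report is e-mailed to the compliance team; the real locations are what you then inventory, encrypt at rest, or delete.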
These are just basic steps taken to protect data on the computing side. Knowing where sensitive data resides is a hot topic for many reasons, including electronic discovery issues, loss of sensitive data, and employer liability. Where data resides and who has access to it has taken many administrators by surprise when the business has received discovery notification for litigation purposes.
Aside from the technical aspects, if you are rusty or have not stayed current with your policies or regulations, now is a good time to brush up on them and begin educating others. If your school deals with Title IV funding, talk to your internal compliance team to see if you need to adhere to any special requirements. In your situation, you will really want to review the Payment Card Industry Data Security Standard (PCI DSS). It applies to any organization that processes credit or debit card information, including merchants and third-party service providers that store, process, or transmit credit card/debit card data. Be aware that if the school is housing the primary account number (PAN), compliance with the standards of PCI is not optional.
Even if you are not storing PANs, the PCI requirements have useful information that will help you conduct a self-audit of your existing processes. If you can pass the audit, you are in pretty good shape. Just by reading the PCI requirements, you will quickly see that securing data is much more daunting and detailed than just applying an encryption technology and calling it a completed project. If you find the necessary technical skills are not employed in your school, look towards a consulting service to assist you.