
Physical Security - Media Policy

Introduction

Issuing Office

Cashiering and Treasury Services

Affected Parties

LU employees who handle PCI data; any physical media containing PCI data.

Policy Rationale

On-site locations where physical PCI data is stored before processing must provide access controls and protection that reduce the risk of loss or damage to an acceptable level. This policy should serve as a reminder to treat any PCI data in any location with the highest level of security reasonably possible. Although Liberty University does not electronically store cardholder data, we do have temporary storage of physical paper media before processing and disposal. When the topic of data protection (in this case, PCI data) arises, the focus is generally on access to the actual site where the data is stored, or on the level of access employees have within programs. It would be remiss to omit the actual storage areas in the direct control of employees who handle data every day. Misplacing or mishandling any of these items when they contain PCI data could lead to adverse results, and thus they need to be protected.

Definition of Glossary Terms

Media: For the purpose of this policy, media can be defined as including, but not limited to, computers, removable electronic media, paper receipts, paper reports and faxes.

Policy Information

Policy Statements

Note: Issuing Office is responsible for documentation of LU compliance with the following statements:

Physically secure all media.

  • Store media in a secure location.

Maintain strict control over the internal or external distribution of any kind of media, by doing the following:

  • Classify media so the sensitivity of the data can be determined.
  • Send the media by secured courier or other delivery method that can be accurately tracked.
  • Ensure department management works with Cashiering and Treasury Services to approve any and all media that is moved from a secured area (including when media is distributed to individuals).

Note: Cashiering and Treasury Services will maintain a log of media movement for quarterly review.

Maintain strict control over the storage and accessibility of media.

Destroy media when it is no longer needed for business or legal reasons as follows:

  • Cross-cut shred hard copy materials so that cardholder data cannot be reconstructed.
  • Secure storage containers used for materials that are to be destroyed.

Movement of media between the University’s locations is to be strictly controlled by department management and Cashiering and Treasury Services.

Note: Authorized personnel are management or employees with PCI training and a relevant business need. For confirmation as to who is authorized, please contact a member of Cashiering and Treasury Services.

Sanctions

Failure to adhere to this policy could result in disciplinary action up to and including termination.

Exceptions

None specified

Date Approved

6/30/2022

Date for Review

6/30/2023