PCard Sensitive and Protected Information Procedures

1. PCardSensitive and Protected Information Procedures

2. Sensitive and Protected Information • HSC or Main Information Security Office Must review and approve any transaction where a vendor will access, modify, store or transmit Sensitive and Protected Information • HIPAA • FERPA (Student Grades and all personal information) • PCI (Credit Card Number) • SSN • Direct Deposit Information; • Student Loan Information; • HIPAA • Banner ID

3. Sensitive and Protected Information • Examples of transactions that are flagged when security approval is not included with the PCard Log • Cloud Services • Conference Calling • Online Data Storage • Online Meetings (Webex) • Transcription Services • Web Hosting

4. HSC Security Office Complete the Preliminary Security Review Form and submit it to the HSC Information Security Office using the email address below. Please indicate the nature of the information that the vendor will access, modify, store or transmit (i.e., confidential data or data subject to HIPAA, FERPA, PCI, or other security requirements). The HSC Information Security Office will assess the submitted information and advise you with regard to IT security requirements that apply. When the identified security requirements have been met the HSC Information Security Office will notify you along with the PCard Office of the outcome of the completed IT security review. UNM Health Sciences Center Information Security Office *             Website: http://hscsecurity.unm.edu *             HSC Information Security Office: HSC-ISO@salud.unm.edu *             HSC ISO: bmetzner@salud.unm.edu Note: Purchases involving the sharing of UNM/HSC data with third parties may require an agreement, for example, a Data Use Agreement (DUA), to define responsibilities, allowed data uses and disposal of data at the end of the contract period. Purchases that require legal agreements are not supported using a PCard.

5. Main Security Office To request a review, open a Help.UNM service request Help.UNM -> Information Security and Account Access-> IT Security Compliance or Forensics Request Be sure to attach the completed Security Questionnaire for vendors to the service request, available from the link below: Login: \colleges\NetId Password: NetId Password https://collaborate.unm.edu/teamsites/infosec/Shared%20with%20Everyone/Preliminary%20Security%20Questionnaire.docx Purchase requests involving third party/ vendor access to SSN also require the following form to be completed and attached to the request: https://collaborate.unm.edu/teamsites/infosec/Shared%20with%20Everyone/UNM%20Vendor%20Security%20Questionnaire.docx Purchasing requests involving SPI must attach the approval of the appropriate data steward for any SPI to the service request. For Health Sciences Systems purchase requests, please be sure to indicate the nature of the sensitive information that will be shared with the third party. Healthcare/HIPAA related requests for the Health Sciences System are reviewed by the HSC Information Security Office. Please contact HSC-ISO@salud.unm.edufor more information, or see http://hscsecurity.unm.eduHSC-ISO@salud.unm.edu In addition, at the end of the contract period, vendors with access to private data must certify in writing that all confidential data was either returned to UNM in a form approved by UNM or that all confidential data was destroyed. For HSC requests, once a Security Review has been completed have the HSC Information Security Office reply to this email with a copy of the completed Security Review. If all other Purchasing requirements have been met your request will be processed.