Board of Governors - APPENDIX III - June 28, 2001
Recommended: That the Board approve the UWO Electronic Commerce Policy, attached as Annex 1.
Numerous units across campus have set up electronic commerce web sites and others have expressed an interest in doing so in the next year. It is expected that the demand for this service will continue to increase as departments offer more services through the Internet. E-commerce has the potential to reduce transaction costs and increase productivity while providing an easy-to-use interface from the customer perspective. While electronic commerce provides a convenient way to handle external transactions, there are high risks associated with processing transactions through the Internet. Critical elements to manage risks include:
Financial information, particularly credit card numbers, is at the highest risk in an e-commerce site because of the personal benefit an unauthorized individual could obtain by using the credit card numbers. In fact, Visa has formally warned that "if merchants are putting customers at risk, we will scrape the Visa decal off their site and cut them off."
The nature of e-commerce requires information about individuals to be collected. However, people are becoming concerned about the amount of information required and the security of the data the other party collects. If people or organizations are not confident that data is properly protected, they may be unwilling to provide it, which in turn affects the success of the e-commerce site. Public confidence can be adversely impacted if information is accessed without proper authorization.
These risks not only impact the individual or department, but they also impact the entire university. For example, if credit card numbers were stolen from a department e-commerce site and used by a hacker, the result could be the loss of credit card privileges for the entire university. Therefore, the action of one unit can impact the entire organization.
The Committee received the 2000-2001 report on the Internal Audit function for the period ended April 30, 2001. The report is attached as Annex 2.
The Committee approved the 2001-02 Internal Audit Work Plan shown in Annex 2, Schedule 1.
The Audit Committee has approved the following schedule for the review of the Audited Financial Statements for the year ended April 30, 2001, for UWO and Associated companies.
On May 31, 2001, the Audit Committee received a report on the progress in establishing a detailed Disaster Plan for the University. The table of contents of the Plan document is shown in Annex 3. The Committee was provided with drafts of several chapters. It is anticipated that the UWO Disaster Plan will be completed by the end of June 2001.
Ms. Jane O'Brien, Associate Vice-President (Human Resources), provided the Committee with an interim report of the Department of Occupational Health and Safety. The Annual Report will be provided to the Committee and to the Board in September.
The UNIVERSITY of WESTERN ONTARIO Annex 1
POLICIES and PROCEDURES
By Authority of the President & Vice-Chancellor
Secretary, The Board of Governors
Electronic commerce provides a convenient way to handle external business transactions such as course/conference registration or the purchase/sale of goods and services. However, the electronic transmission and storage of information must be secure to protect the privacy and personal information of purchasers. Departments must meet the University's requirements for security and for integrating transaction information into the University's application systems.
Electronic commerce is defined as the electronic transmission and storage of financial transactions. Financial transactions include sales, purchasing, payment acceptance and settlement.
1.00 The development of web sites which propose the electronic payment of goods and services must be reviewed by the departments of Information Technology Services (ITS), Financial Services and Internal Audit prior to the implementation of the electronic commerce site and approved by the Vice-President (Administration).
2.00 Electronic commerce sites must have mechanisms to ensure information transmitted electronically and stored on the server is protected from unauthorized access.
3.00 Departments that provide electronic commerce sites may be subject to an external security audit, at the expense of the department.
4.00 An agreement to securely accept credit card payments has been negotiated between the University, an authorized electronic commerce provider and a financial institution. Separate banking arrangements must not be entered into by departments.
5.00 Credit card information must be securely transmitted, stored and managed. Credit card information must travel in an encrypted format rather than in a clear text format such as e-mail or simple HTML forms.
6.00 Departments are responsible for retaining transaction records for audit purposes for a period of seven years.
7.00 Departments are responsible for safeguarding the confidentiality of sensitive data relating to the sale or purchase of goods and services. Information gathered about purchasers must be maintained in a secure manner and restricted to individuals who have a valid reason to know. Departments must comply with information privacy legislation and with University policies on information privacy.
8.00 Information gathered about customers must only be used for the purpose for which the information was given.
9.00 Departments interested in developing electronic commerce sites must contact UWOecommerce@uwo.ca. This will initiate contact with Information Technology Services, Internal Audit and Financial Services. These units have responsibilities to provide technical and financial consulting to aid in the secure implementation of electronic commerce sites.