NACUBO


Business Officer Magazine

Business Briefs

Short news articles based on research surveys and peers’ business experiences that can benefit institutions

CAMPUS OPERATIONS
Resources to Make Your Campus H1N1-Ready

Fewer Offers to Foreign Students

-3%

The change from 2008 to 2009 in number of prospective international students who were offered admission to U.S. graduate schools.

+2%

The median change in admissions offers to graduate students who were U.S. citizens or permanent residents during the same time period.

276k+

The number of foreign graduate students enrolled at U.S. graduate schools in academic year 2007–08.

$15.5B

The estimated economic contribution of international graduate students to the U.S. economy during 2007–08.

Sources: Council of Graduate Schools, Findings from the 2009 CGS International Graduate Admissions Survey Phase II: Final Applications and Initial Offers of Admission, August 2009; Institute of International Education, Open Doors, 2008.

Outbreaks of the 2009 H1N1 (“swine flu”) virus are already being reported. Is your institution prepared to continue functioning effectively should the virus hit your campus?

To address the many operational challenges a pandemic raises for higher education institutions, NACUBO, CUPA-HR, and ACHA presented the September 15 webcast “H1N1 Campus Management: Perspectives from Human Resources, the Business Office, and Student Health Services.” James E. Lyons Sr., secretary of higher education for the Maryland Higher Education Commission, moderated the event, which featured three representatives of Carnegie Mellon, Pittsburgh: Anita Barkin, director of student health services; Barbara Smith, associate vice president and chief human resources officer; and Deborah Moon, vice president for finance and chief financial officer. All three offered recommendations for managing and maintaining a safe and healthy campus, and they emphasized the need for effective communication across all levels of campus management.

Social-Distancing Practices

To help contain the H1N1 virus, Barkin recommended postponement of large social gatherings whenever possible and offered techniques for social distancing, such as refraining from shaking hands, and modifying work and classroom spaces by moving desks further apart. She cited examples of different responses—and their related effects—taken by various cities during the 1918 outbreak, including the following:

New York City. An early and sustained response, as advised by the NYC Public Health Response Team, called for strictly enforced isolation and quarantine and staggered business hours over a 10-week period. These practices resulted in the lowest excess death rate (that is, deaths that occur before average life expectancy) for any city on the East Coast during the time period reviewed. Although the city did not officially close schools, absentee rates were greater than 45 percent during the peak of the pandemic.

St. Louis. The city minimized fatalities through layered and sustained interventions early in the pandemic, including school closures, quarantines, bans on public gatherings, and so forth.

Pittsburgh. In contrast, the city was well into its outbreak before implementing interventions. As a result, it experienced the highest excess death rate of any of the 43 cities reviewed.

The Case for Isolation

Barkin underscored how critical it is for students and faculty to understand that isolation and self-isolation will flatten the surge of the illness. Campuses nationwide should prepare to offer sick students accommodations on campus with alternative, isolated living quarters and access to meals and health care. At Carnegie Mellon, for example, ill students who live off campus are urged to stay home and avoid contact with others, while students in residential housing who do not come from areas near Pittsburgh are being taken care of by staff members in student health services, housing, dining, and student affairs.

Among other tips for caring for ill students, Barkin recommended (1) determining a screening protocol for use by emergency personnel, (2) setting up with resident life staff an H1N1 dispatch alert system, and (3) securing infirmary locations and determining additional areas and resources within your community that can be used, if necessary.

Staffing Protocols

More on H1N1

Take advantage of the many resources available to help you plan for potential flu outbreaks, including the following:

  • Read an expanded report on the webcast, “H1N1 Campus Management: Perspectives from Human Resources, the Business Office, and Student Health Services,” in October 2009 HR Horizons, NACUBO's online newsletter.

Smith noted that the impact of H1N1 on faculty and staff may mean an increased workload for all employees, coupled with a reduction in the staff available to accomplish the work. She encouraged campuses to identify essential functions and key staff members, begin “depth charting” to determine backup staffing, examine short-term staffing solutions and the possibility for employees to work outside their job descriptions, and develop return-to-work guidelines.

Smith also encouraged campuses to review internal policies surrounding emergency closings, flextime, working from home, and the Family and Medical Leave Act (FMLA) and the Fair Labor Standards Act (FLSA). With regard to FMLA and FLSA in particular, ensure that HR staff are equipped to monitor and document these situations. Finally, campuses with child-care facilities require special protocols to limit exposure to young children and must establish real expectations among family and staff regarding the institution's response in the event of an outbreak.

Facilities and Financial Functions

Moon emphasized the need for sound facility planning, including developing temporary, permanent, or leased infirmaries for isolated students and making sure facilities are available for quick and deliberate repurposing.

On the financial operations side, advised Moon, address systems infrastructure and key areas of continuity (payroll and accounts payable, for example) sooner rather than later. Ask the following questions to direct your efforts: Do students, faculty, and staff have remote access to university information? Who can replace the roles of functional and technical staff if they become ill? Are practices in place to keep payments and payroll running and to meet regulatory and contractual obligations?

Keep Everyone in the Loop

Ultimately, communication is essential to restraining a pandemic. Moon advised the following:

  • Ensure that campus police and emergency personnel have the proper communication tools, training, and equipment.
  • Create a phone bank using social media tools such as Twitter and Facebook.
  • Develop strong messaging early, and distribute ongoing messages about good hygiene and emergency planning.
  • Become a partner with the larger community in an effort to mitigate the spread of the virus. For instance, your campus can become a flu surveillance site and a point of distribution for the vaccine. Contact your local health department to learn more.

Finally, Barkin reminded participants not to overlook the obvious. Secure surgical masks, hand sanitizers, and other important supplies, since these items tend to become scarce once an outbreak hits, and since the prices only inflate with demand.

SUBMITTED BY Tadu Yimam, policy analyst, NACUBO, 202.861.2541


SPOTLIGHT: SMALL INSTITUTIONS
Despite Economy, Donors Keep Giving

Randolph-Macon College (R-MC) received more than $7.7 million in private support from alumni, parents, and friends of the college during the 2008–09 academic year, an annual jump of more than $1.2 million. “Given the current economic climate, this increase in giving is remarkable,” says Randolph-Macon College President Robert R. Lindgren.

More importantly, 33 percent of R-MC alumni chose to make contributions to the college. This is the highest alumni giving participation rate in nearly a decade. We were particularly pleased to see our outreach to graduates from the 1990s classes yield an increase in participation to 25 percent compared to approximately 17 percent in recent years. At the same time, we learned a few things with this campaign that should help in our future fundraising efforts.

Speak Their Language

Much of our growth in donations can be attributed to an increase in the number of alumni volunteers soliciting their classmates on behalf of the college. Peer-to-peer solicitation methods are oftentimes the most successful ones. More than 175 alumni volunteers were recruited for this special effort, and they reached out to thousands of our graduates.

We've been increasingly aggressive in recruitment, adding 25 to 30 new volunteers each year. With little attrition, our cultivation efforts have a cumulative effect.

The process to manage such a large group was fairly staff-intensive. For each alumnus serving as a graduating-class “agent” we provided:

  • Resources, such as sample scripts.
  • Unlimited access to a dedicated point of contact, with a specific staff member assigned to serve volunteer agents from the various class years (2000s, 1990s, and so on).
  • Continuous updates from our office on the status of campaign goals.
  • Personal thank-you notes from the president.

Provide Training and Tools

Initially, the dedicated staff liaison contacts his or her volunteer group via e-mail. We host a sizable training session each year in conjunction with homecoming weekend. We train volunteers on the details of different gifts and the ways they can be contributed. Along with sample scripts, we provide common objections and how to handle them. And, we continue adding tools to make fundraising efforts easier. For example, new software enables volunteers to customize a Web page within our site to more easily communicate with former classmates electronically.

Appeal to Favorite Areas or Activities

When contacting potential donors, alumni offer the opportunity to specify particular areas to which contributions could be directed, including endowed professorships, renovations of campus facilities, endowed scholarships, construction funds for new athletic facilities, and the college's annual fund. The largest number of donors, by far, contributes to the annual fund.

The annual fund contributions totaled $1,141,000, which represents the largest total in the college's history. Support for the 2008–09 fund was especially important because all donations to the annual fund were used to provide financial aid support for deserving R-MC students. “This sort of increase in alumni giving is almost unheard of in higher education,” notes Lindgren. “Randolph-Macon is very lucky to have such dedicated and committed alumni who have stepped up in a big way this past year despite a year of financial uncertainty.”

SUBMITTED BY Laura E. Doherty, executive director of development, Randolph-Macon College, Ashland, Virginia


BUSINESS CONTINUITY
High-Water Response

No sooner had Mount Mercy College, Cedar Rapids, Iowa, finished creating its emergency plan in June 2008 than a severe weather event sent the local river 12 feet above flood stage. The campus itself sat on the highest point in the county and was unaffected by the flooding, but college faculty and staff immediately pitched in to help. Molly Altorfer, Mount Mercy's director of communications and marketing, and Barbara Pooley, vice president for finance and business operations, shared details of the event at the NACUBO 2009 Annual Meeting session, “Waterlogged: Iowa Floods Test College's Emergency Plan.”

One hundred members of the campus community helped with the sandbag efforts, while Mount Mercy College became the community operational headquarters, hosting 600 National Guard and Red Cross staff, plus local nurses. The campus actually closed for a short time, during which the National Guard operated from the student financial aid office. Mount Mercy was also able to accommodate 10 local businesses in a classroom building until August 1, when they had to evacuate in preparation for student arrivals. Campus employees volunteered their time during the closure, even to the extent of taking the Guard's laundry to their homes where the water supply was not limited.

Keys to the effective implementation of the emergency plan, said Altorfer and Pooley, included the following:

  • Training on incident command structure. Conducted by the Federal Emergency Management Agency, this step was critical to securing FEMA reimbursement of expenses or loss. Such payments are based on thorough, clear documentation—including the time spent preparing the documents—which, in this case, was significant.
  • Independent evaluation by incident experts. This step identifies weaknesses in the emergency plan.
  • Purchase of additional Web site URLs. These were needed when the Internet service provider was flooded with messages and rendered unavailable. The college created an emergency Web site to field the additional e-mail traffic.
  • Partnerships established before the crisis. For example, an agreement with nearby Coe College, also in Cedar Rapids, called for each college to house the other's students, when necessary.

Pooley and Altorfer also noted that the college expressed gratitude to the National Guard and other emergency workers with T-shirts, DVDs, and an ad in the local newspaper after the event.

SUBMITTED BY Maryann Terrana, director, constituent programs, NACUBO


DATA SECURITY
Noteworthy Outcomes From 2009 PCI Community Meeting

The Payment Card Industry (PCI) Council held its third PCI Community Meeting, September 22–24 in Las Vegas. As a participating organization in the PCI Security Standards Council, NACUBO ensures that higher education has a voice in setting and revising the PCI Data Security Standard (DSS). NACUBO invited us to represent the association at the recent meeting, the outcomes of which will affect every NACUBO member institution, as the PCI Council revises the Data Security Standard in the coming year to reflect new threats and emerging technologies.

Specifically, an updated version of the Payment Card Industry Data Security Standard (PCI DSS) will become effective Oct. 1, 2010. The PCI Council is currently in its “feedback” stage that lasts until April 2010. A revised or new version—it's not yet clear which it will be—of the DSS will be published in May 2010 and open to final comment until August 2010. The updated version will be discussed at the next PCI Community Meeting in September 2010 and implemented immediately afterward. (For an overview of the current standard, see the earlier article, “Straight Talk About Data Security,” in the December 2007 issue of Business Officer.)

From the many presentations and open microphone question-and-answer sessions at the meeting, we gathered some insights as to revisions that might or might not be included in the updated standard. Early feedback can be grouped into three areas: evolving requirements (technologies and trends) that might affect PCI standards; clarifications to existing standards, training, and supporting documentation; and requests for more detailed guidance.

Emerging Technologies

The PCI Council commissioned PricewaterhouseCoopers (PwC) to identify technologies in the marketplace that have the potential to reduce the scope for PCI DSS. Specifically, the council asked the company to describe technologies that had the capability to:

  • Improve PCI DSS adoption rates.
  • Reduce costs of standards implementation.
  • Accelerate a broader effort to protect cardholder data.
  • Enhance cardholder data security and compliance with PCI DSS.
  • Reduce or eliminate storing, processing, and transmitting of cardholder data.
  • Improve efficiency and effectiveness to meet PCI DSS requirements.

The findings PwC presented—which PCI Council members themselves had seen only the day before—were preliminary and not intended to be an endorsement or dismissal of any technology. Starting with 12 technology solutions, PwC narrowed its focus to the following:

  • End-to-end encryption. By encrypting cardholder data from one point (generally the point of sale) to another (such as a point beyond the merchant's network), using secure encryption devices in an end-to-end solution, the merchant never sees the cardholder data once it's encrypted.
  • Magnetic stripe imaging. Unique, random traits in each card's magnetic stripe are used to authenticate and verify the legitimacy of the card.
  • Tokenization. A token, or unique, non-PCI-relevant value, is substituted for the cardholder data. The cardholder data cannot be derived from only the token, and the only association between the cardholder data and the token is through a reference table stored in a secure repository.
  • Virtual terminals. An online service allows merchants to accept payment cards without a dedicated hardware terminal or point of sale (POS) system.
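
The tokenization item above, sketched as an added example (not from the article, PwC, or the PCI Council): an in-memory vault issues random tokens, so the only link back to the card number is the vault's reference table. The `TokenVault` class, the `tok_` token format, and the retained last four digits are assumptions for illustration; a real repository would encrypt stored card numbers and tightly restrict who may call the lookup.

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical secure repository holding the token <-> card reference table."""

    def __init__(self) -> None:
        # Key for the lookup index, so the index holds no raw or plainly hashed PANs.
        self._index_key = secrets.token_bytes(32)
        self._by_token: dict[str, str] = {}        # token -> PAN (encrypt at rest in practice)
        self._by_fingerprint: dict[str, str] = {}  # HMAC(PAN) -> token

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, raw_pan: str) -> str:
        pan = raw_pan.replace(" ", "").replace("-", "")
        if not (pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        fp = self._fingerprint(pan)
        if fp in self._by_fingerprint:             # same card always maps to the same token
            return self._by_fingerprint[fp]
        while True:
            # The token body is random, not computed from the PAN, so it cannot be
            # reversed. Only the last four digits are kept (assumed design choice,
            # useful for receipts and customer service).
            token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
            if token not in self._by_token:
                break
        self._by_token[token] = pan
        self._by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Reference-table lookup: the only path from token back to card number."""
        return self._by_token[token]               # KeyError for unknown tokens


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample: a widely used test card number, not a real account.
    token = vault.tokenize("4111 1111 1111 1111")
    merchant_record = {"order_id": "A-1001", "card": token}  # what the merchant system stores
    print(merchant_record)
```

Systems that store only the token hold nothing that leads back to the card number; the vault is the one component that still stores cardholder data.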

Each of these technologies is in the marketplace in one or more forms today, although they do not collectively represent a “silver bullet” that can address all PCI issues and requirements. The impact of any of them is highly variable depending on the way—and the environment—in which they are implemented. Other considerations include the business case for adopting the tools (none of the technologies is free); integration of the applications with the existing payment environment; and the impact on staff and customers.

PwC offered some final meeting insights:

  • Each technology represents a shifting of the PCI compliance burden from the merchant to a service provider of some kind.
  • The PCI Council will need to identify the impact, if any, that each technology might have on the Data Security Standard.
  • Merchants may explore layering two or more of these technologies to protect cardholder data; for example, combining a virtual terminal with end-to-end encryption.
  • Institutions should ignore the need to justify the investment in any of these technologies and, rather, assess the possible shifts in liability of financial consequences for each party.

The PCI Council is evaluating PwC's findings, some of which may be reflected in the updated DSS due in October 2010. In the meantime, the council may decide to publish implementation guidelines on some of the applications. We will continue to monitor the council's deliberations and report back to NACUBO on any reports, conclusions, or recommendations.

Special Interest Groups Advise and Clarify

Ad hoc teams of representatives from participating organizations have been assembled into special interest groups (SIGs) to research and advise the PCI Council on specific topics. A member of the PCI Advisory Board chairs each group. SIGs can develop guidance for implementing a technology or make recommendations on possible clarification to or changes in the data security standard. Each of the four current SIGs reported its findings as follows:

Wireless. This group issued its report on implementing wireless technology in the payment environment; members plan to look next at Bluetooth technology and how it might be incorporated in the credit card area.

Virtualization. The PCI Council chartered this SIG last February, with the goal of producing an information supplement to the DSS that will likely be in two parts. The first part calls for a white paper defining “virtualization,” articulating the risks, and describing some common use cases. The second is a mapping tool, providing “practical guidance that aligns the DSS with virtualization, indicating where virtualization achieves DSS objectives, where compliance cannot be achieved with virtualization, and where virtualization presents a compensating control.” The group has drafted its white paper, which is under review by the PCI Council. We hope to see it in January, at which time the SIG expects to have its mapping tool ready for review.

Preauthorization data. Established last year, this group is charged with finding a way to deal with retaining sensitive authentication data, a practice common in industries and applications such as hospitality, recurring payments, and gasoline stations. The group's findings are important to the many NACUBO institutions that operate hotels and process recurring payments.

This SIG's draft report, sent to the PCI Council in September, has not yet been released. Based on the meeting presentation, we expect a two-part recommendation: (1) pressuring acquirers and processors to change their requirements to eliminate the need for merchants to retain the sensitive data; and (2) a DSS change that would allow merchants to retain the data briefly, if it is encrypted, and delete them when no longer needed. Whether either recommendation will be accepted is unclear at this time.

Scoping. One of the first challenges in achieving PCI compliance is limiting the institution's PCI scope. That is, minimizing the systems and data that are subject to (“in scope” for) PCI DSS. The PCI Scoping SIG aims “to provide a standardized, formal methodology approved by the council and consistently used by Qualified Security Assessors (QSAs) and customers.” This newest SIG, which generated a great deal of interest and comment, seems to be taking its charter quite seriously; members are challenging the very definition of “cardholder data,” something that has been defined from the beginnings of PCI DSS activity.

PIN Transaction Security

If your campus has devices into which customers enter their personal identification number (PIN) to complete a transaction, you will be interested in this SIG. Its charter includes both attended devices (such as those used for debit cards) and unattended devices (such as kiosks for parking, vending, and ticketing). It was clear from this session that a wide range of such vendors and products exists in the marketplace, and not all of them are compliant with current or expected standards. If you are implementing any PIN-based transaction hardware on your campus, it is advisable to consider one of the PCI PIN transaction security devices.

Parting Thoughts

Bob Russo, general manager of the PCI Council, closed the three days of meetings by summarizing the event's major points:

  • Recognized the success of the SIGs and the many suggestions made throughout the meeting for additional groups to address other issues—and perhaps even other industries (expect to see several more SIGs in the coming year).
  • Noted ongoing opportunities for the PCI Council to simplify, clarify, and interpret parts of the DSS. (This will likely include additional guidance documents from the council.)
  • Acknowledged that properly defining the scope of an institution's PCI compliance effort is critical, as is minimizing that scope.

As a participating organization, NACUBO has the opportunity to comment in advance of proposed changes to the DSS. Contact us with your comments or suggestions.

SUBMITTED BY Walt Conway, QSA, CPISM, manager, 403 Labs LLC, Milwaukee, and Tom Davis, CISSP, CISM, chief information security officer, Information and Infrastructure Assurance, Indiana University, Bloomington

RESOURCE LINK For more information addressing the unique PCI compliance challenges for higher education, read Walt Conway's PCI blog for the Treasury Institute.
