I. 目的
《推荐全球十大博彩公司排行榜》(GLB)于1999年颁布,影响所有金融机构. 作为金融贷款和校友流程的一部分,学院和大学属于GLB. GLB金融隐私规则要求金融机构提供隐私 建立消费者关系时通知,此后每年通知一次. It defines the protection of non-public personal information (NPI). 它还要求 机构要实施彻底的行政、技术和物质保障 to protect against any anticipated threats or hazards to the security or integrity 这些信息.
II. 范围
本政策适用于所有收集、存取、维护、分发、处理、 protect, store, use, transmit, dispose of, or otherwise h和le 覆盖信息. These offices specifically include, but are not limited to Information Technology 服务(ITS),学生金融服务,注册办公室,财务办公室,宿舍 生活、业务运作、校友关系及人力资源(“涵盖办事处”).
3. 定义
A “客户是指任何个人(学生、家长、教师、员工或其他第三方) (大学相互作用)谁从大学获得金融服务和 在接受这项服务的过程中,为大学提供了敏感的, non-public, personal information about themselves.
“覆盖信息” is sensitive, non-public, personally identifiable information includes, but may 不限于,个人姓名与以下任何一项一起:
- social security number
- credit card information
- income 和 credit history
- bank account information
- 纳税申报表
- 资产声明
覆盖信息 includes both paper 和 electronic records.
A "金融服务" is defined by federal law to include, but not be limited to, such activities as the lending of money; investing for others; providing or underwriting insurance; giving financial, investment or economic advisory 服务; marketing securities 和 the 就像.
IV. 政策 & 过程
The goals for this program are as follows:
- 确保员工只能访问大学所需的相关数据 业务;
- To ensure the security 和 confidentiality of 客户 records 和 information;
- To safeguard 和 prevent unauthorized access to personally identifiable financial records 和 information maintained by the university;
- 遵守大学现行的政策、标准、指引及程序; 和
- To comply with applicable federal, state 和 local regulations.
Information Security Plan Coordinator
主管是负责协调和监督本政策的指定员工 行政 & Enterprise Services or his/her designee (“Information Security Plan Coordinator” or “coordinator”). The coordinator works with all relevant areas 1)识别合理可预见的内外部风险 2)评估所涵盖信息的安全性、保密性和完整性 the effectiveness of the current safeguards for controlling these risks, 3) design 并实施保障计划,4)对员工实施培训计划 谁有权访问覆盖信息,5)监督服务提供商和合同 合规, 和 6) to evaluate 和 adjust the security plan periodically.
The coordinator, with guidance from the assistant vice president of operations & 合规, may establish a Gramm-Leach-Bliley working committee to work with the coordinator to carry out elements of the policy. The coordinator may also designate other university officials to oversee 和 coordinate particular elements of the policy. 所有评论 询问学校的格雷姆-里奇-比利利政策应该通过电子邮件发送 to the coordinator at 杰拉尔德.korea@chertok-film.com.
风险评估
协调员向所涉办事处提供指导,以确定和评估内部 以及涉及信息的安全性、保密性和完整性的外部风险 这可能导致未经授权的访问,披露,滥用,更改,销毁 or other compromise 这些信息
Each Covered Office is responsible for securing 覆盖信息 in accordance 有了这个政策. Covered Offices must develop 和 document their own information safeguards for 覆盖信息. The scope of such assessment 和 evaluation may 包括但不限于员工(包括学生)的管理和培训 employees) 和 volunteers; information systems (including network 和 software design, 以及信息的处理、存储、传输和处理,兼备纸张 和 electronic records); procedures for detecting, preventing 和 responding to attacks, 入侵或其他系统故障(包括数据处理和电话通信); 和 contingency planning 和 business continuity.
员工培训
每个承保办事处对其雇员进行有关政策和程序的培训和教育 for safeguarding 覆盖信息. The coordinator, along with the office of Risk & Compliance management, helps each Covered Office develop procedures to evaluate the effectiveness of its procedures 和 practices regarding employee training.
信息系统
协调员或其指定人员制定评估承保风险的程序 与大学信息系统相关的信息包括网络 以及软件设计,以及信息的处理、存储、传输、检索、 和 disposal of 覆盖信息. This assessment includes a review of the university’s information technology practices 和 procedures. In addition, the coordinator assesses 监视与潜在信息安全威胁相关的程序 软件系统和更新这样的系统,除其他事项外,实施 patches or other software fixes designed to deal with security flaws.
Physical Security of Paper Records
Covered Offices should develop 和 maintain procedures that reasonably assure the 纸质记录的安全,包括与大学记录有关的指导方针 retention 和 disposal policy. Periodic evaluation of these procedures regarding physical paper records should be conducted.
Managing System Failures
大学维护系统,以防止,检测和响应攻击,入侵, 和 other system failures. The coordinator, or his/her designee, maintains plans for detecting, preventing 和 responding to attacks or other system failures; 和 reviews 网络访问有安全策略和程序,以及相应的协议 network attacks 和 intrusions.
Designing 和 Implementing Safeguards
本文所述的风险评估和分析应适用于所有处理方法 or disposing of 覆盖信息, whether in electronic, paper, or other forms. 协调人应定期实施防范措施,控制风险 identified through such assessments 和 to regularly test or otherwise monitor the effectiveness of such safeguards. The level of monitoring will be appropriate based upon the potential impact 和 probability of the risks identified, as well as the sensitivity of the information provided.
Service Providers 和 Contracts
大学可能会不时与第三方共享涵盖信息 in the normal course of business. These activities may include debt collection activities, 传送文件、销毁文件或设备,或其他类似行为 服务. All contracts must include provisions that address third-party Gramm-Leach Bliley合规.
协调者与负责第三方服务采购的人员一起工作 活动和覆盖办事处,以提高认识,并制定方法 只选择和保留那些有能力维护适当的 safeguards for 覆盖信息.
V.异常
本政策的任何例外情况均应由信息安全部门审查和批准 Plan Coordinator in consultation with the office of Risk & Compliance Management, 根据需要.
V. 责任
信息安全计划协调员负责实施这些规定 这个政策.
有权访问涵盖信息的员工必须遵守大学政策和 管理“承保信息”的程序,以及任何其他做法或程序 established in their units.
VI. 交叉引用
This policy is supported by the following policies, procedures, 和/or guidelines.
- Account Creation 和 Removal 政策 (.pdf)
- 接受able Use 政策
- 电脑 & Electronic 资源 政策
- 电子邮件策略
- 安全策略 (.pdf)
- 文档保留 & 毁灭的政策
- 健康保险流通与责任法案政策
7. 资源
Effective: 06/01/2018 | Updated: 6/01/2020