Gramm-Leach-Bliley Act Policy

I. Purpose

The Gramm-Leach-Bliley Act (GLB) was enacted in 1999 and affects all financial institutions. Colleges and universities fall under GLB as part of financial lending and alumni processes. The GLB Financial Privacy Rule requires financial institutions to provide a privacy notice at the time the consumer relationship is established and annually thereafter. It defines protections for non-public personal information (NPI). It also requires institutions to implement thorough administrative, technical and physical safeguards to protect against any anticipated threats or hazards to the security or integrity of such information.

II. Scope

This policy applies to all offices that collect, access, maintain, distribute, process, protect, store, use, transmit, dispose of or otherwise handle "Covered Information". These offices specifically include, but are not limited to, Information Technology Services (ITS), Student Financial Services, Registrar's Office, Finance Office, Residence Life, Business Operations, Alumni Relations, and Human Resources ("Covered Offices").

III. Definitions

A "Customer" is any individual (student, parent, faculty, staff, or other third party with whom the university interacts) who receives a financial service from the university and who, in the course of receiving that service, provides the university with sensitive, non-public personal information about himself or herself.

Covered Information is sensitive, non-public, personally identifiable information including, but not limited to, an individual's name in conjunction with any of the following:

  • Social Security number
  • Credit card information
  • Income and credit history
  • Bank account information
  • Tax returns
  • Asset statements

Covered Information includes both paper and electronic records.

A "financial service" is defined by federal law and includes, but is not limited to, the following activities: the lending of money; investing for others; providing or underwriting insurance; giving financial, investment or economic advisory services; marketing securities; and the like.

IV. Policy & Procedures

The objectives of this program are as follows:

  • To ensure employees have access only to the relevant data needed to conduct university business;
  • To ensure the security and confidentiality of customer records and information;
  • To protect against and prevent unauthorized access to personally identifiable financial records and information maintained by the university;
  • To comply with existing university policies, standards, guidelines and procedures; and
  • To comply with applicable federal, state and local regulations.

Information Security Program Coordinator

The designated employee for the coordination and oversight of this policy is the Director of Administrative & Enterprise Services or his/her designee (the "Information Security Program Coordinator" or "coordinator"). The coordinator is responsible, for all relevant areas of the university: 1) to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of Covered Information; 2) to evaluate the effectiveness of the current safeguards for controlling these risks; 3) to design and implement a safeguards program; 4) to implement a training program for employees who have access to Covered Information; 5) to oversee service provider(s) and contracts; and 6) to periodically evaluate and adjust the security program.

The coordinator, under the direction of the Assistant Vice President for Operations & Compliance, may establish a Gramm-Leach-Bliley working committee to work with the coordinator in implementing the various elements of the policy. The coordinator may also designate other university officials to oversee and coordinate specific elements of the policy. All comments and inquiries about the university's Gramm-Leach-Bliley Policy should be sent by e-mail to the coordinator at 杰拉尔德.korea@39y8.net.

Risk Assessment

The coordinator provides guidance to Covered Offices to identify and assess internal and external risks to the security, confidentiality, and integrity of Covered Information that could result in unauthorized access, disclosure, misuse, alteration, destruction or other compromise of such information.

Each Covered Office is responsible for ensuring the security of Covered Information in accordance with this policy. Covered Offices must develop and document their own safeguards for the Covered Information they hold. The scope of this assessment and evaluation may include but is not limited to management and training of employees (including student employees) and volunteers; information systems (including network and software design, as well as information processing, storage, transmission and disposal for both paper and electronic records); procedures for detecting, preventing and responding to attacks, intrusions, or other system failures (including data processing and telephone communication); and contingency planning and business continuity.

Employee Training

Each Covered Office trains and educates its employees on relevant policies and procedures for safeguarding Covered Information. The coordinator, together with the Office of Risk & Compliance Management, helps each office develop procedures for evaluating the effectiveness of its employee training procedures and practices.

Information Systems

The coordinator, or his/her designee, develops procedures to assess the risks to Covered Information associated with the university's information systems, including network and software design, as well as information processing, storage, transmission, retrieval, and disposal of such information. This assessment includes a review of the university's information technology practices and procedures. In addition, the coordinator evaluates the procedures for monitoring potential information security threats associated with software systems and for updating such systems by, among other things, implementing patches or other software fixes designed to address security vulnerabilities.

Physical Security of Paper Records

Covered Offices shall develop and maintain procedures that reasonably ensure the security of paper records and include guidelines relating to the university's records retention and disposal policies. Periodic physical assessments of these procedures for paper records shall be conducted.

Managing System Failures

The university maintains systems to prevent, detect, and respond to attacks, intrusions, and other system failures. The coordinator, or his/her designee, maintains plans for detecting, preventing and responding to attacks or other system failures; and reviews network access and security policies and procedures, and protocols for responding to network attacks and intrusions.

Designing and Implementing Safeguards

The risk assessment and analysis described herein shall apply to all methods of handling or disposing of Covered Information, whether in electronic, paper or other form. On a regular basis, the coordinator shall implement safeguards to control the risks identified through such assessments and shall regularly test or otherwise monitor the effectiveness of these safeguards. The level of monitoring will be appropriate based upon the potential impact and probability of the risks identified, as well as the sensitivity of the information involved.

Service Providers and Contracts

From time to time, the university may share Covered Information with third parties in the normal course of business. These activities may include debt collection activities, transmission of documents, destruction of documents or equipment, or other similar services. All contracts must include provisions for third-party Gramm-Leach-Bliley compliance.

The coordinator works with those responsible for third-party service procurement activities and with Covered Offices to raise awareness of, and to institute methods for, selecting and retaining only those providers that are capable of maintaining appropriate safeguards for Covered Information.

V. Exceptions

Any exceptions to this policy are to be reviewed and approved by the Information Security Program Coordinator in consultation with the Office of Risk & Compliance Management, as needed.

V. Responsibility

The Information Security Program Coordinator is responsible for implementing the provisions of this policy.

Employees with access to Covered Information must abide by university policies and procedures governing Covered Information, as well as any additional practices or procedures established in their units.

VI. Cross References

This policy is supported by the following policies, procedures and/or guidelines.

VII. Resources

Federal Trade Commission Safeguards Rule (external website)

Effective Date: June 1, 2018 | Updated: June 1, 2020