This Information Security Plan ("Plan") describes the safeguards the College uses to protect information and data in compliance with the Financial Services Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLB), 15 U.S.C. Section 6801. The Federal Trade Commission (FTC) has ruled that GLB applies to institutions of higher education, in addition to recent regulatory obligations at the state, federal and international (GDPR) levels.

Compliance with these various regulatory requirements means complying with 1) the privacy provisions of the Act and 2) the provisions regarding the safeguarding of customer information. These safeguards are intended to:

  • Ensure the security and confidentiality of covered data and information;
  • Protect against anticipated threats or hazards to the security or integrity of such information; and
  • Protect against unauthorized access to or use of covered data and information that could result in substantial harm or inconvenience to any customer.

The FTC has indicated that colleges are deemed to be in compliance with the privacy provisions of GLB if they comply with the Family Educational Rights and Privacy Act (FERPA). With respect to colleges being able to safeguard non-public customer information, such as family financial information and social security and identification numbers, the FTC confirms compliance through the establishment of an institutional security plan and security programs within the specific offices of the college that handle such information.

For purposes of FERPA and GLB, the College considers students, employees, and alumni or any other third party engaged in a financial transaction with the College as "customers". Customer information that must be protected is "any record containing non-public personal information about a customer, whether in paper, electronic, or other form." It includes financial information, academic and employment information, and other private paper and electronic records.

Information Security and Privacy

With respect to the privacy provisions of the GLB Act, the College complies with FERPA. Directory information (e.g., name, address, college enrollment and degree information), the list of which is published yearly in the Student Handbook, is considered public (unless a student has requested otherwise in writing). All non-directory information is restricted or confidential, or "non-public." Under FERPA, restricted information (e.g., academic or financial records) is released outside the college only with the student's written consent. Designated school officials, including faculty, key employees and occasionally outside service providers, have access to restricted, "non-public" information only on a need-to-know basis. Confidential information (e.g., a faculty member's or dean's private notes) is even more protected than restricted information, and is released only in certain unusual circumstances as outlined in FERPA. Although FERPA, if narrowly construed, applies only to enrolled students and past students, in compliance with GLB and long-standing good practice the College extends FERPA privacy protections to all customers of the college.

The Registrar's Office will provide guidance in complying with all FERPA privacy regulations. In addition, the College also complies with HIPAA (the Health Insurance Portability and Accountability Act of 1996), for which Emmons Student Health Center and Human Resources provide guidance. Each College department is responsible for protecting customer information in accordance with all privacy guidelines.

Contents of the Plan

The College Information Security Plan includes the following:

  1. Designation of an Information Security Plan Coordinator
  2. A risk assessment of likely security and privacy risks
  3. Design and implementation of safeguards, including a training program for all employees who have access to covered data and information
  4. Service provider and contract guidelines
  5. Process for continued evaluation and adjustment of the Information Security Plan
  6. The policies incorporated in this Information Security Plan apply to all College departments. In addition, where individual departments have additional security provisions, they will maintain these in writing and make them available to the Security Program Coordinator.

Information Security Plan Coordinator

The designated Information Security Plan Coordinator for the College is James Uhrich, CIO. All correspondence and inquiries about the College Information Security Plan should be directed to him.

Risk Assessment

The College recognizes that risks of unauthorized use of or access to Covered Data and Information exist, including, but not limited to:

  • Unauthorized access to covered data and information by someone other than the owner of the covered data and information
  • Compromised system security as a result of system access by an unauthorized person
  • Interception of data during transmission
  • Loss of data integrity
  • Physical loss of data in a disaster
  • Errors introduced into the system
  • Corruption of data or systems
  • Unauthorized access of covered data and information by employees
  • Unauthorized requests for covered data and information
  • Unauthorized access through hardcopy files or reports
  • Unauthorized transfer of covered data and information through third parties

The College recognizes that this list of risks associated with the protection of covered data and information is not exhaustive. Because technology growth is not static, new risks of unauthorized use of or access to covered information and data are created regularly. Accordingly, ITS will actively participate in and monitor advisory groups such as the EDUCAUSE Security Institute, the Internet2 Security Working Group and SANS to identify new risks to the protection of covered data and information.

Design and Implementation of Safeguards

Employee Management and Training

References of new employees working in areas that regularly use covered data and information (such as the Controller's Office, Registrar, Student Accounts, Institutional Advancement, Residential Education/Housing Services and Financial Aid) are checked. The Employee Handbook, which is provided to all employees, states that violation of security policies could result in termination of employment or legal action, or both.

Physical Security Measures

The College addresses the physical security of covered data and information by limiting access to only those employees who have a business reason to know such information. For example, personal customer information, accounts, balances and transactional information are available only to College employees with an appropriate business need for such information. Whether the information is stored in paper form or in any electronically accessible format, departments keep non-public information stored, transmitted and otherwise handled under the direct personal control of an authorized employee of the College.

Financial aid records, account information and other paper documents are kept in file cabinets or rooms that are locked at the end of each business day. Confidential materials are kept secure. Office doors are locked and access is controlled by key. When offices are open for business, confidential information is kept out of sight from visitors. Offices and/or computers are shut down when the office will be vacant for an extended length of time. Paper documents that contain covered data and information are shredded at time of disposal.

Technical Safeguards

Access to covered data and information through the College's computer information systems is limited to those employees who have a business reason to know such information. Each employee is assigned a unique user name and password by ITS. ITS manages the College network, servers and administrative systems according to industry standards. Departmental desktop computers also require use of the user login credential and password for access.

Network security measures, including firewall technology, are in place to prevent unauthorized persons from accessing administrative servers and departmental workstations via the Internet. Staff in administrative and faculty offices connect to secured computers on the campus network. Off-campus access to this subnet is provided through a secure terminal services connection.

The College takes reasonable and appropriate steps, consistent with current technological developments, to ensure that all covered data and information is secure and to safeguard the integrity of records in storage and transmission. ITS maintains operating systems and applications, including application of appropriate patches and updates in a timely fashion.

External Service Providers

Because specialized expertise is needed to design, implement and service new technologies, vendors may be needed to provide resources that the College determines not to provide on its own. In the process of choosing a service provider that will maintain or regularly access covered data and information, the evaluation process shall include the ability of the service provider to safeguard covered data and information. Contracts with service providers may include the following provisions:

  • An explicit acknowledgement that the contract allows the contract partner access to confidential information;
  • A specific definition or description of the confidential information being provided;
  • A stipulation that the confidential information will be held in strict confidence and accessed only for the explicit business purpose of the contract;
  • An assurance from the contract partner that it will protect the confidential information it receives according to commercially acceptable standards and no less rigorously than it protects its own customers' confidential information;
  • A provision providing for the return or destruction of all confidential information received by the contract provider upon completion or termination of the contract;
  • An agreement that any violation of the contract's confidentiality conditions may constitute a material breach of the contract and entitles the College to terminate the contract without penalty; and
  • A provision ensuring that the contract's confidentiality requirements shall survive any termination agreement.

Continued Evaluation and Adjustment

This Information Security Plan will be subject to periodic review and adjustment. The most frequent of these reviews will occur within Information Technology Services, where constantly changing technology and evolving risks mandate increased vigilance. It may be necessary to adjust the plan to reflect changes in technology, the sensitivity of student/customer data, and internal or external threats to information security.

Reviewed/Updated September 2022