This Information Security Plan ("Plan") describes 十大正规网赌平台's safeguards to protect information and data in compliance with the Financial Services Modernization Act of 1999, also known as the Gramm Leach Bliley Act, 15 U.S.C. Section 6801. The Federal Trade Commission (FTC) ruled that GLB applies to institutions of higher education as well as recent regulatory obligations at the state, federal and international levels (GDPR).

Compliance with the various regulatory demands requires compliance with 1) the privacy provisions of the act and 2) provisions regarding the safeguarding of customer information. These safeguards are intended to:

  • Ensure the security and confidentiality of covered data and information;
  • Protect against anticipated threats or hazards to the security or integrity of such information; and
  • Protect against unauthorized access to or use of covered data and information that could result in substantial harm or inconvenience to any customer.

The FTC has said that colleges are deemed in compliance with the privacy provisions of GLB if they are in compliance with the Family Educational Rights and Privacy Act (FERPA). With regard to a college's ability to safeguard nonpublic customer information, such as family financial information and Social Security and identification numbers, the FTC recognizes compliance by having an institutional security program and security plans in specific offices of the college that handle such information.

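For purposes of FERPA and GLB, the College considers students, employees, and alumni or any others who conduct financial transactions with 十大正规网赌平台 to be "customers." Customer information that must be safeguarded is "any record containing nonpublic personal information about a customer, whether in paper, electronic, or other form." It includes financial information, academic and employment information, and other private paper and electronic records.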

Information Security and Privacy

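With regard to the privacy provisions of the GLB Act, 十大正规网赌平台 complies with FERPA. Directory information (e.g., name, address, College enrollment and degree information, a list of which is published annually in the student handbook) is considered public (unless a student requests otherwise in writing). All non-directory information is restricted or confidential, or "nonpublic." Under FERPA, restricted information (e.g., academic or financial records) may be released outside the College only with the student's written consent. Designated school officials, including faculty, key employees, and occasionally outside service providers, have access to restricted, "nonpublic" information only on a need-to-know basis. Confidential information (e.g., the private notes of a faculty member or dean) is even more protected than restricted information, and is released only under certain special circumstances outlined in FERPA. Although a narrow interpretation of FERPA applies only to current and past students, consistent with GLB and long-standing good practice, the College extends FERPA privacy protections to all customers of the College.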

The Registrar's Office will provide guidance for complying with all FERPA privacy regulations. In addition, the College also complies with HIPAA (Health Insurance Portability and Accountability Act of 1996) with the Emmons Student Health Center and Human Resources providing guidance. Each college department is responsible for securing customer information in accordance with all privacy guidelines.

Plan Contents

The 十大正规网赌平台 Information Security Plan includes the following:

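  1. Designation of an Information Security Program Coordinator
  2. Risk assessment of likely security and privacy risks
  3. Design and implementation of safeguards, including a training program for all employees who have access to Covered Data and Information
  4. Service provider and contract guidelines
  5. A process for ongoing evaluation and adjustment of the Information Security Plan

The policies contained in this Information Security Plan apply to all College departments. In addition, where individual departments have additional security provisions, they will maintain written documentation of these and will make them available to the Security Program Coordinator.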

Information Security Program Coordinator

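十大正规网赌平台's designated Information Security Program Coordinator is Chief Information Officer 詹姆斯·乌里奇. All correspondence and inquiries about the 十大正规网赌平台 Information Security Plan should be directed to him.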

Risk Assessment

十大正规网赌平台 recognizes that there are risks of unauthorized use of or access to Covered Data and Information, including, but not limited to:

  • Unauthorized access of covered data and information by someone other than the owner of the covered data and information
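  • Compromised system security as a result of system access by an unauthorized person
  • Interception of data during transmission
  • Loss of data integrity
  • Physical loss of data in a disaster
  • Errors introduced into the system
  • Corruption of data or systems
  • Unauthorized access of covered data and information by employees
  • Unauthorized requests for covered data and information
  • Unauthorized access through hardcopy files or reports
  • Unauthorized transfer of covered data and information through third parties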

十大正规网赌平台 recognizes that this list of the risks associated with the protection of Covered Data and Information is not exhaustive. New risks of unauthorized use or access to Covered Information and Data are regularly created because technology growth is not static. Accordingly, ITS will actively participate in and monitor advisory groups such as the EDUCAUSE Security Institute, the Internet2 Security Working Group and SANS for identification of new risks to safeguarding Covered Data and Information.

Design and Implementation of Safeguards

Employee Management and Training

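References of new employees working in areas that regularly work with Covered Data and Information (such as the Controller's Office, Registrar, Student Accounts Receivable, Institutional Development, Residential Education/Housing Services and Financial Aid) are checked. The employee handbook, which is provided to all employees, states that violation of security policies may result in termination of employment or legal action, or both.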

Physical Security Measures

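十大正规网赌平台 has addressed the physical security of Covered Data and Information by limiting access to only those employees who have a business reason to know such information. For example, customers' personal information, accounts, balances and transactional information are available only to 十大正规网赌平台 employees with an appropriate business need for such information. Whether information is stored in paper form or in any electronically accessible format, departmental nonpublic information is maintained, stored, transmitted or otherwise handled under the direct personal control of an authorized employee of the College.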

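Financial aid records, account information and other paper documents are kept in file cabinets or rooms that are locked at the end of each business day. Confidential materials are kept secure. Office doors are locked, with access restricted by key. When offices are open for business, confidential information is kept out of sight of visitors. Offices and/or computers are shut down when the office will be vacant for an extended period. Paper documents containing covered data and information are shredded at time of disposal.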

Technical Safeguards

Access to covered data and information via 十大正规网赌平台's computer information system is limited to those employees who have a business reason to know such information. The College relies on the Information Technology Services Department to provide each employee with a unique username and password. ITS manages the College network, servers and administrative systems in accordance with industry standards. Departmental desktop computers also require user login credentials and a password for access.

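Network security, including firewall technology, has been implemented to protect administrative servers and departmental workstations from unauthorized access through the Internet. Staff in administrative and faculty offices connect to secured computers on the campus network. Off-campus access to this subnet is provided through a secure terminal services connection.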

十大正规网赌平台 takes reasonable and appropriate steps consistent with current technological developments to ensure that all covered data and information is secure and to safeguard the integrity of records in storage and transmission. ITS maintains operating systems and applications, including the timely application of appropriate patches and updates.

External Service Providers

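Because specialized expertise is needed to design, implement, and service new technologies, vendors may be needed to provide resources that 十大正规网赌平台 determines not to provide on its own. In the process of choosing a service provider that will maintain or regularly access covered data and information, the evaluation process shall include the ability of the service provider to safeguard Covered Data and Information. Contracts with service providers may include the following provisions: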

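  • An explicit acknowledgment that the contract allows the contract partner access to confidential information;
  • A specific definition or description of the confidential information being provided;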
  • A stipulation that the confidential information will be held in strict confidence and accessed only for the explicit business purpose of the contract;
  • An assurance from the contract partner that the partner will protect the confidential information it receives according to commercially acceptable standards and no less rigorously than it protects its own customers' confidential information;
  • A provision providing for the return or destruction of all confidential information received by the contract provider upon completion or termination of the contract;
  • An agreement that any violation of the contract's confidentiality conditions may constitute a material breach of the contract and entitles 十大正规网赌平台 to terminate the contract without penalty; and
  • A provision ensuring that the contract's confidentiality requirements shall survive any termination of the agreement.

Continuing Evaluation and Adjustment

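This Information Security Plan will be subject to periodic review and adjustment. The most frequent of these reviews will occur within Information Technology Services, where constantly changing technology and evolving risks mandate increased vigilance. It may be necessary to adjust the plan to reflect changes in technology, the sensitivity of student/customer data, and internal or external threats to information security.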

Reviewed/Updated September 2022