Purpose
Roane State Community College (RSCC) will protect the college’s information resources as mandated by the Gramm-Leach-Bliley Act (“GLBA”) Standards for Safeguarding Customer Information Rule, through this Information Security Program (“Program”), by:
Ensuring the security and confidentiality of customer non-public financial information;
Protection against any anticipated threats or hazards to the security or integrity of such information; and
Protection against unauthorized access or use of such records or information in ways that could result in substantial harm or inconvenience to customers.
Definitions
Customer – a person who has a continuing relationship with the college for the provision of financial services, such as financial aid.
Customer information – any record containing non-public personal financial information about a customer.
Non-public financial information – any record not publicly available that RSCC obtains about a customer in the process of offering a financial product or service, as well as such information provided to the college from other sources. Non-public financial information includes information an individual submits when applying for financial aid (e.g., tax returns and other financial records), information the college receives from third parties in connection with financial aid (e.g., FAFSA information), and information the college creates based on customer information in its possession.
The college Chief Information Officer (CIO) will serve as the RSCC Program Coordinator, who shall be responsible for overseeing and implementing the Program. The Coordinator may obtain assistance from other sources, but ultimate responsibility for the Program remains with the Coordinator.
The Coordinator shall develop the Program, which shall include, but is not limited to:
Consulting with the appropriate offices to identify units and areas of the college with access to customer information and maintaining a list of the same.
Assisting the appropriate offices of the college in identifying reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information, and making certain that appropriate safeguards are designed and implemented in each office and throughout the college to safeguard the protected data.
Working with the college contract officer(s) to guarantee that all contracts with third-party service providers that have access to and maintain customer information include a provision requiring that the service provider maintain appropriate safeguards for customer information.
Working with responsible college officers to develop and deliver adequate training and education for all employees with access to customer information.
Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the Program will address the risks.
The college will periodically perform additional risk assessments that reexamine the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information. Such assessments must reassess the sufficiency of the safeguards in place to control these risks.
Information Security Personnel and Employee Training
Roane State will utilize qualified information security personnel, whether employed by Roane State or through a vendor, sufficient to manage information security risks and to assist in overseeing the Program. Security personnel must be provided with security updates and training sufficient to address relevant security risks. The college will verify that key information security personnel take steps to maintain current knowledge of changing information security threats and countermeasures.
The Program Coordinator will provide college employees with security awareness training that is updated as necessary to reflect risks identified by the risk assessment. Such training may be developed and delivered in conjunction with vendors, the Office of Human Resources, and the Office of General Counsel. Training shall be conducted periodically, as the Coordinator deems appropriate, and it shall include education on relevant policies and procedures and other safeguards in place or developed to protect customer information.
Design and Implementation of Safeguards
The Program will include safeguards to control the risks identified through the risk assessment, including:
Implementing and periodically reviewing access controls, including technical and, as appropriate, physical controls, to authenticate and permit access only to authorized users, and to limit authorized users’ access only to customer information that they need to perform their duties and functions (or, in the case of customers, to access their own information).
Identifying and managing the data, personnel, devices, systems, and facilities that enable the college to achieve operational purposes in accordance with their relative importance to operational objectives and risk strategy.
Protecting by encryption all customer information held or transmitted by the college, both in transit over external networks and at rest. To the extent the Coordinator determines that encryption of customer information, either in transit or at rest, is infeasible, the Coordinator may approve the use of effective alternative compensating controls to secure such customer information.
Developing, implementing, and maintaining procedures for the secure disposal of customer information. These procedures must be periodically reviewed to minimize unnecessary data retention. Disposal must occur no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates unless:
Such information is required to be retained for a longer period under TBR Policy 1.12.01.00, Records Retention and Disposal of Records (access the complete TBR policy at http://policies.tbr.edu/);
The information is necessary for operational purposes; or
Annual penetration testing of information systems based on relevant risks identified through risk assessments; and
Vulnerability assessments, including any systemic scans or reviews of information systems reasonably designed to identify publicly known security vulnerabilities. Such vulnerability assessments must be conducted at least every six months and whenever there are material changes to college operations, and whenever circumstances or events may have a material impact on the Program.
Oversight of Service Providers and Contracts
Roane State will take reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate safeguards for the customer information to which they have access. Service providers must be periodically assessed based on the risk they present and the continued adequacy of their safeguards.
The college will require, by contract, that current and potential service providers with access to customer information maintain sufficient procedures to detect and respond to security events.
The Coordinator shall make certain that necessary revisions to the Program are made at the time of the annual review to address any changes in the college organization that may affect the implementation and effectiveness of the Program.
Annual Report to the Board
The System Office Coordinator will prepare a form for college coordinators to complete and return in sufficient time for inclusion in the report to the Board.
The CIO of Information Technology shall be responsible for development and maintenance of this policy for issuance by the Vice President of Business & Finance.
Roane State does not discriminate on the basis of race, color, religion, creed, ethnic or national origin, sex, disability, age, status as a protected veteran, or any other class protected by Federal or State laws and regulations and by Tennessee Board of Regents policies with respect to employment, programs, and activities.