RSCC Policy GA-18-08; 数据和个人身份信息(PII)安全

贝博体育

保单号码: GA-18-08

主题: 数据和个人身份信息(PII)安全

目的
The purpose of this policy is to establish a standard for managing Personally Identifiable Information (PII) data on college-owned computers or devices that are used to store or transport sensitive or confidential information. 除了, this policy outlines responsibilities for Roane State employees who have access to such information.
范围
这项政策的适用范围包括所有大学员工, 承包商, 或有权访问PII信息的顾问.
定义
1. 敏感信息 is defined as any information that provides PII on a 贝博体育 (RSCC) student, 教师, 或者工作人员. PII是可用于唯一标识的信息, 联系, or locate a single person or can be used with other sources to uniquely identify a single individual. 这包括, 但不限于, 社会安全号码等信息, 出生日期和地点, 还有母亲的娘家姓. Directory information is determined by each intuition and is not considered PII.
2. 便携式大容量存储设备 is defined as any device which is capable of transporting digital files outside the internal stor年龄 device of a Roane State computer or network. 它们包括软盘之类的设备, CD / DVD的, 闪存, zip驱动器, 或者外置硬盘.
3. 加密 is the process of transforming information (referred to as plaintext) using an algorithm (called cipher) to make it unreadable to anyone except those possessing special knowledge, 通常被称为钥匙. The result of the process is encrypted information (in cryptography, referred to as cipher text). In many contexts, the word encryption also implicitly refers to the reverse process, decryption (e.g. “加密软件”通常也可以执行解密), 使加密的信息再次可读(i.e. 使其未加密).
4. 数据管理者 are institutional designees who are responsible for establishing data man年龄ment procedures and the assignment of access to the data for which they are responsible. Representatives will be designated from the flowing functional area as 数据管理者.
5. 目录信息 is that information which constitutes a basic profile based on information contained within student education records that generally is not considered harmful or an invasion of privacy if released. RSCC的目录信息包括:
  1. 业务办公室
  2. 学生记录
  3. 金融援助
  4. 工资
  5. 人力资源
  6. 学生的名字
  7. Address
  8. 电子邮件地址
  9. 电话清单
  10. 出生日期
  11. 参加官方认可的活动和体育运动
  12. 运动员的体重和身高
  13. 出席日期
  14. 注册状态-兼职，全职
  15. 所获学位及奖项
  16. 主修领域
  17. 最近以前的教育机构或机构
程序
1. 一般
  Access to data residing in administrative systems and applications at RSCC is to be granted only to those individuals who must, 在履行职责的过程中, 使用特定的信息. 数据管理员负责授予对信息的访问权限.
  
  复制, 下载, FTP传输, 或以其他方式在计算机上复制PII数据, 网站, 软盘, CD / DVD, 磁带, USB设备, or other such mobile stor年龄 device for purposes other than backup by authorized personnel is prohibited unless granted written permission by the Assistant Vice President, 信息技术.
2. 敏感信息的控制
  Under no circumstance should sensitive or confidential information be transferred to or stored on any personally-owned laptops, 可移动媒体, 或者家用电脑. 而访问班纳是允许从个人拥有的电脑, 不得在该等设备上下载或存储PII数据.
  
  One may access administrative systems and work with sensitive or confidential information from college-owned computing devices, but may not make a copy of that information and store it locally on the device. Any file containing personally identifiable information must be stored on the individual’s “U” drive on the network.
  
  Unsecure laptops or removable stor年龄 devices will not be used to transport or store sensitive information. Should a requirement exist for sensitive or confidential information to be stored on a laptop or 可移动媒体, 当无人值守时，设备必须进行加密和物理保护. 除非得到书面许可, 如上所述, 已被批准, 可移动媒体，如USB驱动器或光盘(e.g., CD-ROM or DVD-ROM) should not be used to transport sensitive or confidential information.
  
  Laptop users are responsible for securing laptops at all times, but especially when traveling. (参见下面的笔记本电脑安全.)
3. 个人资料的电子邮件转移
  个人资料不应以电子方式传送(i.e.，从Outlook, BDMS等系统发送的电子邮件. 或通过任何其他电子传输方法)，除非加密. Transmittal of information containing the Campus Wide ID (CWID) is permitted. (However, it is recognized that even this practice is being debated and may change in the future.)
4. 加密
  Laptop computers owned by the college and assigned to 教师 and staff are to be configured to use hard drive encryption. 如果您认为您的笔记本电脑需要加密，请联系帮助台.
  
  加密 methods used will be dependent on host operating system and whether or not the laptop hardware includes a Trusted Platform Module (TPM).
  
  加密 techniques requiring password authentication allowing a host operating system to load will conform to strong password standards See GA-18-09, 强密码. 访问完整详细的RSCC策略GA-18-09 esa3pv.wsslj.net/policies/. 在微软检查你的密码强度创建强密码.
笔记本电脑的安全

Campus Offices - Laptops must be secured in a locked office when unattended for an extended length of time or left overnight.

离开办公室——笔记本电脑被带出办公室, 笔记本电脑必须保持在主人的积极控制之下. 它应该在手边，在视线范围内，或者一直锁在一个安全的地方.
扫描
Roane State will conduct annual vulnerability scans of its outward facing firewall and annual scans of its internal credit card payment network in accordance with the Payment Card Industry Data Security Standards (PCI-DSS). 所有扫描将由经批准的扫描供应商或ASV执行. Any discrepancies will be corrected and a follow-up scan performed until the system is compliant. 在网络发生任何重大变化后，也将执行扫描.

无线网络将被监控，以防出现非法接入点, unauthorized WLAN cards or other unauthorized devices connected to Roane State’s network.
培训
对于需要从管理系统访问PII的员工, Roane State 信息技术 Division will provide training information annually on the proper handling and safeguarding of PII.
执行
Any employee found to have violated this policy may be subject to disciplinary action.

修订历史:2014年5月3日、2018年1月25日、2019年7月22日

TBR政策参考: 1.08.04.00

修订生效日期: 07/22/2019

修订批准人: 克里斯托弗·L. 惠利,总统

原生效日期: 02/01/2013

批准人: 克里斯托弗·L. 惠利,总统

办公室负责: 商务副总裁 & 金融

综述: 07/07/2019

贝博体育

RSCC Policy GA-18-08; 数据和个人身份信息(PII)安全

与我们联系