Gramm-Leach-Bliley Act Policy

I. Purpose

The Gramm-Leach-Bliley Act (GLB) was enacted in 1999 and affects all financial institutions. Colleges and universities fall under GLB as part of financial lending and alumni processes. The GLB Financial Privacy Rule requires financial institutions to provide a privacy notice at the time the consumer relationship is established and annually thereafter. It defines the protection of non-public personal information (NPI). It also requires institutions to implement thorough administrative, technical and physical safeguards to protect against any anticipated threats or hazards to the security or integrity of such information.

II. Scope

This policy applies to all offices that collect, access, maintain, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle Covered Information. These offices specifically include, but are not limited to, Information Technology Services (ITS), Student Financial Services, Registrar’s Office, Finance Office, Residence Life, Business Operations, Alumni Relations, and Human Resources (“Covered Offices”).

III. Definitions

A “Customer” is any individual (student, parent, faculty, staff, or other third party with whom the university interacts) who receives a financial service from the university and who, in the course of receiving that service, provides the university with sensitive, non-public, personal information about themselves.

“Covered Information” is sensitive, non-public, personally identifiable information that includes, but may not be limited to, an individual’s name in conjunction with any of the following:

  • social security number
  • credit card information
  • income and credit history
  • bank account information
  • tax returns
  • asset statements

Covered Information includes both paper and electronic records.

A “financial service” is defined by federal law to include, but not be limited to, such activities as the lending of money; investing for others; providing or underwriting insurance; giving financial, investment or economic advisory services; marketing securities and the like.

IV. Policy & Procedures

The goals for this program are as follows:

  • To ensure employees have access only to the relevant data needed to conduct university business;
  • To ensure the security and confidentiality of customer records and information;
  • To safeguard and prevent unauthorized access to personally identifiable financial records and information maintained by the university;
  • To comply with existing university policies, standards, guidelines and procedures; and
  • To comply with applicable federal, state and local regulations.

Information Security Plan Coordinator

The designated employee for the coordination and oversight of this policy is the Director of Administrative & Enterprise Services or his/her designee (“Information Security Plan Coordinator” or “coordinator”). The coordinator works with all relevant areas of the university: 1) to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of Covered Information, 2) to evaluate the effectiveness of the current safeguards for controlling these risks, 3) to design and implement a safeguards program, 4) to implement a training program for employees who have access to Covered Information, 5) to oversee service provider(s) and contract compliance, and 6) to evaluate and adjust the security plan periodically.

The coordinator, with guidance from the assistant vice president of operations & compliance, may establish a Gramm-Leach-Bliley working committee to work with the coordinator to carry out elements of the policy. The coordinator may also designate other university officials to oversee and coordinate particular elements of the policy. All comments and inquiries about the university’s Gramm-Leach-Bliley Policy should be sent by e-mail to the coordinator at 杰拉尔德.korea@443693.com.

Risk Assessment

The coordinator provides guidance to Covered Offices to identify and assess internal and external risks to the security, confidentiality, and integrity of Covered Information that could result in unauthorized access, disclosure, misuse, alteration, destruction or other compromise of such information.

Each Covered Office is responsible for securing Covered Information in accordance with this policy. Covered Offices must develop and document their own information safeguards for Covered Information. The scope of such assessment and evaluation may include, but is not limited to, management and training of employees (including student employees) and volunteers; information systems (including network and software design, as well as information processing, storage, transmission and disposal for both paper and electronic records); procedures for detecting, preventing and responding to attacks, intrusions, or other system failures (including data processing and telephone communication); and contingency planning and business continuity.

Employee Training

Each Covered Office trains and educates its employees on relevant policies and procedures for safeguarding Covered Information. The coordinator, along with the office of Risk & Compliance Management, helps each Covered Office develop procedures to evaluate the effectiveness of its procedures and practices regarding employee training.

Information Systems

The coordinator, or his/her designee, develops procedures to assess the risks to Covered Information associated with the university’s information systems, including network and software design, as well as information processing, storage, transmission, retrieval, and disposal of Covered Information. This assessment includes a review of the university’s information technology practices and procedures. In addition, the coordinator assesses the procedures for monitoring potential information security threats associated with software systems and for updating such systems by, among other things, implementing patches or other software fixes designed to deal with security flaws.

Physical Security of Paper Records

Covered Offices should develop and maintain procedures that reasonably assure the security of paper records and include guidelines relating to the university’s records retention and disposal policy. Periodic evaluation of these procedures regarding physical paper records should be conducted.

Managing System Failures

The university maintains systems to prevent, detect, and respond to attacks, intrusions, and other system failures. The coordinator, or his/her designee, maintains plans for detecting, preventing and responding to attacks or other system failures, and reviews network access and security policies and procedures, and protocols for responding to network attacks and intrusions.

Designing and Implementing Safeguards

The risk assessment and analysis described herein shall apply to all methods of handling or disposing of Covered Information, whether in electronic, paper, or other forms. On a regular basis, the coordinator shall implement safeguards to control the risks identified through such assessments and shall regularly test or otherwise monitor the effectiveness of such safeguards. The level of monitoring will be appropriate based upon the potential impact and probability of the risks identified, as well as the sensitivity of the information provided.

Service Providers and Contracts

From time to time, the university may share Covered Information with third parties in the normal course of business. These activities may include debt collection activities, transmission of documents, destruction of documents or equipment, or other similar services. All contracts must include provisions that address third-party Gramm-Leach-Bliley compliance.

The coordinator works with those responsible for third-party service procurement activities and Covered Offices to raise awareness of, and to institute methods for, selecting and retaining only those providers that are capable of maintaining appropriate safeguards for Covered Information.

V. Exceptions

Any exceptions to this policy are to be reviewed and approved by the Information Security Plan Coordinator in consultation with the office of Risk & Compliance Management, as needed.

V. Responsibility

The Information Security Plan Coordinator is responsible for implementing the provisions of this policy.

Employees with access to Covered Information must abide by university policies and procedures governing Covered Information, as well as any additional practices or procedures established in their units.

VI. Cross References

This policy is supported by the following policies, procedures, and/or guidelines.

VII. Resources

Federal Trade Commission Safeguards Rule (external website)

Effective: 06/01/2018 | Updated: 6/01/2020