Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLBA), effective May 23, 2003, addresses the safeguarding and confidentiality of customer information held in the possession of financial institutions such as banks and investment companies. GLBA contains no exemption for colleges or universities. As a result, educational institutions that engage in financial activities, such as processing student loans, must comply. GLBA and other emerging legislation could result in standards of care for information security across all areas of data management practice, both electronic and physical (employee, student, customer, alumni, donor, etc.). Accordingly, West Virginia University at Parkersburg has adopted an Information Security Program for certain highly critical and private financial and related information. This Information Security Program applies to customer financial information the University receives in the course of business, as required by GLBA, as well as to other confidential financial information included within its scope.
The purposes of this program are to:

  • Ensure the security and confidentiality of customer information in compliance with the applicable GLBA rules as published by the Federal Trade Commission.
  • Protect against anticipated threats to the security or integrity of protected electronic data.
  • Guard against unauthorized access to or use of protected data that could result in harm or inconvenience to any customer.

Program Coordination and Responsibility

The coordinator of the Information Security Program is the Chief Information Officer of West Virginia University at Parkersburg. The coordinator is responsible for the development, implementation, and oversight of WVUP's compliance with the policies and procedures required by the GLBA Safeguards Rule. Although ultimate responsibility for compliance rests with the coordinator, representatives from each of the operational areas are responsible for implementing and maintaining the specified requirements of the security program within their own operation.

Information Security Governance Committee
The Information Security Governance Committee exists to ensure that this Information Security Program is kept current and to evaluate potential policy or procedural changes driven by GLBA. Committee membership may change from time to time but includes, at a minimum, the Chief Information Officer, the Executive Vice President for Finance & Administration, and representatives from Financial Aid, the Business Office, Records, and the faculty. Other members may be added as necessary.

Questions about GLBA's impact on business processes and policies, as well as questions about technical issues, risk assessments, and information technology security policies, should be directed to the Information Security Program Coordinator.

Risk Assessment and Safeguards

Handling and storing any information that must be protected carries inherent risk. Identifying areas of risk and maintaining appropriate safeguards reduces that risk. Safeguards are designed to reduce the risk inherent in handling protected information and include safeguards for information systems and for the storage of paper records.

Written Plan
The Safeguards Rule requires West Virginia University at Parkersburg and its affected units to develop a written information security plan that describes its program(s) to protect customer information. The plan must be appropriate to WVUP's size and complexity, the nature and scope of our activities, and the sensitivity of the customer information we handle. As part of its plan, WVUP and its affected units must:

  • Designate one or more employees to coordinate its information security program (the Chief Information Officer)
  • Identify and assess the risks to customer information in each relevant area of the University's operations, and evaluate the effectiveness of the current safeguards for controlling the identified risks
  • Design and implement a safeguards program, and regularly monitor and test it
  • Select service providers that can maintain appropriate safeguards, make sure the contracts with those providers require them to maintain safeguards, and allow the University to oversee their handling of customer information
  • Evaluate and adjust the program in light of relevant circumstances, including changes in the University's business or operations, or the results of security testing and monitoring.

Employee Training and Education

Employees handle and access protected information in order to perform their job duties. This includes permanent and temporary employees as well as student employees whose job duties require them to access protected information or who work in a location where protected information is accessible. Departments are responsible for maintaining a high level of awareness and sensitivity to safeguarding protected information and should periodically remind employees of its importance. Seemingly minor changes to office layout and practices could significantly compromise protected information if a culture of awareness is not present.
The department representative is responsible for ensuring that staff are trained in the relevant GLBA concepts and requirements. Training materials on GLBA and data handling are available online. With the approval of the GLBA coordinator, these training templates and other materials may be tailored by each department to reflect its individual training needs. Training may be delivered in a variety of ways to meet departmental objectives. Departments are responsible for maintaining records of the staff who have received training and must be able to produce written copies upon request.

Oversight of Service Providers and Contracts

GLBA requires the University to take reasonable steps to select and retain service providers who maintain appropriate safeguards for covered data and information. Contracts should be reviewed to ensure that they include the following language:

[Service Provider] agrees to implement and maintain a written comprehensive information security program containing administrative, technical and physical safeguards for the security and protection of customer information and further containing each of the elements set forth in § 314.4 of the Standards for Safeguarding Customer Information (16 C.F.R. § 314). [Service Provider] further agrees to safeguard all customer information provided to it under this Agreement in accordance with its information security program and the Standards for Safeguarding Customer Information.
GLBA contract due diligence, including review of security controls, is taken into account in all aspects of contract negotiation.

Evaluation and Revision of the Information Security Program

GLBA requires periodic review and adjustment of this Information Security Program. The most frequent of these reviews will occur within Information Technology Security and Policy, where constantly changing technology and constantly evolving risks make regular reviews prudent. Processes in other relevant offices of the University, such as data access procedures and the training programs, should undergo regular review.

This Information Security Program is reevaluated regularly in order to ensure ongoing compliance with existing and future laws and regulations.

Definitions

Covered Component
- Any area of West Virginia University at Parkersburg that is required to comply with GLBA.

Controlled Unclassified Information
- Information that law, regulation, or government-wide policy requires to have safeguarding or dissemination controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.

Customer Information
- Any record containing nonpublic personal information, as defined in 16 C.F.R. § 313.3(n), about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of [the financial institution] or [its] affiliates.

Financial Product or Service
- (i) any product or service that a financial holding company could offer by engaging in a financial activity; and
- (ii) Financial Service includes your evaluation or brokerage of information that you collect in connection with a request or an application from a consumer for a financial product or service.

Nonpublic Personal Information
- (i) personally identifiable financial information; and
- (ii) any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available. 16 C.F.R. § 313.3(n)(1).

Personally Identifiable Financial Information
- Any information:
(i) a consumer provides to you to obtain a financial product or service;
(ii) about a consumer resulting from any transaction involving a financial product or service between you and a consumer; or
(iii) you otherwise obtain about a consumer in connection with providing a financial product or service to that consumer.

Protected Information
- Personally identifiable financial information or protected health information that is covered by GLBA.

Activities that the Federal Trade Commission may consider to be financial products or services include:
- Student (or other) loans, including receiving application information and making or servicing such loans
- Financial or investment advisory services
- Credit counseling services
- Tax planning or tax preparation
- Collection of delinquent loans and accounts
- Sale of money orders, savings bonds, or traveler's checks
- Check cashing services
- Travel agency services provided in connection with financial services
- Real estate settlement services
- Money wiring services
- Issuing credit cards or long-term payment plans involving interest charges
- Personal property and real estate appraisal
- Career counseling services for individuals seeking employment in the finance, accounting, or auditing fields
- Services provided by a principal, broker, or agent with respect to life, health, liability, or disability insurance products
- Obtaining information from a consumer report
- Issuing or providing annuities