Information Technology

Gramm-Leach-Bliley Act (GLBA) - Overview

In compliance with the Federal Trade Commission's Safeguards Rule and the Gramm-Leach-Bliley Act (GLBA), the University (LU) has created this document to summarize our Information Security Program (ISP). This document describes the objectives of the GLBA standards for safeguarding information: (i) ensure the security and confidentiality of student information, (ii) protect against any anticipated threats or hazards to the security of such information, and (iii) protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any student or individual.

On December 9, 2021, the Federal Trade Commission (FTC) issued final regulations (the Final Rule) amending the Standards for Safeguarding Customer Information (the Safeguards Rule), a key component of the Gramm-Leach-Bliley Act (GLBA) requirements for protecting consumer privacy and personal information. Most of the changes to the Safeguards Rule take effect on June 9, 2023.

Other Related Rules and Clarification

Definition of “Customer” for the purpose of GLBA Compliance

The regulations at 16 C.F.R. Part 314 use the terms "customer" and "customer information." For the purpose of an institution's or servicer's compliance with GLBA, customer information is information obtained as a result of providing a financial service to a student (past or present). Institutions or servicers provide a financial service when they, among other things, administer or aid in the administration of the Title IV programs; make institutional loans, including income share agreements; or certify or service a private education loan on behalf of a student.

Requirements in the GLBA Safeguards Rule  

The objectives of the GLBA standards for safeguarding information are to:

  • Ensure the security and confidentiality of student information;
  • Protect against any anticipated threats or hazards to the security or integrity of such information; and
  • Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any student (16 C.F.R. 314.3(b)).

To achieve the GLBA objectives, LU and servicers are required to develop, implement, and maintain a written, comprehensive information security program. The FTC regulations require the information security program to contain administrative, technical, and physical safeguards that are appropriate to the size and complexity of the institution or servicer, the nature and scope of their activities, and the sensitivity of any student information.

Scope 

LU's written Information Security Program (ISP) includes the following nine required elements of 16 CFR 314.4.

Element 1 – 16 CFR 314.4(a)

LU has designated the Chief Information Officer (CIO) as the Qualified Individual (QI) responsible for overseeing and implementing LU's ISP.

Element 2 – 16 CFR 314.4(b)

As part of the ISP, LU intends to identify and assess, through risk assessment, the external and internal risks to the security, confidentiality, and integrity of nonpublic financial information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information. In implementing the ISP, the security assessment team develops and maintains procedures to identify and assess risks in each relevant area of the institution's operations, including:

Element 3 – 16 CFR 314.4(c) (1) through (8)   

LU will continue to monitor/provide each of the following:   

  • Access controls and user limits on accessible data.
  • Management of data, users, and systems consistent with the risk strategy.
  • Encryption of customer information in transit over external networks and at rest.
  • Secure development practices for in-house developed software and applications that access or transmit customer information.
  • Implementation of multi-factor authentication or reasonably equivalent access controls.
  • Procedures for the secure disposal of customer information on a periodic basis and for review of data retention policies.
  • Procedures for secure change management of systems.
  • Controls to monitor and log user activity and to detect unauthorized access.

Element 4 – 16 CFR 314.4(d)   

LU will regularly test and monitor the effectiveness of the key controls, systems, and procedures of its safeguards. This is accomplished through annual penetration testing and vulnerability assessments at least every six months, as required by 16 C.F.R. 314.4(d)(2).

Element 5 – 16 CFR 314.4(e)   

LU will employ only qualified information security professionals and provide them with sufficient training to address the relevant security risks and keep pace with the evolving information security landscape. The University will also provide relevant information security training to personnel identified through the risk assessment.

Element 6 – 16 CFR 314.4(f)   

The QI will ensure that the University selects and retains only service providers capable of maintaining appropriate safeguards for the nonpublic financial information of students and other third parties. In addition, the QI, together with the University's legal counsel, will develop and incorporate standard contractual protections applicable to third-party service providers, requiring those providers to implement and maintain appropriate safeguards.

Element 7 – 16 CFR 314.4(g)   

The QI is responsible for evaluating and adjusting the ISP in light of any risks identified through testing, monitoring, and/or assessment activities.

Element 8 – 16 CFR 314.4(h)   

LU maintains a regularly updated and documented incident response plan that addresses:

  • The goals of the incident response plan.
  • The internal processes for responding to a security event.
  • Clear definition of roles, responsibilities, and levels of decision-making authority.
  • External and internal communications and information sharing.
  • Identification of remediation requirements for any identified weaknesses in information systems and associated controls.
  • Documentation and reporting regarding security events and related incident response activities; and
  • Evaluation and revision of the incident response plan as necessary following a security event.

Element 9 – 16 CFR 314.4(i)   

The assessment team will provide a written report to the University's governing board at least annually. The report will cover the overall status of the ISP and its compliance. The report will also cover material matters related to the ISP, addressing issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management's responses thereto, and recommendations for changes in the ISP.

Last revised: May 2023