Protecting the security and confidentiality of customers’ nonpublic financial information;
Protecting against any anticipated threats or hazards to the security or integrity of such information; and
Protecting against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.
Definitions
Customer – a person who has a continuing relationship with the college for the provision of financial services, such as financial aid.
Customer Information - any record containing nonpublic personal financial information about a customer.
Nonpublic Financial Information – any record about a customer that RSCC obtains in the course of providing a financial product or service and that is not publicly available, as well as information provided to the college from other sources. Nonpublic financial information includes information that a person submits to apply for financial aid (e.g., tax returns and other financial documents), information the college receives from third parties in connection with financial aid (e.g., FAFSA information), and information that the college creates based on customer information in its possession.
Introduction
TBR institutions are covered by GLBA because they offer and process financial aid applications, make loans to students, and receive customer information from students and others in connection with those activities.
The Program shall identify reasonably foreseeable external and internal risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of the safeguards in place to control those risks.
Risk assessments should include consideration of risks in each office that has access to customer information.
The risk assessment must be written and must include, at a minimum, consideration of risks in the following areas:
Criteria for the evaluation and categorization of the identified security risks and threats.
Criteria for the assessment of the confidentiality, integrity, and availability of information systems and customer information, including the adequacy of existing controls in the context of identified risks and threats.
Requirements describing how identified risks will be mitigated or accepted based on the risk assessment, and how the College will address those risks.
The College will periodically perform additional risk assessments that reexamine the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information. Such assessments must reassess the sufficiency of the safeguards in place to control those risks.
Information Security Personnel and Employee Training
Roane State will use qualified information security personnel, whether employed by the College or through a vendor, sufficient to manage information security risks and to assist in oversight of the Program. Security personnel must be provided with security updates and training sufficient to address relevant security risks. The College will verify that key information security personnel take steps to maintain current knowledge of changing information security threats and countermeasures.
The Program will include safeguards to control the risks identified through the risk assessments, including:
Implementing and periodically reviewing access controls, including technical and, as appropriate, physical controls to authenticate and permit access only to authorized users, and to limit authorized users’ access to only the customer information they need to perform their duties and functions (or, in the case of customers, to access their own information).
Protecting by encryption all customer information held or transmitted by the College, both in transit over external networks and at rest. To the extent the coordinator determines that encryption of customer information, either in transit or at rest, is infeasible, the coordinator may approve a method to secure such customer information using effective alternative compensating controls.
Adopting secure development practices for in-house developed applications used to transmit, access, or store customer information, and procedures for evaluating, assessing, or testing the security of externally developed applications used to transmit, access, or store customer information.
Implementing multi-factor authentication for any individual accessing any information system, unless the coordinator has approved in writing the use of reasonably equivalent or more secure access controls.
Developing, implementing, and maintaining procedures for the secure disposal of customer information. These procedures must be periodically reviewed to minimize the unnecessary retention of data. Disposal must occur no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates, unless:
The information is required to be kept for a longer period in accordance with TBR Policy 1.12.01.00, Records Retention and Disposal of Records (the complete TBR policy is available at http://policies.tbr.edu/);
The information is necessary for operational purposes; or
Targeted disposal is not reasonably feasible due to the manner in which the information is maintained.
Adopting change management procedures.
Implementing policies, procedures, and controls designed to monitor and log the activity of authorized users and to detect unauthorized access to or use of, or tampering with, customer information by those users.
The Program must regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures, including those designed to detect actual and attempted attacks on, or intrusions into, information systems.
For information systems, monitoring and testing must include continuous monitoring or periodic penetration testing and vulnerability assessments. In the absence of effective continuous monitoring or other systems to detect, on an ongoing basis, changes in information systems that may create vulnerabilities, the College must conduct:
Annual penetration testing of information systems based on relevant risks identified through risk assessments; and
Vulnerability assessments, including any systemic scans or reviews of information systems designed to identify publicly known security vulnerabilities. Such vulnerability assessments must be performed at least every six months, whenever there are material changes to the College’s operations, and whenever circumstances or events may have a material impact on the Program.