RSCC Policy GA-18-10; Information Technology Security Program

Policy Number: GA-18-10
Subject: Information Technology Security Program
  1. Purpose
    Roane State Community College (RSCC) will protect the College's information resources, in accordance with the standards of the Gramm-Leach-Bliley Act ("GLBA") Safeguards Rule for protecting customer information, through an Information Security Program (the "Program") by:
    1. Protecting the security and confidentiality of customers' nonpublic financial information;
    2. Protecting against any anticipated threats or hazards to the security or integrity of such information; and
    3. Protecting against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.
  2. Definitions
    1. Customer – a person who has a continuing relationship with the College for the provision of financial services, such as financial aid.
    2. Customer Information – any record containing nonpublic personal financial information about a customer.
    3. Nonpublic Financial Information – any record about a customer, not otherwise publicly available, that RSCC obtains in the course of providing a financial product or service, together with information provided to the College from other sources. Nonpublic financial information includes information that a person submits to apply for financial aid (e.g., tax returns and other financial records), information that the College receives from third parties in connection with financial aid (e.g., FAFSA information), and information that the College creates based on customer information in its possession.
    4. Security Event – an event resulting in unauthorized access to, or disruption or misuse of, an information system, information stored on such an information system, or customer information held in physical form.
  3. Policy
    1. Introduction
      TBR institutions are covered by GLBA because they offer and process financial aid applications, provide loans to students, and receive customer information from students and others in connection with those activities.
    2. Program Coordinator
      1. The College's Chief Information Officer (CIO) will serve as the RSCC Program Coordinator responsible for overseeing and implementing the Program. The Coordinator may obtain assistance from other sources, but ultimate responsibility for the Program remains with the Coordinator.
      2. The Coordinator shall develop the Program to include, but not be limited to:
        1. Consulting with appropriate offices to identify the units and areas of the College that have access to customer information, and maintaining a list of the same.
        2. Assisting relevant College offices in identifying reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information, and ensuring that appropriate safeguards to protect covered data are designed and implemented in each office and across the College as a whole.
        3. Working with the College's contracting officials to ensure that all contracts with third-party service providers that have access to and maintain customer information include provisions requiring the service provider to maintain appropriate safeguards for customer information.
        4. Working with responsible College officials to provide adequate training and education for all employees who have access to customer information.
    3. Security and Privacy Risk Assessment
      1. The Program shall identify reasonably foreseeable external and internal risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of the safeguards in place to control those risks.
      2. Risk assessments should include consideration of risks in each office that has access to customer information.
      3. Risk assessments must be in writing and must include, at a minimum, consideration of the following:
        1. Criteria for the evaluation and categorization of the identified security risks and threats.
        2. Criteria for the assessment of the confidentiality, integrity, and availability of information systems and customer information, including the adequacy of existing controls in the context of identified risks and threats.
        3. Requirements describing how identified risks will be mitigated or accepted based on the risk assessment, and how the Program will address those risks.
      4. The College will periodically perform additional risk assessments that reexamine reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information. Such assessments must reassess the sufficiency of safeguards in place to control the risks.
    4. Information Security Personnel and Employee Training
      1. Roane State will utilize qualified information security personnel, whether employed by the College or through a vendor, sufficient to manage information security risks and to assist in oversight of the Program. Security personnel must be provided with security updates and training sufficient to address relevant security risks. The College will verify that key information security personnel take steps to maintain current knowledge of changing information security threats and countermeasures.
      2. The Program Coordinator will provide security awareness training for College employees, updated as necessary to reflect risks identified by the risk assessment. Such training may be developed and delivered in conjunction with vendors, the Office of Human Resources, and the Office of General Counsel. Training shall be conducted periodically, as the Coordinator deems appropriate, and shall include education on the policies and procedures, and on other safeguards established or developed to protect customer information.
    5. Design and Implementation of Safeguards
      1. The Program will include safeguards to control the risks identified through the risk assessments, including:
        1. Implementing and periodically reviewing access controls, including technical and, as appropriate, physical controls to authenticate and permit access only to authorized users, and to limit authorized users' access only to the customer information they need to perform their duties and functions (or, in the case of customers, to access their own information).
        2. Identifying and managing the data, personnel, devices, systems, and facilities that enable the College to achieve its operational purposes, in accordance with their relative importance to operational objectives and risk strategy.
        3. Protecting by encryption all customer information held or transmitted by the College, both in transit over external networks and at rest. To the extent the Coordinator determines that encryption of customer information, either in transit or at rest, is infeasible, the Coordinator may approve a method to secure such customer information using effective alternative compensating controls.
        4. Adopting secure development practices for in-house developed applications used to transmit, access, or store customer information, and procedures for evaluating, assessing, or testing the security of externally developed applications used to transmit, access, or store customer information.
        5. Implementing multi-factor authentication for any individual accessing any information system, unless the Coordinator has approved in writing the use of reasonably equivalent or more secure access controls.
        6. Developing, implementing, and maintaining procedures for the secure disposal of customer information. These procedures must be periodically reviewed to minimize the unnecessary retention of data. Disposal must occur no later than two years after the last date the information is used in connection with providing a product or service to the customer to which it relates, unless:
          1. The information is required to be kept for a longer period in accordance with TBR Policy 1.12.01.00, Records Retention and Disposal of Records (the complete TBR policy is available at http://policies.tbr.edu/);
          2. The information is necessary for operational purposes; or
          3. Targeted disposal is not reasonably feasible due to the manner in which the information is maintained.
        7. Adopting procedures for change management.
        8. Implementing policies, procedures, and controls designed to monitor and log the activity of authorized users and to detect unauthorized access to or use of, or tampering with, customer information by such users.
      2. The Program must regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures, including those intended to detect actual and attempted attacks on, or intrusions into, information systems.
      3. For information systems, monitoring and testing must include continuous monitoring or periodic penetration testing and vulnerability assessments. In the absence of effective continuous monitoring or other systems to detect, on an ongoing basis, changes in information systems that may create vulnerabilities, the College must conduct:
        1. Annual penetration testing of information systems based on relevant risks identified through risk assessments; and
        2. Vulnerability assessments, including any systemic scans or reviews of information systems designed to identify publicly known security vulnerabilities. Such vulnerability assessments must be conducted at least every six months, whenever there are material changes to College operations, and whenever circumstances or events may have a material impact on the Program.
    6. Oversight of Service Providers and Contracts
      1. Roane State will take reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate safeguards for the customer information to which they have access. Service providers must be periodically assessed based on the risk they present and the continued adequacy of their safeguards.
      2. The College will require, by contract, that current and prospective service providers with access to customer information maintain adequate procedures to detect and respond to security events.
      3. The College will require, by contract, that all applicable third-party service providers implement and maintain appropriate safeguards for customer information.
    7. Incident Response Plan
      1. The Program must include a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in the College's control.
      2. To the extent the following requirements are not already required by the State of Tennessee's incident response plan, the Coordinator shall ensure that the incident response plan addresses:
        1. The goals of the incident response plan.
        2. The internal processes for responding to a security event.
        3. The definition of clear roles, responsibilities, and levels of decision-making authority.
        4. External and internal communications and information sharing.
        5. Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls.
        6. Documentation and reporting regarding security events and related incident response activities.
        7. The evaluation and revision, as necessary, of the incident response plan following a security event.
    8. Program Evaluation and Revision
      1. The Coordinator must evaluate and adjust the Program in light of the results of testing and monitoring, any material changes to College operations, the results of risk assessments, and any other circumstances that may have a material impact on the Program.
      2. The Program must include a plan by which it will be evaluated on a regular basis and a method to revise the Program, as necessary, for continued effectiveness.
  4. Evaluation of the Information Security Program
    1. The Coordinator, together with appropriate administrators, shall evaluate the effectiveness of the Program annually.
    2. The Coordinator shall ensure that, at the time of the annual review, any necessary revisions are made to the Program to address any changes in the College's organization that may affect the implementation and effectiveness of the Program.
  5. Annual Report to the Board
    The System Office Coordinator will prepare a form for the College Coordinator to complete and return in a timely manner for inclusion in the report submitted to the Board.
  6. The Information Technology CIO shall be responsible for developing and maintaining this policy, which is issued by the Vice President for Business & Finance.
Revision History: January 25, 2018
TBR Policy Reference: B-090
Revision Effective Date: 05/02/2023
Revision Approved By: Christopher L. Whaley, President
Original Effective Date: 12/14/2015
Approved By: Christopher L. Whaley, President
Office Responsible: Vice President for Business & Finance
Reviewed: 04/13/2023
