Information Technology

Gramm-Leach-Bliley Act (GLBA) - Overview

In compliance with the Federal Trade Commission's Safeguards Rule and the Gramm-Leach-Bliley Act (GLBA), the University (LU) created this document to summarize our Information Security Program (ISP). This document describes the objectives of the GLBA standards for safeguarding information: (i) ensuring the security and confidentiality of student information, (ii) protecting against any anticipated threats or hazards to the security of such information, and (iii) protecting against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any student or individual.

On December 9, 2021, the Federal Trade Commission (FTC) issued a Final Rule to amend the Standards for Safeguarding Customer Information (Safeguards Rule), an important component of the Gramm-Leach-Bliley Act's (GLBA) requirements for protecting the privacy and personal information of consumers. The effective date for most of the changes to the Safeguards Rule is June 9, 2023.

Other Related Rules and Clarifications

Definition of "Customer" for GLBA Compliance

16 C.F.R. Part 314 uses the terms "customer" and "customer information." For purposes of institutional or servicer compliance with GLBA, customer information is information obtained as a result of providing a financial service to a student (past or present). Institutions or servicers provide financial services when they, among other things, administer or aid in the administration of the Title IV programs; make institutional loans, including income share agreements; or certify or service a private education loan on behalf of a student.

Requirements in the GLBA Safeguards Rule

The objectives of the GLBA standards for safeguarding information are to:

  • Ensure the security and confidentiality of student information;
  • Protect against any anticipated threats or hazards to the security or integrity of such information; and
  • Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any student (16 C.F.R. 314.3(b)).

To achieve the GLBA objectives, LU and its servicers are required to develop, implement, and maintain a written, comprehensive information security program. The FTC's regulations require that the information security program contain administrative, technical, and physical safeguards that are appropriate to the size and complexity of the institution or servicer, the nature and scope of their activities, and the sensitivity of any student information.

Scope

LU's written Information Security Program (ISP) includes the nine required elements set out in 16 C.F.R. 314.4.

Element 1 - 16 C.F.R. 314.4(a)

LU has designated the Chief Information Officer (CIO) as the Qualified Individual (QI) responsible for overseeing and implementing LU's ISP.

Element 2 - 16 C.F.R. 314.4(b)

LU plans, as part of the ISP, to undertake to identify and assess external and internal risks to the security, confidentiality, and integrity of nonpublic financial information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information through a risk assessment. In implementing the ISP, the QI establishes and maintains procedures for identifying and assessing such risks in each relevant area of the Institution's operations, including:

Element 3 - 16 C.F.R. 314.4(c)(1) through (8)

LU will continue to monitor/provide the following:

  • Access controls and user restrictions on accessible data.
  • Management of data, users, and systems consistent with the risk strategy.
  • Encryption of customer information in transit over external networks and at rest.
  • Secure development practices for in-house developed software and applications that access or transmit customer information.
  • Implementation of multifactor authentication or reasonably equivalent access controls.
  • Procedures for the periodic and secure disposal of customer information and review of data retention policies.
  • Change management procedures for system security.
  • Controls to monitor and log activities of users and detect unauthorized access.

Element 4 - 16 C.F.R. 314.4(d)

LU will regularly test and monitor the effectiveness of the safeguards' key controls, systems, and procedures. This will be accomplished through annual penetration testing and vulnerability assessments performed bi-yearly.

Element 5 - 16 C.F.R. 314.4(e)

LU will employ only capable information security professionals who will be provided with training sufficient to address relevant security risks while staying current with the evolving information security environment. LU will also provide relevant information security training to personnel at the University identified from the risk assessment.

Element 6 - 16 C.F.R. 314.4(f)

The QI will ensure that LU will only select and retain those service providers that are capable of maintaining appropriate safeguards for the nonpublic financial information of students and other third parties to which they will have access. In addition, the QI works with University Legal Counsel to develop and incorporate standard contractual protections, applicable to third-party service providers, that require such providers to implement and maintain appropriate safeguards.

Element 7 - 16 C.F.R. 314.4(g)

The QI is responsible for evaluating and adjusting the ISP based on any risks identified from testing, monitoring, and/or evaluation activities.

Element 8 - 16 C.F.R. 314.4(h)

LU has a regularly updated and documented incident response plan that addresses:

  • The goals of the incident response plan.
  • The internal processes for responding to a security event.
  • The definition of clear roles, responsibilities, and levels of decision-making authority.
  • External and internal communications and information sharing.
  • Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls.
  • Documentation and reporting regarding security events and related incident response activities; and
  • The evaluation and revision as necessary of the incident response plan following a security event.

Element 9 - 16 C.F.R. 314.4(i)

The QI will create a written report to be presented to the LU Board of Trustees at least annually. The report will cover the overall status of the ISP and its compliance. The report will also cover material matters related to the ISP, addressing issues such as the risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management's responses thereto, and recommendations for changes to the ISP.

Last revised: May 2023