RSCC Policy GA-18-10; Information Security Program

Policy Number: GA-18-10
Subject: Information Security Program
  1. Purpose
    Roane State Community College (RSCC) will protect the college’s information resources as mandated by the Gramm-Leach-Bliley Act (“GLBA”) Standards for Safeguarding Customer Information Rule, through an Information Security Program (“Program”) that provides for:
    1. Protection of the security and confidentiality of customer non-public financial information;
    2. Protection against any anticipated threats or hazards to the security or integrity of such information; and
    3. Protection against unauthorized access or use of such records or information in ways that could result in substantial harm or inconvenience to customers.
  2. Definitions
    1. Customer – a person who has an ongoing relationship with the college for the provision of a financial service, such as financial aid.
    2. Customer information – any record containing non-public personal financial information about a customer.
    3. Non-public financial information – any record not publicly available that RSCC obtains about a customer in the process of offering a financial product or service, as well as such information provided to the college from other sources. Non-public financial information includes information submitted by individuals when applying for financial aid (e.g., tax returns and other financial information), information the college receives from third parties in connection with financial aid (e.g., FAFSA information), and information the college creates based on customer information in its possession.
    4. Security event – an event resulting in unauthorized access to, or disruption or misuse of, an information system, information stored on such an information system, or customer information held in physical form.
  3. Policy
    1. Introduction
      TBR institutions are covered by GLBA because they offer and process applications for financial aid, make loans to students, and receive customer information related to these activities from students and others.
    2. Program Coordinator
      1. The college Chief Information Officer (CIO) will serve as the RSCC Program Coordinator, who shall be responsible for overseeing and implementing the Program. The Coordinator may obtain assistance from other sources, but ultimate responsibility for the Program remains with the Coordinator.
      2. The Coordinator shall develop the Program, which includes, but is not limited to:
        1. Consulting with the appropriate offices to identify units and areas of the college with access to customer information and maintaining a list of the same.
        2. Assisting the appropriate offices of the college in identifying reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information and making certain that appropriate safeguards are designed and implemented in each office and throughout the college to safeguard the protected data.
        3. Working with the college contract officer(s) to guarantee that all contracts with third-party service providers that have access to and maintain customer information include a provision requiring that the service provider maintain appropriate safeguards for customer information.
        4. Working with responsible college officers to develop and deliver adequate training and education for all employees with access to customer information.
    3. Security and Privacy Risk Assessment
      1. Roane State shall identify reasonably foreseeable external and internal risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and shall assess the sufficiency of any safeguards in place to control these risks.
      2. The risk assessment shall include consideration of the risks in each office with access to customer information.
      3. The risk assessment must be written and must include, at a minimum, consideration of risks in the following areas:
        1. Criteria for the evaluation and categorization of identified security risks and threats.
        2. Criteria for the assessment of the confidentiality, integrity, and availability of information systems and customer information, including the adequacy of existing controls in the context of the identified risks and threats.
        3. Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the Program will address the risks.
      4. The college will periodically perform additional risk assessments that reexamine the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information. Such assessments must reassess the sufficiency of any safeguards in place to control these risks.
    4. Information Security Personnel and Employee Training
      1. Roane State will utilize qualified information security personnel, whether employed by Roane State or through a service provider, sufficient to manage information security risks and to assist in oversight of the Program. Security personnel must be provided with security updates and training sufficient to address relevant security risks. The college will verify that key information security personnel take steps to maintain current knowledge of changing information security threats and countermeasures.
      2. The Program Coordinator will provide college employees with security awareness training that is updated as necessary to reflect the risks identified by the risk assessment. Such training may be developed and implemented in conjunction with vendors, the Office of Human Resources, and the Office of General Counsel. Training shall be conducted periodically, as the Coordinator deems appropriate, and it shall include education on relevant policies and procedures and other safeguards in place or developed to protect customer information.
    5. Design and Implementation of Safeguards
      1. The Program will include safeguards to control the risks identified through the risk assessment, including:
        1. Implementing and periodically reviewing access controls, including technical and, when appropriate, physical controls, to authenticate and permit access only to authorized users, and to limit authorized users’ access only to customer information that they need to perform their duties and functions (or, in the case of customers, to access their own information).
        2. Identifying and managing the data, personnel, devices, systems, and facilities that enable the college to achieve operational purposes in accordance with their relative importance to operational objectives and risk strategy.
        3. Protecting by encryption all customer information held or transmitted by the college, both in transit over external networks and at rest. To the extent the Coordinator determines that encryption of customer information, either in transit or at rest, is infeasible, the Coordinator may approve a method to secure such customer information using effective alternative compensating controls.
        4. Adopting secure development practices for in-house developed applications used to transmit, access, or store customer information, and procedures for evaluating, assessing, or testing the security of externally developed applications used to transmit, access, or store customer information.
        5. Implementing multi-factor authentication for any individual accessing any information system, unless the Coordinator has approved in writing the use of reasonably equivalent or more secure access controls.
        6. Developing, implementing, and maintaining procedures for the secure disposal of customer information. These procedures must be periodically reviewed to minimize the unnecessary retention of data. Disposal must occur no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates unless:
          1. Such information is required to be retained for a longer period under TBR Policy 1.12.01.00, Records Retention and Disposal of Records (access the complete TBR policy at http://policies.tbr.edu/);
          2. The information is necessary for operational purposes; or
          3. Targeted disposal is not reasonably feasible due to the manner in which the information is maintained.
        7. Adopting procedures for change management.
        8. Implementing policies, procedures, and controls designed to monitor and log the activity of authorized users and to detect unauthorized access or use of, or tampering with, customer information by such users.
      2. The college must regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures, including those designed to detect actual and attempted attacks on, or intrusions into, information systems.
      3. For information systems, the monitoring and testing must include continuous monitoring or periodic penetration testing and vulnerability assessments. Absent effective continuous monitoring or other systems to detect, on an ongoing basis, changes in information systems that may create vulnerabilities, the college must conduct:
        1. Annual penetration testing of information systems based on relevant risks identified through risk assessments; and
        2. Vulnerability assessments, including any systemic scans or reviews of information systems reasonably designed to identify publicly known security vulnerabilities. Such vulnerability assessments must be conducted at least every six months, whenever there are material changes to college operations, and whenever circumstances or events may have a material impact on the Program.
    6. Oversight of Service Providers and Contracts
      1. Roane State will take reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate safeguards for the customer information to which they have access. Service providers must be periodically assessed based on the risk they present and the continued adequacy of their safeguards.
      2. The college will require, by contract, that current and potential service providers with access to customer information maintain sufficient procedures to detect and respond to security events.
      3. The college will require, by contract, that all applicable third-party service providers implement and maintain appropriate safeguards for customer information.
    7. Incident Response Plan
      1. The Program must include a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in the college’s control.
      2. To the extent not already required by the State of Tennessee incident response plan, the Coordinator shall ensure that the incident response plan addresses:
        1. The goals of the incident response plan.
        2. The internal processes for responding to a security event.
        3. The definition of clear roles, responsibilities, and levels of decision-making authority.
        4. External and internal communications and information sharing.
        5. Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls.
        6. Documentation and reporting regarding security events and related incident response activities.
        7. The evaluation and revision as necessary of the incident response plan following a security event.
    8. Program Evaluation and Adjustment
      1. The Coordinator must evaluate and adjust the Program in light of the results of the testing and monitoring, any material changes to college operations, the results of risk assessments, and any other circumstances that may have a material impact on the Program.
      2. The Program must include a plan for periodically evaluating the Program and a method for revising the Program, as necessary, for continued effectiveness.
  4. Evaluation of the Information Security Program
    1. The Coordinator, together with the appropriate administrators, shall evaluate the effectiveness of the Program annually.
    2. The Coordinator shall make certain that necessary revisions to the Program are made at the time of the annual review to address any changes in the college organization that may affect the implementation and effectiveness of the Program.
  5. Annual Report to the Board
    The System Office Coordinator will prepare a form for college coordinators to complete and return in time sufficient for inclusion in the report to the Board.
  6. The CIO of Information Technology shall be responsible for development and maintenance of this policy for issuance by the Vice President for Business & Finance.
TBR Policy Reference: B-090
Revision Effective Date: 05/02/2023
Revision Approved By: Christopher L. Whaley, President
Original Effective Date: 12/14/2015
Approved By: Christopher L. Whaley, President
Office Responsible: Vice President for Business & Finance
Reviewed: 04/13/2023