Introduction

希望国际大学 (HIU) Information Security Policy is intended as a set of comprehensive guidelines and policies designed to safeguard all confidential and restricted data maintained at the university to assist HIU in complying with applicable laws and regulations on the protection of personal information and nonpublic personal information, 在学校的档案和系统里也有.

Overview and Purpose

HIU Information Security Policy is implemented to comply with the California Consumer Privacy Act of 2018 (CCPA), 家庭教育权利和隐私法(FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99), and the financial customer information security provisions of the Gramm-Leach-Bliley Act (GLBA) 15 USC § 6801(b) and 6805(b)(2).

依照这些法律法规, HIU必须采取措施保护个人身份信息, 包括财务信息, and to provide notice about security breaches of protected information at the university to affected individuals and appropriate state agencies.

HIU is committed to protecting the confidentiality of all sensitive data that it maintains, 包括在大学工作或学习的个人信息. HIU has implemented policies to protect such information and should be read in conjunction with these policies that are cross-referenced at the end of this document.

GLBA

In compliance with Gramm-Leach-Bliley Act (GLBA) HIU documents and report our data protection policies and procedures. As part of GLBA, the 联邦贸易委员会 requires us to:

• 为HIU建立全面的信息安全计划, 并制订政策，以保障大学所保存的敏感资料, 遵守联邦和州法律法规.
• Establish employee responsibilities in safeguarding data according to its classification level.
• 建立行政, technical, 并进行物理防护，确保敏感数据的安全.

Scope

该计划适用于所有HIU员工, including faculty, staff, contract, and temporary workers, hired consultants, 实习生和胜博发体育app雇员.

此程序所涵盖的数据包括存储的任何信息, accessed, 或者是由大学收集的. HIU Information Security is not intended to supersede any existing policy that contains more specific requirements for safeguarding certain types of data.

Definitions

Data: 数据是指由大学存储、访问或收集的信息.

Data custodian: A party responsible for maintaining the technology infrastructure that supports access to and safe custody, transport, and storage of the data, 并为其使用提供技术支持. A data custodian is also responsible for implementation of the business rules established by the data owner.

Data owner: 负责数据内容和相关业务规则开发的一方, 包括授权访问数据.

Personal information: 根据CCPA的定义, 个人信息是识别身份的信息, relates to, 或者可能与你或你的家庭有关.¹

非公开个人信息: 根据GLBA 15 USC§6809(4)(A)定义, nonpublic personal information is personally identifiable financial information (i) provided by a consumer to a financial institution; (ii) resulting from any transaction with the consumer or any service performed for the consumer; or (iii) otherwise obtained by the financial institution.²

Data Classification

本政策所涵盖的所有数据将分为三类之一, 根据需要的安全级别.

Confidential: 任何未经授权访问的数据, use, alteration, 或披露可能对HIU构成重大风险, its faculty, staff, or students. Confidential data should be treated with the highest level of security to ensure the privacy of that data, 以及防止任何未经授权的访问, use, alteration, or disclosure. Confidential data includes data that is protected by federal or state laws and regulations.

Restricted: All other personal and institutional data where the loss of such data could harm an individual's right to privacy or negatively impact the finances, operations, or reputation of HIU. Any non-public data that is not explicitly designated as confidential should be treated as restricted data.

以下大学资料被列为限制资料:

• Social security number
• Bank account number
• Driver's license number
• 国家身份证号码
• Credit card number
• 受保护的健康信息(由HIPAA定义)

Restricted data includes data protected by FERPA, referred to as student education records. This data also includes, but is not limited to, donor information, 关于人类受试者的研究数据, 知识产权(专有研究), patents, etc.), 大学财务和投资记录, 员工工资信息, 或有关法律或纪律事宜的资料:

访问受限制的数据应限于由, or enrolled at HIU, and who have legitimate reasons for access as governed by FERPA or other applicable law or university policy:

Public: 不受分发限制的任何信息.

Policy

Responsibilities

HIU的所有数据都分配给数据所有者. 资料拥有人须负责批准查阅该等资料的所有要求.

Information Technology (IT) staff serve as the data custodians for all data stored centrally on HIU's servers and administrative systems, 他们对这些数据的安全负责.

Human Resources will inform IT staff about an employee's change of status or termination as soon as is practicable but before an employee's departure date from HIU. 状态的变化可能包括终止, leaves of absence, 职位职责发生重大变化, 调到其他部门, 或任何其他可能影响员工访问HIU数据的更改.

IT人员监督维护、更新和实现信息安全. The university's Director of Information Technology has overall responsibility for the Information Security.

All HIU personnel with access to university data are responsible for maintaining the privacy and integrity of all sensitive data as defined above, 并且必须保护数据不被未经授权的使用, access, disclosure, or alteration. 所有可以访问大学数据的人员也需要访问, store, and maintain records containing sensitive data in compliance with the HIU Information Security.

保护机密资料

保护大学机密资料, 制定了以下与获取有关的政策和程序, storage, transportation, 销毁记录:

• Only those requiring access to confidential data in the regular course of their duties are granted access to this data, 包括物理和电子记录.
• To the extent possible, all electronic records containing confidential data should only be stored on on-campus secure network storage and not on local machines or unsecured servers.
• Confidential data must not be stored on cloud-based storage solutions that are unsupported by HIU.
• 机密资料不应储存在手提电脑或其他流动装置(例如.g.、闪存盘、智能手机、外置硬盘). 如有必要以电子方式传送机密资料, 必须对包含数据的设备进行加密.
• Paper records containing confidential data must be kept in locked files or other secured areas when not in use.
• 终止雇佣或终止与HIU的关系, 电子和物理访问文件, 包含机密数据的系统或其他网络资源立即被终止.
• 在任何情况下都不是文件, electronic devices or digital media containing confidential data to be left unattended in any unsecure location.
• When there is a legitimate need to provide records containing confidential data to a third party outside HIU, 电子记录必须有密码保护和/或加密, 纸质记录应当标明“保密”，并密封.
• Records containing confidential data must be destroyed once they are no longer needed for business purposes, unless state or federal regulations require maintaining these records for a prescribed period.
• Paper and electronic records containing confidential data must be destroyed in a manner that prevents recovery of the data.

保障受限制资料

Access to restricted data should be limited to those who have a legitimate business need for the data. 其他保障措施如下:

• Restricted data may be stored on cloud-based storage solutions that are unsupported by HIU if they are in compliance with the requirements of any laws governing the protection of such data (e.g., FERPA).
• 包含受限数据的文件不应公开发布.

---

¹http://oag.ca.gov/privacy/ccpa

²http://www.govinfo.gov /内容/ pkg / uscode - 2011 title15 / html / uscode - 2011 - title15 chap94 subchapi sec6809.htm