

The Gramm-Leach-Bliley Act (GLBA), effective May 23, 2003, addresses the protection and confidentiality of customer information held by financial institutions such as banks and investment firms. GLBA contains no exemption for colleges or universities. As a result, educational entities that engage in financial activities, such as processing student loans, must comply. GLBA and other emerging legislation may lead to an information security standard of care across all areas of data management practice (both electronic and physical) for information about students, customers, alumni, donors, etc. Therefore, West Virginia University at Parkersburg (WVUP) has adopted an Information Security Program for certain highly critical private financial and related information. This Information Security Program applies to customer financial information received by the University in the course of business, as required by GLBA, as well as to other confidential financial information within its scope.

  • Ensure the security and confidentiality of customer information in accordance with the applicable GLBA rules issued by the Federal Trade Commission.
  • Safeguard against anticipated threats to the security or integrity of protected electronic data.
  • Protect against unauthorized access to or use of protected data that could result in harm or inconvenience to any customer.


The Coordinator of the Information Security Program is the Chief Information Officer of West Virginia University at Parkersburg. The Coordinator is responsible for the development, implementation, and oversight of the policies and procedures required for WVUP's compliance with the GLBA Safeguards Rule. Although ultimate responsibility for compliance lies with the Coordinator, representatives of each operational area are responsible for implementing and maintaining the required security procedures within their specific operations.

The Information Security Governance Committee exists to ensure that this Information Security Program remains current and to assess potential policy or procedural changes driven by GLBA. Committee membership may change from time to time but will minimally include the Chief Information Officer, the Executive Vice President for Finance & Administration, and representatives from Financial Aid, the Business Office, Records, and Faculty. Other individuals may be added as deemed necessary.

Questions regarding GLBA impacts on business processes and policies, and questions regarding technical issues, risk assessment, and information technology security policy, should be directed to the Coordinator of the Information Security Program.


There is an inherent risk in handling and storing any information that must be protected. Identifying areas of risk and maintaining appropriate safeguards can reduce that risk. Safeguards are designed to reduce the inherent risk of handling protected information and include safeguards for both information systems and paper storage.

The Safeguards Rule requires WVUP and its affected units to develop a written information security plan describing their program to protect customer information. The plan must be appropriate to WVUP's size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. As part of its plan, WVUP and its affected units must:

• designate one or more employees to coordinate its information security program (the Chief Information Officer)
• identify and assess the risks to customer information in each relevant area of the University's operation, and evaluate the effectiveness of the current safeguards for controlling the identified risks
• design and implement a safeguards program, and regularly monitor and test that program
• select third-party vendors that can maintain appropriate safeguards, making sure that contracts with these vendors require them to maintain safeguards, and allow the University to oversee their handling of customer information
• regularly evaluate and adjust the program in light of relevant circumstances, including changes in the University's business or operations, or the results of security testing and monitoring.


Employees handle and have access to protected information in order to perform their job duties. This includes permanent and temporary employees as well as student employees whose job duties require them to access protected information, or whose work location provides access to protected information. Departments are responsible for maintaining a high level of awareness and sensitivity to the protection of protected information and should remind employees of its importance regularly. Without a culture of awareness, minor changes in office layout and practice can seriously compromise protected information.
Department representatives are responsible for ensuring that employees receive training on GLBA-related concepts and requirements. Training materials relating to GLBA and data handling are available on the web. With the approval of the GLBA Coordinator, these training templates and other materials may be tailored by each department to reflect its individual training needs. Training may be delivered in a variety of ways that meet the department's objectives. Departments are responsible for keeping records of which employees have received training and must be able to provide written copies on request.

Oversight of Service Providers and Contracts

GLBA requires the University to take reasonable steps to select and retain service providers that maintain appropriate safeguards for the covered data and information. Contracts should be reviewed to ensure the following language is included:

[Service Provider] agrees to implement and maintain a comprehensive written information security program that contains administrative, technical and physical safeguards for the security and protection of customer information, and that further contains each of the elements set forth in § 314.4 of the Gramm-Leach-Bliley Standards for Safeguarding Customer Information (16 C.F.R. § 314). [Service Provider] further agrees to protect all customer information provided to it under this agreement in accordance with its information security program and GLBA.
GLBA contract due diligence is considered in various aspects of contract negotiation, including security control review.

Evaluation and Revision of the Information Security Program

GLBA mandates that this Information Security Program be subject to periodic review and adjustment. The most frequent of these reviews will occur in information technology security and policy, where changing technology and evolving risks make regular review prudent. The procedures of other relevant University offices, such as data access procedures and training programs, should also be reviewed regularly.



– any area of WVUP that is required to comply with GLBA regulations.

– information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.

Customer Information – any record containing nonpublic personal information, as defined in 16 C.F.R. § 313.3(n), about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of [the financial institution] or [its] affiliates.

Financial Product or Service – (i) any product or service that a financial holding company could offer by engaging in a financial activity; and
– (ii) a financial service includes your evaluation or brokerage of information that you collect in connection with a request or an application from a consumer for a financial product or service.

Nonpublic Personal Information – (i) personally identifiable financial information; and
– (ii) any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available. 16 C.F.R. § 313.3(n)(1).

Personally Identifiable Financial Information – any information:
(i) a consumer provides to you to obtain a financial product or service from you;
(ii) about a consumer resulting from any transaction involving a financial product or service between you and a consumer; or
(iii) you otherwise obtain about a consumer in connection with providing a financial product or service to the consumer.

Protected Information – either personally identifiable financial information or protected health information that is covered by GLBA.

Examples of activities the FTC is likely to consider a Financial Product or Service include:
– Student (or other) loans, including receiving application information and making or servicing such loans
– Financial or investment advisory services
– Collection of delinquent loans and accounts
– Sale of money orders, savings bonds or traveler's checks
– Travel agency services provided in connection with financial services
– Issuing credit cards or long-term payment plans involving interest charges
– Personal property and real estate appraisals
– Career counseling services for those seeking employment in finance, accounting or auditing
– Services provided by a principal, broker or agent with respect to life, health, liability or disability insurance products
– Obtaining information from a consumer report
