Introduction

The Hope International University (HIU) Information Security Policy is intended as a comprehensive set of guidelines and policies designed to protect all confidential and restricted data maintained by the university, and to assist HIU in complying with applicable laws and regulations concerning the protection of personal information and nonpublic personal information held in records and in systems owned by the university.

Overview and Purpose

The HIU Information Security Policy is implemented to comply with the California Consumer Privacy Act of 2018 (CCPA), the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99), and the provisions on safeguarding customer financial information in the Gramm-Leach-Bliley Act (GLBA), 15 USC § 6801(b) and § 6805(b)(2).

In accordance with these laws and regulations, HIU is required to take measures to safeguard personally identifiable information, including financial information, and to provide notice to affected individuals and the appropriate state agencies of any breach of the security of protected information held by the university.

HIU is committed to protecting the confidentiality of all sensitive data it maintains, including information about individuals who work or study at the university. HIU has implemented policies to protect such information, and this document should be read together with the policies cross-referenced at the end of it.

GLBA

To comply with the Gramm-Leach-Bliley Act (GLBA), HIU documents and reports on our data protection policies and procedures. As part of the GLBA, the Federal Trade Commission requires us to:

  • Establish a comprehensive information security program for HIU, with policies designed to safeguard sensitive data that is maintained by the University, in compliance with federal and state laws and regulations.
  • Establish employee responsibilities for protecting data according to its classification level.
  • Establish administrative, technical, and physical safeguards to ensure the security of sensitive data.

Scope

This program applies to all HIU employees, including faculty, staff, contract and temporary workers, hired consultants, interns and student employees.

The data covered by this program includes any information stored, accessed, or collected by and for the university. The HIU Information Security Policy is not intended to replace any existing policy that contains more specific requirements for protecting certain types of data.

Definitions

Data: Data refers to information stored, accessed, or collected, by and for the university.

Data Custodian: A party responsible for maintaining the technical infrastructure that supports the access to, security, transport, and storage of data, and which provides technical support for its use. The data custodian is also responsible for implementing the business rules established by the data owner.

Data Owner: A party responsible for the data content and development of associated business rules, including authorizing access to the data.

Personal information: As defined under the CCPA, personal information is information that identifies, relates to, or could reasonably be linked with you or your household.1

Nonpublic personal information: As defined by the GLBA 15 USC § 6809(4)(A), nonpublic personal information is personally identifiable financial information (i) provided by a consumer to a financial institution; (ii) resulting from any transaction with the consumer or any service performed for the consumer; or (iii) otherwise obtained by the financial institution.2

Data Classification

All data covered by this policy will be classified into one of three categories, based on the level of security required.

Confidential: Any data where unauthorized access, use, alteration, or disclosure could present a significant level of risk to HIU, its faculty, staff, or students. Confidential data shall be handled with the highest level of security to ensure the privacy of that data, as well as to prevent any unauthorized access, use, alteration, or disclosure. Confidential data includes data protected by federal or state laws and regulations.

Restricted: All other personal and institutional data whose loss could harm an individual's right to privacy or negatively affect the finances, operations, or reputation of HIU. Any nonpublic data not explicitly designated as confidential shall be treated as restricted data.

The following University Information is classified as Restricted:

  • Social Security number
  • Bank account number
  • Driver's license number
  • State identity card number
  • Credit card number
  • Protected health information (as defined by HIPAA)

Restricted data includes data protected by FERPA, namely student education records. Such data also includes, but is not limited to, donor information, research data on human subjects, intellectual property (proprietary research, patents, etc.), university financial and investment records, employee salary information, or information related to legal or disciplinary matters.

Access to restricted data should be limited to individuals who are employed by, or enrolled at, HIU and who have a legitimate reason for access under the provisions of FERPA or other applicable law or university policy.

Public: Any information for which there is no restriction to its distribution.

Policy

Responsibilities

All data at HIU is assigned to a data owner. Data owners are responsible for approval of all requests for access to such data.

IT staff, acting as data custodians, centrally maintain all data stored on HIU's servers and administrative systems, and they are responsible for the security of such data.

Human Resources will notify IT staff of a change in an employee's status or termination as soon as possible, and before the employee leaves HIU. Changes in status may include terminations, leaves of absence, significant changes in position responsibilities, transfer to another department, or any other change that might affect an employee's access to HIU data.

IT staff oversee maintaining, updating, and implementing the Information Security Policy. The university's Director of Information Technology has overall responsibility for information security.

All HIU personnel with access to university data are responsible for maintaining the privacy and integrity of all sensitive data described above, and must protect the data from unauthorized use, access, disclosure, or alteration. All personnel with access to university data are also required to access, store, and maintain records containing sensitive data in compliance with the HIU Information Security Policy.

Safeguarding Confidential Data

To protect college data classified as confidential, the following policies and procedures were developed that relate to access, storage, transport, and destruction of records:

  • Only those who need access to confidential data in the normal course of their duties may access such data, including both physical and electronic records.
  • Whenever possible, all electronic records containing confidential data should be stored only on secure network storage facilities on campus, and never on local computers or insecure servers.
  • Confidential data may not be stored on cloud-based storage solutions that are not supported by HIU.
  • Confidential data should not be stored on laptops or on other mobile devices (e.g., flash drives, smart phones, external hard drives). If it is necessary to transport confidential data electronically, the device containing the data must be encrypted.
  • Paper records containing confidential data must be kept in locked files or other secure areas when not in use.
  • Upon termination of employment or relationship with HIU, electronic and physical access to documents, systems or other network resources containing confidential data is immediately terminated.
  • Under no circumstances are documents, electronic devices or digital media containing confidential data to be left unattended in any unsecured location.
  • When there is a legitimate need to provide records containing confidential data to a third party outside HIU, electronic records shall be password-protected and/or encrypted, and paper records shall be marked "confidential" and securely sealed.
  • Records containing confidential data must be destroyed once they are no longer needed for business purposes, unless state or federal regulations require that they be retained for a prescribed period.
  • Paper and electronic records containing confidential data must be destroyed in a manner that prevents recovery of the data.

Safeguarding Restricted Data

Access to restricted data should be limited to those who have a legitimate business need for the data. Additional safeguards are as follows:

  • Restricted data may be stored on cloud-based storage solutions not supported by HIU, but only if those solutions meet the requirements of any law concerning the protection of such data (e.g., FERPA).
  • Documents containing restricted data should not be posted publicly.

1 http://oag.ca.gov/privacy/ccpa

2 http://www.govinfo.gov/content/pkg/USCODE-2011-title15/html/USCODE-2011-title15-chap94-subchapI-sec6809.htm