Information Security Policy

Policy Name: Information Security Policy

Policy Number: IT-6001

Effective: Legacy

Revised: 2020/02

Policy Statement

The University grants to assigned individuals the reasonable and appropriate, minimum access to information needed to accomplish its institutional or instructional objectives. All members of the University community are responsible for protecting the security, confidentiality, integrity and availability of information entrusted to them against unauthorized access, use or disclosure in accordance with the following requirements:

Immediately report any actual or suspected Information security breaches, or evidence of potential illegal activity, to the Information Technology Help Desk. Suspected breaches of any University Systems, or inappropriate disclosure of Confidential Information, must be reported directly to the Chief Information Officer.

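  1. Basic Requirements for All Information: All members of the University community must:
    1. Be familiar with and comply with the requirements of the University's Electronic Communications Acceptable Use Policy. See Policy #2.8.1
    2. Treat credentials for accessing University Systems (defined below) as confidential. Such credentials are non-transferable.
    3. Use passwords of sufficient length and complexity on all systems used for University business to reasonably protect them from being guessed by humans or computers. Passwords must be changed immediately if there is suspicion of compromise.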
    4. Never write down passwords where they are easily accessible to others.
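    5. Never share usernames and passwords, including your own.
    6. Never save passwords for accessing University Systems (defined below) on public computers.
    7. Avoid storing passwords wherever possible. Some applications permit users to script or store their ID and password. Web browsers sometimes intercept logins and fill in the username and password based on previous entries, completing the login automatically. Such features should be avoided since they expose passwords to theft.
    8. Lock or log off your computer when you have finished working or are leaving it.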
    9. Never download email attachments from unknown senders.
    10. Never download or install computer programs, applications, or other software onto any University Systems without prior approval from Information Technology.

     

    If you have questions about any software, hardware or any University Systems, consult with the Information Technology Help Desk.
  2. Additional Requirements for Protecting Confidential Information:
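    1. Do not access any Confidential Information (as defined herein) unless you have been expressly authorized to access it and you have a legitimate need to know such Confidential Information.
    2. Do not share Confidential Information (by email or otherwise) unless such sharing fully complies with all University policies, and then only with those who have a legitimate need to know such Confidential Information. Confidential Information may be disclosed to third parties only in full compliance with applicable law or under a University-approved contract in which the third party is required to implement and maintain University-approved safeguards.
    3. Avoid using home computers shared with other family members to remotely access Confidential Information. Instead, use a secure computer, with appropriate anti-virus software and a software firewall installed, that is not shared with others.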
    4. Only scan or make copies of Confidential Information to the extent necessary.
    5. Do not post Confidential Information on a publicly accessible computer or website.
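    6. Do not leave documents containing Confidential Information where others can see them. Such documents should be stored in physically secure areas, such as a secured or locked suite, office, desk, or file cabinet.
    7. Where possible, Confidential Information should be emailed in an encrypted format, especially when exchanging Confidential Information externally.
    8. Do not fax Confidential Information unless no other options exist. If faxing Confidential Information is necessary, use a cover sheet that informs the recipient that the information is confidential, and set the fax machine to print a confirmation page after sending the fax.
    9. If you are unsure whether you are authorized to access, share, transmit or otherwise use Confidential Information, seek appropriate permission.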
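  3. Additional Best Practices for Mobile Devices and Off-Campus Computing:
    1. Mobile Devices (defined below) pose increased security risks because of their portability. Always take extra care to secure such devices, particularly when traveling. Take the following steps in order to minimize the risk of theft or loss of data:
      1. Secure all Mobile Devices out of sight, in a locked room, office or drawer, or use a locking cable where possible.
      2. If accessing Information of the University using Mobile Devices, protect those devices with strong passwords and follow mobile security best practices.
      3. Store files containing Confidential Information, or other data critical to University operations, on regularly maintained (backed-up) servers or other University storage resources (such as network file shares), OneDrive, Google Drive, or SharePoint. Do not store Confidential Information only on Mobile Devices with no back-up.
      4. Promptly report all lost or stolen University-owned Mobile Devices to Information Technology Services.
  4. Reporting Potential Information Security Breaches:
  5. Data and Media Disposal: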
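    1. When the University retires or otherwise removes computing, network, or office equipment (including telephones, copiers or fax machines) or other information assets that may contain Confidential Information from the business, specific steps must be taken to scrub or otherwise render the media unreadable.
    2. Deleting files or reformatting disks is not sufficient to prevent data recovery. Either physically destroy media, according to applicable waste disposal regulations, or purge it using data wiping software that meets generally accepted data destruction standards.
  6. Sanctions:
    1. Any violation of this policy may result in disciplinary action or other sanctions. Sanctions may include (in accordance with applicable law) denial or removal of access to University Systems, suspension, work assignment limitations, or more severe penalties up to and including termination or expulsion. If the University suspects illegal activities, it may report them to the appropriate authorities and assist in any investigation or prosecution of the individuals involved.
    2. The University may treat any attempt to bypass or circumvent security controls as a violation of this policy. For example, sharing passwords, deactivating anti-virus software, removing or modifying secure configurations, or creating unauthorized network connections is prohibited unless the Information Technology Help Desk has approved an exception.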
  7. Additional Definitions:
    1. Confidential Information refers to all Information collected by, with, or reported to the University in the course of its business or activities that is protected by local, state or federal law, or that may cause harm to the University, employees, or other entities or individuals if improperly disclosed, or that is not otherwise publicly available. Harms may relate to an individual’s privacy or legal or regulatory liabilities. Confidential Information includes:
      1. information relating to an individual that reasonably identifies the individual and, if compromised, could cause harm to that individual or to the University. Examples include Social Security numbers, driver license numbers or identification card numbers, credit or debit card numbers, bank account information, and student grades or disciplinary information;
      2. University financial data;
      3. employee, student, and alumni lists;
      4. University program or project plans;
      5. University contracts, including contracts with employees and external parties;
      6. communications or records regarding internal University matters and assets, including operational details and audits;
      7. University policies, procedures, standards, and processes;
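      8. any information designated as "confidential" or another protected information classification by an external party and subject to a current non-disclosure or other agreement;
      9. information regarding employees, including payroll records and employment or personnel information (such as health or disability information, disciplinary or grievance information, annual review information);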
      10. any summaries, reports, or other documents that contain Confidential Information; and
      11. drafts, summaries, or other working versions of any of the above.
    2. Mobile Device means an electronic device that is easily transportable and capable of accessing, storing, or transmitting information. Examples include laptops, tablets, mobile phones, and portable storage devices.
    3. University Systems include University-owned or controlled computing networks, software, databases, services, facilities or other computing devices.