CSU Personal Information Protection Procedure

PURPOSE: The purpose of the CSU Personal Information Protection Procedure is to implement all procedures and notification processes in compliance with, and pursuant to, the Personal Information Protection Act, 815 ILCS 530. The Act is designed to ensure uniform notification to all individuals whose personal information may have been disclosed to an unauthorized entity.

This procedure applies to all personnel who provide, receive, or come into contact with personal information in the course of performing their duties at Chicago State University.

Definition:

Data Collector Chicago State University, a public university, is considered a "data collector".

Breach means the unauthorized acquisition of computer data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector. "Breach of the security of the system data" does not include the good-faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector, provided that the personal information is not used for a purpose unrelated to the data collector's business or subjected to further unauthorized disclosure.

Personal information means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

  1. Social Security Number.
  2. Driver's license number or State identification card number.
  3. Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.

A breach may include any or all of the following:

  1. An active malware infection in which the malware permits unauthorized remote access to the system, or permits data to be retrieved by an unauthorized machine from a system known to contain personal information. This does not include the quarantine of incoming malware that does not actually execute on the system in question.
  2. The loss or theft of any computing device (such as a laptop, personal computer, or backup media) containing unencrypted personal information.
  3. The loss or theft of any printout containing personal information.

Information Technology Department (ITD) Responsibility

  1. When an active compromise can be determined, ITD will act promptly to contain the incident by taking actions such as disconnecting the affected systems from the campus network, implementing network blocks, or other necessary actions.
  2. University officials, department heads, and departmental computer technicians shall notify ITD staff by email and telephone as soon as they become aware of a likely security compromise. ITD will document the incident and provide logs of the systems as evidence of the breach.

Departmental Responsibility:

  1. Systems maintained by the Department will fall under this category.
  2. Departments must maintain an inventory of systems containing personal information. The inventory should only be accessible to authorized parties.
  3. If any incident meets the criteria for classification as a security compromise, the Department will certify it as such and inform ITD immediately. ITD will then follow the course of action stated as a follow-up to this logged incident.
  4. If an incident requires law enforcement intervention, the appropriate law enforcement agency must be contacted immediately and will direct the process of preserving evidence. If law enforcement is to be involved, the chain of custody of information related to the security compromise must be preserved through special procedures that are above and beyond the offerings of ITD. ITD and the Department will follow the procedures set by the law enforcement agency under its guidance.
  5. If the incident does not warrant law enforcement intervention, local computer administrators or other technical personnel may be used to determine the extent of the security incident and recover from it.
  6. The Department will develop and implement a plan to prevent future incidents.

This procedure is implemented in accordance with the Illinois Personal Information Protection Act, 815 ILCS 530.

Notification Process:

  1. Notification will be issued upon any unauthorized acquisition of computer data that compromises the security, confidentiality, or integrity of personal information maintained by CSU.
  2. Notification shall be made promptly and without unreasonable delay (unless notification would interfere with a criminal investigation).
  3. Notification shall include: the toll-free numbers and addresses of the consumer reporting agencies; the toll-free number, address, and website address of the Federal Trade Commission; and a statement that the individual can obtain information from these sources about fraud alerts and security freezes. Notifications shall not include information about the number of Illinois residents or members of the CSU community affected by the breach.
  4. Appropriate notification may be in written form, or in electronic form consistent with 15 USC Section 7001.
  5. Substitute notice may be used if the cost of providing notice would exceed $250,000, if the affected class of persons to be notified exceeds 500,000, or if CSU does not have sufficient contact information. Substitute notice shall include all of the following:
    1. Email notice, if CSU has an email address for the affected persons;
    2. Conspicuous posting of the notice on the data collector's web site; and
    3. Notification to major statewide media.
  6. Within 5 business days of a breach, a report must be submitted to the General Assembly listing the breach and outlining the corrective measures taken to prevent future breaches.
  7. An annual report must be submitted listing all breaches of the security of the system or of written materials, and the corrective measures taken to prevent future breaches.
  8. Materials must be disposed of in a manner that renders the information unreadable, unusable, and undecipherable.
    1. Electronic materials may be destroyed or erased so that the personal information cannot be read or reconstructed.
    2. Paper documents may be redacted, burned, pulverized, or shredded so that the personal information cannot be read or reconstructed.
  9. If the breach affects more than 1,000 persons, CSU shall also notify, as soon as possible, all nationwide consumer reporting agencies of the timing, distribution, and content of the notices. CSU shall not be required to identify the number or names of the affected parties.