Procedures & Policies
- Security and Privacy Impact Assessment (SPIA): A tool designed by the Office of Audit Compliance and Privacy and Information Systems and Computing to address privacy and security risks associated with data stored on our systems.
- Vendor Security Technical Assessment of Risk (V-STAR): Tools and guidance to help you determine when it is permissible and advisable to share Penn data with a third party.
- Data Incident Reporting: This includes, but is not limited to, a data breach, computer or email compromises and lost/stolen equipment.
- ITS Computing Policy: Defines the access to and retention of all systems, accounts, and data maintained in systems owned by ITS or for which ITS is responsible.
- Information Security and Privacy Program Charter: University policy regarding the protection and responsible use of information collected from and about its students, faculty, staff, business partners and others who have provided such information to the University.
- Penn Data Risk Classification: University of Pennsylvania data is classified into three categories based on the level of data sensitivity, government regulations, and University policies.
- Policy on Security of Electronic Protected Health Information (ePHI): This security policy outlines minimum standards for ensuring the confidentiality, integrity and availability of electronic protected health information (ePHI) received, maintained or transmitted.
- Cloud Computing: Acceptable Use Guidelines: Guidance to describe opportunities, issues, safeguards and requirements regarding the use of certain third-party services (often called “cloud computing” services) involving University data.
- Acceptable Use of Electronic Resources: Defines the boundaries of “acceptable use” of limited University electronic resources, including computers, networks, electronic mail services and electronic information sources.
- Policy on Confidentiality of Student Records: Policy to describe the rights and responsibilities of students, faculty and staff regarding the confidentiality of student records, including as specified under the Family Educational Rights and Privacy Act (FERPA).
- Social Security Number Policy: Establishes expectations around the use of SSNs to reduce privacy and security risks.
- Records Retention Schedule: Guideline that sets forth the length of time records are recommended to be retained.
- Disposition of Documents and Data of Faculty/Staff Leaving Penn: Guidance to highlight the importance of coordinating the review and disposition of materials of faculty and staff who leave the University, and to highlight issues that may require special attention.