Procedures & Policies

Security Procedures

• Security and Privacy Impact Assessment (SPIA) : A tool designed by the Office of Audit Compliance and Privacy and Information Systems and Computing to address privacy and security risks associated with data stored on our systems.
• Vendor Security Technical Assessment of Risk (V-STAR) : Tools and guidance help you navigate when it is permissible and advisable to share Penn data with a third party.
• Data Incident Reporting: This includes, but is not limited to a data breach, computer or email compromises and lost/stolen equipment.

Security Policies

• ITS Computing Policy : Defines the access to and retention of all systems, accounts, and data, maintained in systems owned by ITS or for which ITS is responsible.

• ITS Vulnerability Remediation Policy : Establishes a framework for identifying, assessing and remediating security vulnerabilities on all managed systems connected to School or University networks.

• Information Security and Privacy Program Charter : University policy regarding the protection and responsible use of information collected from and about its students, faculty, staff, business partners and others who have provided such information to the University.

• Penn Data Risk Classification : The University of Pennsylvania data is classified into three categories based on the level of data sensitivity, government regulations, and the University policies.
• Policy on Security of Electronic Protected Health Information (ePHI) : This security policy outlines minimum standards for ensuring the confidentiality, integrity and availability of electronic protected health information (ePHI) received, maintained or transmitted.
• Cloud Computing:  Acceptable Use Guidelines : Guidance to describe opportunities, issues, safeguards and requirements regarding the use of certain third-party services (often called “cloud computing” services) involving University data.
• Acceptable Use of Electronic Resources : Defines the boundaries of “acceptable use” of limited University electronic resources, including computers, networks, electronic mail services and electronic information sources.
• Policy on Confidentiality of Student Records : Policy to describe the rights and responsibilities of students, faculty and staff regarding the confidentiality of student records, including as specified under the Family Educational Rights and Privacy Act (FERPA).
• HHS Guidance Regarding Methods for De-identification of PHI : Guidance about methods and approaches to achieve de-identification in accordance with the HIPAA Privacy Rule.
• Social Security Number Policy : Establishes expectations around the use of SSNs to reduce privacy and security risks.
• Records Retention Schedule : Guideline that sets forth the length of time records are recommended to be retained.
• Disposition of Documents and Data of Faculty/Staff Leaving Penn : Guidance to highlight the importance of coordinating the review and disposition of materials of faculty and staff who leave the University, and to highlight issues that may require special attention.