Procedures & Policies • Information Technology Services • Penn Nursing

Security Procedures

Security and Privacy Impact Assessment (SPIA) : A tool designed by the Office of Audit Compliance and Privacy and Information Systems and Computing to address privacy and security risks associated with data stored on our systems.
Vendor Security Technical Assessment of Risk (V-STAR) : Tools and guidance help you navigate when it is permissible and advisable to share Penn data with a third party.
Data Incident Reporting: This includes, but is not limited to a data breach, computer or email compromises and lost/stolen equipment.

Security Policies

ITS Computing Policy : Defines the access to and retention of all systems, accounts, and data, maintained in systems owned by ITS or for which ITS is responsible.
ITS Vulnerability Remediation Policy : Establishes a framework for identifying, assessing and remediating security vulnerabilities on all managed systems connected to School or University networks.
Information Security and Privacy Program Charter : University policy regarding the protection and responsible use of information collected from and about its students, faculty, staff, business partners and others who have provided such information to the University.
Penn Data Risk Classification : The University of Pennsylvania data is classified into three categories based on the level of data sensitivity, government regulations, and the University policies.
Policy on Security of Electronic Protected Health Information (ePHI) : This security policy outlines minimum standards for ensuring the confidentiality, integrity and availability of electronic protected health information (ePHI) received, maintained or transmitted.
Cloud Computing: Acceptable Use Guidelines : Guidance to describe opportunities, issues, safeguards and requirements regarding the use of certain third-party services (often called “cloud computing” services) involving University data.
Acceptable Use of Electronic Resources : Defines the boundaries of “acceptable use” of limited University electronic resources, including computers, networks, electronic mail services and electronic information sources.
Policy on Confidentiality of Student Records : Policy to describe the rights and responsibilities of students, faculty and staff regarding the confidentiality of student records, including as specified under the Family Educational Rights and Privacy Act (FERPA).
HHS Guidance Regarding Methods for De-identification of PHI : Guidance about methods and approaches to achieve de-identification in accordance with the HIPAA Privacy Rule.
Social Security Number Policy : Establishes expectations around the use of SSNs to reduce privacy and security risks.
Records Retention Schedule : Guideline that sets forth the length of time records are recommended to be retained.
Disposition of Documents and Data of Faculty/Staff Leaving Penn : Guidance to highlight the importance of coordinating the review and disposition of materials of faculty and staff who leave the University, and to highlight issues that may require special attention.