We are pleased to announce the new Computer Security Policy, which consolidates and replaces two existing policies, and the updated Social Security Policy. Both are aimed at protecting confidential University data. Highlights are presented below, but we encourage all faculty, staff, and students to read the policies in their entirety.
—Robin Beck, Vice President, Information Systems and Computing
—Mary Lee Brown, Associate Vice President, Audit, Compliance and Privacy
Protecting Confidential University Data
Despite increasing awareness about the importance of protecting confidential data, reports of damaging incidents still appear regularly in the media. And these are only the tip of the iceberg; incidents that don’t make it to major newspapers and other outlets occur regularly at organizations across the country.
Faculty and staff are therefore reminded that each of us is responsible for protecting confidential University data we have access to, including Social Security numbers, credit card data, bank account information, HIPAA-protected data, and more. Failure to do so can put members of our community at risk for possible identity theft and other privacy-related problems, and put Penn at risk for fines, lawsuits, and reputational damage.
Guidance on how to protect this data is contained in two recently published policies: the new Computer Security Policy and the updated Social Security Number Policy. Highlights of both policies are summarized below. However, faculty and staff are strongly encouraged to read the policies in their entirety. They can be found at www.net.isc.upenn.edu/policy/approved/20100308-computersecurity.html and www.net.isc.upenn.edu/policy/approved/20071120-ssnpol.html. Both are also linked from the Computing Policies and Guidelines page at www.upenn.edu/computing/policy/.
• The Computer Security Policy replaces the PennNet Computer Security Policy and the Critical PennNet Host Security Policy. The new policy contains important and specific technical, administrative, and physical requirements to safeguard confidential University data. In general terms, confidential University data includes sensitive personally identifiable information, proprietary information, and other data whose disclosure would cause significant harm to Penn or its constituents.
• The related Social Security Number Policy, originally published in December 2007, has been updated to align technical requirements with those in the new Computer Security Policy.
Some Highlights of the Computer Security Policy
Computing Devices and Servers:
• All computers, servers, and other devices that connect to PennNet (this includes home computers), must be protected by a strong password, have security patches applied on a timely basis, have built-in firewalls activated, and have supported anti-virus protection installed and set for regular updates.
• Servers with confidential University data must be managed by a full-time University staff member with an IT position designation. If system administration is delegated to an individual who does not meet these criteria, the School or Center must designate a staff member who does meet the criteria to oversee system administration. In addition, such servers must be registered, be housed in physically secure locations, be scanned quarterly for security vulnerabilities, and have a regular program of backup and recovery testing. Accounts must be disabled promptly when access is no longer required.
• Data that is subject to breach notification requirements (such as SSNs, credit card numbers, bank account numbers, HIPAA-protected data) and other sensitive health information must be encrypted at rest if it is stored on portable computing devices (e.g., laptops, notebooks, PDAs), storage devices (e.g., flash drives) or media (e.g., CDs, DVDs).
• System administrators are responsible for making encrypted services available when there is a reasonable expectation that the services are handling, or may be used to handle, confidential University data, and when such encryption would not impose an undue burden.
• Data custodians/users should consult with their Local Support Provider (LSP) to determine the most appropriate method for transmitting confidential University data (e.g., sending confidential data via e-mail is not permitted, but use of methods such as the Secure-Share service is).
Some Highlights of the SSN Policy
This policy establishes expectations around the use of Social Security numbers—sensitive data whose misuse poses privacy risks to individuals, and compliance and reputational risks to the University. The policy calls on staff, faculty, contractors, and their respective agents to inventory their online and offline Social Security numbers and reduce the above risks by, in priority order: (1) eliminating this data altogether, (2) converting it to PennID, (3) truncating the data to capture and display only the last four digits, (4) when the complete SSN is clearly necessary, ensuring strict security controls to protect the full data.
In specified circumstances the policy requires that complete SSNs be encrypted at rest and/or in transmission. The policy has been revised to align these encryption requirements with those set forth in the Computer Security Policy.
Faculty and staff may wish to contact their LSP for assistance in meeting the requirements of these policies. (If you don’t know who your LSP is, see www.upenn.edu/computing/view/support/.) Other resources include ISC Information Security (firstname.lastname@example.org) and the Office of Audit, Compliance and Privacy (email@example.com).