February 14, 2017
, Volume 63, No. 23
The University of Pennsylvania is committed to the protection and responsible use of information collected from and about its many constituents. The Information Security and Privacy Program Charter was created to establish principles regarding the responsible use and protection of information by the Penn community. This Charter also serves to outline the roles and responsibilities of those University officials tasked with overseeing University programs designed to protect individual privacy as well as the confidentiality, integrity and availability of Penn’s information resources and data. Questions about the Charter can be directed to the University’s Information Security Officer (Joshua Beeman, firstname.lastname@example.org) and/or the University’s Privacy Officer (Scott Schafer, email@example.com)
—Vincent Price, Provost
—Craig Carnaroli, Executive Vice President
—Scott Schafer, University Privacy Officer
—Joshua Beeman, University Information Security Officer
Information Security and Privacy Program Charter
The University of Pennsylvania (the “University” or “Penn”) is committed to the protection and responsible use of information collected from and about its students, faculty, staff, business partners and others who have provided such information to the University. The responsible use and protection of such information requires that Penn and members of the Penn community respect individual privacy, ensure the confidentiality, integrity and availability of Penn’s information resources and comply fully with all laws and government regulations.
The purpose of this Charter is to set forth certain principles regarding the responsible use of information by the Penn community. This Charter also serves to outline the roles and responsibilities of those University officials tasked with overseeing University programs designed to protect individual privacy as well as the confidentiality, integrity, and availability of Penn’s information resources and data.
Penn is committed to preeminence in research, teaching and service. As a result, Penn owns significant assets in the form of information. Penn’s informational assets include, but are not limited to, student education records, employment records, financial information, research data, protected health information, alumni and donor information, Penn operational data, Penn intellectual property, and other data relating to Penn’s infrastructure, technology resources and information security. The improper use of such information, the unauthorized or inadvertent disclosure, alteration or destruction of information assets, or a significant interruption in their availability, can disrupt Penn’s ability to fulfill its mission. Such actions can also result in regulatory, legal, financial and/or reputational risk to Penn and to the individuals whose data Penn maintains.
This Charter applies to all members of the Penn community including students, staff, faculty members, officers and employees of the University as well as other individuals authorized to use and/or access University technology resources and data.
Statement of Principles
Information security and privacy protection serve as the cornerstones by which members of the Penn community (defined in Scope, above) can demonstrate that they are good stewards of the data entrusted to them.
The Information Security and Privacy programs strive to ensure that information security and privacy efforts consistently demonstrate a commitment to the core mission and principles of the University while protecting the overall security and privacy of information at Penn.
It is understood that successful information security and privacy programs at Penn will involve not only the protection of University data and systems, but also the appropriate preservation of personal privacy.
This Charter and Penn’s information security and data privacy policies (identified in Policies below) define the principles and terms of the Penn’s Information Security and Privacy programs as well as the responsibilities of the members of the Penn community in carrying out and adhering to the respective program requirements.
• Applicant Data Policy
• Closed Circuit Television Monitoring and Recording of Public Areas for Safety and Security Purposes
• Confidentiality of Health Records under HIPAA
• Confidentiality of Faculty & Staff Records–HR Policy 201
• Confiscation of Publications on Campus
• Confidentiality of Student Records
• Computer Security Policy
• Guidelines on Open Expression
• Information Systems Security Incident Responses
• Photocopying for Educational Use
• Policy on Acceptable Use of Electronic Resources
• Policy on Computer Disconnection from PennNet
• Policy on Requirements for Authenticated Access to PennNet
• Policy on Security of Electronic Protected Health Information (ePHI)
• Policy on Unauthorized Copying of Copyrighted Media
• Privacy in the Electronic Environment
• Privacy of Alumni Data
• Protocols for the University Archives and Records Center
• Red Flag Rule
• Relationships Between Members of the University Community and Intelligence Organizations
• Social Security Numbers
Roles & Responsibilities
All members of the Penn community have a responsibility to help ensure that Penn’s information assets are used only in the proper pursuit of the University’s mission and that the confidentiality, integrity and availability of Penn’s information is maintained, regardless of where it is processed or stored.
All members of the Penn community have an obligation to appropriately use and protect information in a manner that is respectful of personal privacy. Members of the Penn community also must use and protect information in compliance with applicable laws.
The Information Security program and Privacy program described below are charged with assisting and supporting members of the Penn community in meeting these responsibilities and strengthening accountability.
The Information Systems and Computing (ISC) Information Security program is charged with overseeing University efforts to preserve the confidentiality, integrity and availability of Penn’s digital assets, the University network, systems and data. This includes coordinating School and Center security-related activities, developing and implementing proactive technical and non-technical measures to help detect and prevent security risks, establishing policy, standards and guidance, and providing effective incident response when necessary.
The University Information Security Officer is responsible for overseeing the ISC Information Security program.
The Vice President of Information Technology (IT) and University Chief Information Officer (CIO) is responsible for identifying and delegating the responsibility for information security, for approving security policies, standards and guidelines, overseeing incident response as necessary, and reporting periodically to senior University administration and the Board of Trustees on matters of Information Security.
The Office of Audit, Compliance and Privacy (OACP) University Privacy Program is responsible for developing an overall privacy framework to: 1) establish governance, implementation and accountability structures across the University with respect to privacy; 2) ensure compliance with federal and state privacy laws as well as Penn’s privacy-related policies and procedures; 3) raise awareness about privacy risks and how to mitigate those risks; 4) and provide effective incident response when necessary.
The University Privacy Officer is responsible for overseeing the OACP University Privacy program.
The Associate Vice President for Audit Compliance and Privacy is responsible for identifying and delegating the responsibility for implementation of the University Privacy program, providing senior-level review of privacy-related policies and key privacy initiatives, overseeing incident response as necessary and reporting periodically to senior University administration and the Board of Trustees on matters involving University Privacy.
Schools and Centers are responsible for establishing local Security and Privacy mechanisms in order to ensure compliance with University policies and guidelines, protect data, systems and networks, implement security- and privacy-related controls, and to cooperate with the Office of Information Security and the Office of Privacy in responding to incidents.
The Information Security program and the Privacy program maintain strong relationships with the Office of General Counsel, Division of Public Safety, Information Systems and Computing, the Office of Audit, Compliance and Privacy, the Provost and EVP offices, the Office of Student Conduct and many other offices handling confidential University data. These partners are essential to the provision of information security services and privacy protections to the Penn community.
Security & Privacy Steering and Governance
The following have been established to provide input, support and steering to the Information Security program and the Privacy program:
• Privacy & Security Executive Committee (PSEC)–Broad-based membership of senior Penn leaders providing input to ensure that the implementation of security and privacy controls and policy requirements remain strong, appropriate and in alignment with the University mission.
• IT Roundtable (ITR) and the IT Security Council (IT-SEC)–The role of ITR is to share knowledge across Penn IT organizations and provide input to IT decisions and policies that have University-wide implications. IT-SEC, a sub-group of ITR, is responsible for providing feedback to ISC Information Security on matters relating to the execution and operation of their respective local information security programs.
• Network Policy Committee (NPC)-The NPC’s charge is to develop, review and recommend IT- or data-related policies for approval to IT Roundtable, and ultimately to the Vice President for IT and University CIO.
• Senior Incident Response Team (SIRT)–SIRT is made up of senior Penn leaders who provide input on the approach to handling significant privacy or security incidents.
Violations of any Information Security and/or Privacy policies identified above may result in corrective actions as set forth in the applicable policy.
Program Review & Renewal
The Information Security program, the Privacy program and this Charter are evaluated on an ongoing basis by the Provost and the Executive Vice President of the University.