Computing Policies and Guidelines

Collected here are University information security policies, privacy policies, network policies, and guidelines. Each person with access to the University's computing resources is responsible for their appropriate use and by their use agrees to comply with all applicable University, School, and departmental policies and regulations.

University Information Security Policies

• PennNet Computer Security Policy - This policy describes the requirements and constraints for attaching and securing a computer to PennNet. It also provides "best practice" recommendations to guide systems administrators in further steps to protect PennNet-connected systems.
• Policy on Acceptable Use of Electronic Resources - This policy, often referred to as the Acceptable Use Policy or AUP, defines the boundaries of acceptable use of limited University electronic resources, including computers, networks, electronic mail services and electronic information sources.
• Policy on Unauthorized Copying of Copyrighted Media - This policy states the disciplinary sanctions for violation of copyrights.
• Policy on Computer Disconnection from PennNet - This policy describes the circumstances under which computers will be disconnected from PennNet.
• Critical PennNet Host Security Policy - This policy describes the requirements and constraints for attaching and securing a critical computer to PennNet. It also provides "best practice" recommendations to guide systems administrators in further steps to protect PennNet-connected systems. Guidelines providing additional security recommendations for systems administrators of critical computers are also available. Critical hosts can be registered online with Information Security.
• Policy on Requirements for Authenticated Access to PennNet - This policy specifies authentication and accounting requirements for certain user access to PennNet. Specifically, it addresses on-campus access to PennNet from locations or devices that are not directly associated with a specific individual Penn user. Primary examples are access to PennNet from public jacks, public kiosk computers, wireless networks, and lab computers. This policy is therefore addressed to the local computing directors and computing support personnel responsible for these areas and/or these network jacks. This policy document also provides related "best practice" recommendations on configuration decisions associated with authentication and accounting.
• Administrative Computing Security Policy - This policy outlines the responsibilities of users, data stewards, application stewards, systems administrators and management to assure the availability, integrity and confidentiality of University administrative systems and data.

University Privacy Policies

• Confidentiality of Student Records - This policy outlines the circumstances under which personally identifiable information from a student's or applicant's record generally may be disclosed.
• Confidentiality of Faculty and Staff Records - This policy (Human Resources Policy #201) is directed at protecting the confidentiality of staff and faculty human resources records.
• Policy on Security of Electronic Protected Health Information (ePHI) - This policy describes the security safeguards that must be in place to ensure the security of patient medical information within the University community.
• Privacy in the Electronic Environment - This policy highlights some general principles that should help to define the expectations of privacy of those in the University community.
• Social Security Number Policy - This policy establishes a formal institutional program around Social Security numbers for the purposes of protecting the privacy of Penn constituents and reducing compliance and reputational risks to Penn. This policy establishes clearly defined steps and announces available resources to reduce the availability of this sensitive data.

University Network Policies

Network policies are overseen by the Network Policy Committee (NPC), which develops, reviews, and recommends policies for approval.

• Network Policies Under Review - Any proposed policies that are under review are listed on this page.
• Policy on the Use of Ethernet Repeaters at PennNet Wallplates - This policy specifies the conditions under which an Ethernet repeater may be connected to a PennNet wallplate, and refers to a list of eligible locations. It also provides "best practice" recommendations to guide the network user in deploying repeaters appropriately.
• Policy on the Use of PennNet IP Address Space - This policy specifies the IP address registration requirements for devices connected to PennNet. It also provides "best practice" recommendations to guide local network administrators in the use of the Assignments program for handling IP address registration at Penn.
• Policy on the Operation of DHCP Servers on PennNet - This policy specifies the requirements for Dynamic Host Configuration Protocol (DHCP) servers and related infrastructure operating on PennNet. It also provides "best practice" recommendations for server administrators.
• Policy on Deployment, Operation, and Registration Requirements for Wireless Access Points on PennNet - This policy specifies the requirements for Wireless Access Points (APs) and related wireless LAN infrastructure operating on PennNet. It also provides related "best practice" recommendations.
• Policy on the Operation of Private Remote Access Services Connecting to PennNet - This policy specifies the requirements for operation of private remote access services connecting to PennNet, specifically modems and modem pools.
• Policy on the Use of upenn.edu Domain Name Space - This policy specifies the naming requirements for the creation/changing of new/existing domains within the upenn.edu domain name space.
• Policy on Troubleshooting Charges for PennNet - This policy specifies the conditions under which network users may be charged for troubleshooting and remedy of networking problems on PennNet. It also provides "best practice" recommendations to guide the network Local Support Provider (LSP) in preliminary troubleshooting steps in an effort to avoid any additional charges.
• Policy on Routing Devices on PennNet - This policy specifies the conditions under which a routing device may be connected to PennNet via a wallplate or any other media type, such as fiber optic link.
• Policy on Use of Ethernet Switches at PennNet wallplates - This policy specifies the conditions under which an Ethernet switch may be connected to a PennNet wallplate and provides "best practice" recommendations for deploying switches appropriately.
• Policy on the Installation and Maintenance of Network Wiring - This policy specifies the requirements for installation of new wiring or the relocation or removal of existing wiring as it pertains to PennNet, Telecom, or PVN networks.
• Policy on the Definition of a PennName - This policy specifies the characteristics of a legal PennName, including the length, alphabet, and structure.
• Policy on PennNames Compliance - This policy specifies the requirements for systems and services to be considered PennNames-compliant.
• Policy on the Duration of a PennName - This policy specifies the duration of PennNames and the circumstances under which ownership may be transferred.
• Policy on Server-Managed Personal Digital Assistants (PDAs) This policy establishes requirements for protecting confidential University data contained on or accessed by PDAs managed by University servers, whether those devices are owned by individuals or the University.

Guidelines

• Electronic Privacy in Practice – These guidelines provide explanations, suggestions, interpretations, and best practices that are important to members of the University community who use or provide electronic communications services.
• Rules for Users of Penn's Electronic Resources - These guidelines cover username changes, operation of large email lists, and maintenance of message archives.
• Guidelines for Administrators of Penn E-mail Systems - These guidelines specify maximum email attachment size and user quotas.
• Guidelines for Keeping Penn's Data Safe and Private - These guidelines provide recommendations for protecting sensitive data.
• Critical Host Security Guidelines - These guidelines provide recommendations system monitoring and account management beyond those required by the Critical Host policy.