Information Security at the University of Pennsylvania
The job of coordinating information security at Penn is handled by the Office of Information Security, a unit of Penn's Information Systems and Computing (ISC) division.
The Office of Information Security establishes, implements and maintains
security programs to assist management in the protection of computing
resources and associated information assets against accidental or unauthorized
modification, destruction, or disclosure.
New Online Privacy and Security Training
Most people at Penn have already dealt personally and/or professionally with the challenge of keeping confidential information safe and secure. Staying abreast of privacy and security risks, and ways to counteract them, is difficult in today's environment because of the multitude of warnings and rules that exist about handling information. Penn has developed an online training that focuses on many important privacy and security topics that its faculty and staff should know about. For your own personal benefit, as well as for the benefit of Penn's valued community, we urge all faculty and staff at Penn to take this training. The training will help each of us to meet the expectations of the students, faculty, staff, alumni, patients, visitors and many others who trust in us to protect the privacy and security of their information. Taking this training requires approximately 20-25 minutes. To enroll, simply go to the University's Knowledge Link site, at http://knowledgelink.upenn.edu/welcome/index.html. Log in using your Penn Key and password; click on 'Optional'; then select 'Information Privacy and Security at Penn' from the list of available courses. Thank you for your help in protecting important personal and Penn data - this effort relies on each and every one of us.
Information Security News & Views...
Michael Jackson Death Spawns Spam/Malware Threat
The SANS Institute (www.sans.org) is reporting that the death of singer Michael Jackson on Thursday, June 25, 2009 has already given rise to an outbreak of spam messages with subject lines like "Confidential===Michael Jackson", and many of these messages carry attachments purporting to be videos and other items relating to Jackson, but which actually carry malware. For the SANS Diary entry discussing this, visit: http://isc.sans.org/diary.html?n&storyid=6658.
Consider Using Secure Share for Sharing Sensitive Files
Secure Share is a web-based application for secure file exchange available to Penn faculty and staff. Though there should be a very limited need to exchange sensitive or confidential information electronically, when Penn faculty and staff are required to do so, Secure Share provides a secure and easy-to-use mechanism to ensure the safety and privacy of University data. For information and login instructions, click here.
Cornell Laptop Theft Exposes 45,000 to Identity Theft
A laptop computer belonging to an employee at Cornell University was stolen, and it contained sensitive personal information relating to 45,000 current and former Cornell students, faculty and staff. Read more about this here. Loss of (unencrypted) confidential and sensitive data by theft of laptops and other portable data devices continues to be a major security issue, and the risk of incidents like this one at Cornell is certainly a major concern here at Penn and other educational institutions. Especially if you regularly use a laptop, PDA, USB "thumb drive" or other device in handling important data, please investigate and consider using whole disk/device encryption to minimize the damage that could occur to Penn - and yourself - if the device is lost or stolen. For more information on encryption, visit: www.upenn.edu/computing/security/pgp.php
Next Security-SIG Meeting: Thursday, August 20, 2009 2:00-3:30 pm
The Security-SIG special interest group meets bi-monthly on the 3rd Thursday of even-numbered months (February, April, June, August, October, December). The usual meeting place is the Bits and Pieces Room (Rm 306) in Sansom West. All Penn IT staff and faculty with an interest in computing security and privacy issues are invited to attend. For more info, contact John Lupton at lupton@upenn.edu. The agenda for this meeting includes a presentation by SAS Computing's Justin Klein Keane on their use of a "low interaction ssh honeypot".
Solicitations from Tagged.com
IT support staff in Penn's School of Medicine have received numerous complaints about high-pressure email tactics used by Tagged.com to get users to upload address books to their (Tagged.com) site, which are then used in turn to generate spam to the addresses in those books. Please note that, in addition to being a source of yet more spam, providing electronic address books to people or organizations outside Penn may violate laws and Penn policies regarding protection of student and employee information. If you receive a solicitation of this type, please disregard it.
Inquirer: Sears to Settle Spyware Charges
According to this article published in the Philadelphia Inquirer on June 5, 2009, Sears Roebuck & Co. has agreed to settle in a case involving charges brought by the Federal Trade Commission that Sears misled customers who joined their "My SHC Community". Read the full article here.