
Security and Privacy Impact Assessment (SPIA)
Why do a Security and Privacy Impact Assessment (SPIA)? Who will it benefit?
The SPIA process is one that supports schools, centers, business units, and
the university as a whole. More importantly, the process will help protect our
students, patients, research subjects, and employees by ensuring the information
entrusted to Penn is protected and used only for its intended purposes. Completing
such an analysis is extremely important in today's technologically advanced
world. Users should understand what risks exist in their environment, and how
those risks can be reduced or even eliminated.
Provided at the links below are step-by-step instructions and guidance along
with a tool/template to assist you in completing the assessment. (Note: The
following is all you need to complete your SPIA.)
Related Links and Resources
University Policies for Information Privacy and Security
http://www.upenn.edu/computing/policy/
International Standard Code of Practice for Information Security Management
http://csrc.nist.gov/publications/secpubs/otherpubs/reviso-faq.pdf
Payment Card Industry Security Standards
http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf
HIPAA Privacy and Security Rules
http://www.cms.hhs.gov/hipaa/hipaa2/regulations/privacy/default.asp
http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/default.asp
Gramm Leach Bliley Act
http://www.ftc.gov/privacy/glbact/glbsub1.htm
Last updated: Friday, July 13, 2007