Penn Computing

Penn Computing

Computing Menu Computing A-Z
Computing Home Information Systems & Computing Penn


Saturday, May 27, 2017

  New Resources
Security Logging Service
Travel Tips for Data Security
Free Security/Privacy Training Resources
Two-step verification
Combating Malware
Phishing Archive
Cloud Computing and Data Outsourcing
Best Practices for Applications with Confidential University Data
  Security "Greatest Hits"
Managing Passwords
E-mail Harassment & Forgery
Hoaxes, frauds & scams
Wireless Networking
  Best Practices
Secure desktop computing
Secure servers
Secure data deletion
Securing printers
Tips for safe computing
Computing policies
  More in-depth information for
Local support providers
System administrators
  Security initiatives
Critical Component compliance
Authentication & authorization
Penn Security & Privacy Assessment (SPIA)
Security Liaisons (Restricted Access)
Secure Share
Secure Space
Vulnerability Scanner
  Related links
Electronic privacy
Worms, trojans, backdoors

Information Security Standards

The Office of Information Security (OIS) has published several standards for common IT environments and scenarios encountered across the University.  These standards represent recommended minimum security controls, and are considered voluntary recommendations at this time.  Additionally, all listed controls are recommended to be implemented regardless of the sensitivity of the data on the machine, as these standards represent the minimum security posture.

You are encouraged to evaluate your environment to determine if it meets these recommendations, and to prioritize system implementation efforts by risk level.  As the field of Information Security is constantly evolving, these standards may be updated over time.

All of the recommendations will be considered for future inclusion in official University IT Policy.


If you have any questions regarding these standards, you may email OIS at


You may jump to a specific standard here:

Application Standards
Endpoint Standards
Server Standards


Application Standards

Definition: An application is defined as software running on a server that is network accessible, including mobile applications.




Critical Components

If there is sensitive data, register the host and application in Critical Components to ensure regular vulnerability scanning starting before rollout. For web applications, scan with a web application vulnerability scanner.

Critical Components

Secure Coding

Follow secure coding best practices, such as OWASP (for web applications) and implement a SDLC (Software Development Life Cycle) whenever possible. A SDLC should include regular regression testing, code review, security as a design requirement; and use of a framework.

OWASP (See Quick Download section)
CERT (See coding standads for C, Android, C++, Java, and Perl)
Join Developer SIG
Developer SIG Code Contributions
Developer SIG Slack Channel

Sensitive Data

Consider your use of sensitive data - if you must store it, use encryption in transit and at rest.

Computer Security Policy
Consult ISC Information Security ( about alternatives to handling sensitive data.


Security patches must be applied on a timely basis.

Computer Security Policy
University Computing Policies


Conduct SPIA (Security and Privacy Impact Assessment), including inventory of applications, libraries on which they depend, application contacts/developers, data classifications, and data volume estimates. Consider any policy or legal implications as appropriate, consulting others as needed.


Account Review

Review accounts & privileges regularly.

PennGroups where possible, or equivalent control

Credential Management

Follow secure password handling practices for passwords used by the application, and wherever possible, use campus authentication system for user passwords.

Strong password recommendations for PennKeys
Best Practices for passwords used by the application
Penn WebLogin
Two-Step Verification with Duo





Endpoint Standards

Definition: Any laptop, desktop or mobile operating system.




Security Patching

Apply security patches within seven days of being published. Use a supported OS version.

Penn Endpoint Management Service (PennEM)
Configure OS to perform automatic updates.

Whole Disk/Device Encryption

Run native encryption as available on newer devices.

InfoSec encryption recommendations


Backup user data daily.

Secure Remote Backup

Access Control

Always use a password or a PIN on the device. Set device to lock the screen automatically when not in use.

Computer Security Policy

Malware Protection

Run antimalware/antivirus software.

Symantec Endpoint Protection

Configuration Management

Use an endpoint management solution selected and supported at the school or center level.

IBM Endpoint Management

Secure Deletion

Erase or destroy storage media before recycling or donating devices.

Secure Data Deletion





Server Standards

Definition: A server is defined as a host that provides a network accessible resource.




Physical security

Physical controls to prevent unauthorized access. Server hardware placed inside data centers wherever possible.

ISC Hosting
Facilities Managed Computing

Multi-Factor Login

Multi-factor authentication required when logging into servers with privileged account access.

Two-Step Verification with Duo


Patches to vulnerabilities applied promptly after they have been made available.

IBM Endpoint Management

Credential management

Credentials reviewed periodically. Group password management used for all shared credentials. Credential lifecycle management applied.

LastPass Premium at Penn

Secure Disposal

Hard drives and writeable media used on servers follow secure destruction/deletion upon disposal.

Secure Data Deletion


Inventory created, maintained, and periodically reviewed regarding system hardware, applications/software in use, data classification, and any regulated data present on the server (HIPAA, PCI, FERPA, etc).

IBM Endpoint Management

Identity Finder

Network firewall

Host-based network filtering (e.g. firewall) configured. Hardware firewall used wherever possible.


Centralized logging

Security-relevant events, including privileged access, are logged to a separate system.

Security Logging Service


Vulnerability management

Servers regularly scanned with a vulnerability scanner. Findings resolved as soon as is practicable. Continuous monitoring used wherever possible.

Nessus Vulnerability Scanner


SysAdmin Training

SAs trained with the tools and procedures required to implement the items listed in this standard. University policy, as well as prohibited behaviors covered.


Host integrity

Host integrity maintained through some combination of antivirus, antimalware, rootkit detection, and file integrity monitoring, configured with external alerting whenever possible (see Centralized Logging).



Least privilege


Admin/user accounts, processes, and applications limited to the most restrictive set of resources necessary. Periodic review of privileges.


Information Systems and Computing
University of Pennsylvania
Comments & Questions

Penn Computing University of Pennsylvania
Information Systems and Computing, University of Pennsylvania