The Security and Privacy Impact Assessment (SPIA) program is a resource to help each School/Center better understand what threatens the data in its computing applications and databases, where the greatest vulnerabilities exist, and what safeguards can be implemented. SPIA helps these organizations collect an inventory of their computing applications and databases, create a three-year plan for conducting risk assessments, and then complete detailed risk assessments according to the schedule developed by that organization. The tool offers suggestions for what safeguards may be appropriate in order to mitigate the most common threats and provides a reporting template to help synthesize the learning and proposed changes that result from the SPIA process.
SPIA is not a mandate requiring that all mitigation strategies be implemented. Rather, it is a roadmap to help organizations identify areas of risk and select appropriate strategies and timeframes to mitigate those risks.
The following tools and guidance help you navigate when it is permissible and advisable to share Penn data with others:
- SPIA Blank Inventory Tool
- SPIA Blank Risk Assessment Tool
- SPIA Sample Inventory Tool
- SPIA Sample Risk Assessment Tool
- SPIA Blank Executive Report
Additional resource: SPIA for Reference Tool