These Best Practices were developed by the offices of Information Systems and Computing and Audit, Compliance and Privacy.

  1. Background and Purpose

    The University of Pennsylvania and University community members require reliable and continuous access to data to support the University’s teaching, research and service mission. The University’s data is a valuable resource and asset that must be maintained and protected as such. In addition, the privacy of University community members must be protected to the greatest possible extent.

    The purpose of recommending these best practices on data access control is to help ensure the protection of the University’s data resources from accidental or intentional unauthorized access, damage, alteration or disclosure while preserving authorized users’ ability to access and use data as needed to perform their job functions. The purpose is also to support compliance initiatives regarding FERPA, HIPAA, the Gramm Leach Bliley Act and other privacy and security requirements and best practices that address data access controls.

  2. Scope of Best Practice Recommendations

    Nearly every activity of the University generates significant data, resulting in a massive amount of stored information. University data stores range in size from large central systems to much smaller local databases. These best practice recommendations are intended primarily to cover Confidential University Data and Operational Data, referred to jointly in this document as “Data,” [I] and are designed with large Data systems in mind. The practices should also be implemented for smaller Data sets if warranted based on the data risks and implementation burdens involved.

    1. Best Practices for Data Stewards: Data Access Controls

      Data Stewards are managers, researchers and others who oversee the capture, maintenance, and dissemination of Data for a particular purpose. They are expected to know the specific types of Data for which they are responsible, the appropriate uses of the Data, and the applicable regulatory and policy requirements. [II]

      Data Stewards are responsible for making security decisions regarding access to and protection of Data under their charge. This includes developing and executing procedures for granting, maintaining and terminating access to the Data for which they are responsible. These procedures should be developed taking into account the risks associated with the specific Data and/or system being accessed, as well as the burdens associated with implementing the procedures.

      1. Best Practices for Granting, Reviewing and Terminating Data User Access
        1. The Data access request process is formalized and documented. The process applies to all access requests, including those relating to third-parties (e.g., consultants).
        2. An electronic provisioning process is used where practicable. [III]
        3. The Data User’s [IV] access request includes the specific Data requested, the level of access requested (read, write), and the purpose for accessing the Data.
        4. The request process includes appropriate review and approvals (two levels), typically by the User’s immediate supervisor (i.e., first level reviewer) and the Data Steward.
        5. The Data Steward grants access to Data only to the extent that the User requires it in order to perform assigned duties and responsibilities (“need to know” access). “Need to know” access is determined by the Data Steward, based upon information provided by the first-level reviewer, as follows:
          1. Identify the User’s assigned duties and responsibilities, and evaluate how these relate to the Data that is the subject of the request. [V]
          2. Determine which specific aspects of the Data are directly relevant to the User’s duties and responsibilities (e.g., which Data elements, functions).
          3. Grant access only to those aspects of the Data that are directly relevant to the User’s work-related requirements. The Data Steward confirms that the first-level reviewer is in an appropriate position to evaluate the “need to know” and the level and type of access requested.
          The Data Steward ensures that individuals who will have access to Data sign a confidentiality agreement that assures compliance with University policies and procedures and appropriate safeguards.
        6. The Data Steward ensures that Users are required to access Data via unique and individual user credentials (e.g. PennKey).
        7. The Data Steward retains Data access account creation requests for six years, in order to support the need to audit Data access permissions throughout the complete Data access lifecycle (creation through termination).
        8. If the Data Steward permits access to Data, the permission is subject to an appropriate de-provisioning program, including, for example (alone or in combination):
          1. A specific termination of access date.
          2. Periodic review by Data Steward, in concert with supervisors, of individuals’ employment responsibilities and continued need for access.
          3. Periodic review by Data Steward of employment termination reports; reports are obtained proactively by Data Steward. [VI]
          4. Prompt reporting by supervisors and other personnel of termination or change in employment by Users.
          5. Removal of access from the User account after a substantial period of inactivity (ordinarily 12 months).
          6. Periodic review of institutional access accounts (i.e., accounts assigned to entities or devices rather than individuals) to ensure continued need for access and to ensure appropriate ownership and stewardship of such access by a Penn employee.
        9. Data access procedures are reviewed on an annual basis to ensure that they remain appropriate.
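        The de-provisioning triggers in item 8 lend themselves to a periodic automated review that a Data Steward can run over an export of current access grants. The following Python script is an added illustration, not part of this document or of any Penn system; the account records, field names and dates are constructed for the example, and it checks each grant against a termination date, the termination report, the 12-month inactivity rule and the requirement that institutional accounts have a Penn employee owner.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# "Ordinarily 12 months" of inactivity before access is removed (item 8.5).
INACTIVITY_LIMIT = timedelta(days=365)

@dataclass
class AccessGrant:
    account: str                 # individual credential (e.g. PennKey) or institutional account
    data_set: str
    level: str                   # "read" or "write"
    granted_on: date
    institutional: bool = False  # assigned to an entity/device rather than a person (item 8.6)
    owner: Optional[str] = None  # Penn employee responsible for an institutional account
    terminate_on: Optional[date] = None  # specific termination-of-access date (item 8.1)
    last_activity: Optional[date] = None
    employment_active: bool = True       # taken from the termination report (item 8.3)

def review_grant(g: AccessGrant, today: date) -> list[str]:
    """Return the de-provisioning triggers that apply to one grant (empty list = keep)."""
    reasons = []
    if g.terminate_on is not None and today >= g.terminate_on:
        reasons.append("termination date reached")
    if not g.employment_active:
        reasons.append("employment ended per termination report")
    last_use = g.last_activity or g.granted_on   # never-used grants age from the grant date
    if today - last_use > INACTIVITY_LIMIT:
        reasons.append("inactive for more than 12 months")
    if g.institutional and not g.owner:
        reasons.append("institutional account has no Penn employee owner")
    return reasons

def review_all(grants: list[AccessGrant], today: date) -> dict[str, list[str]]:
    """Map every account that needs Data Steward action to the reasons for it."""
    flagged = {}
    for g in grants:
        reasons = review_grant(g, today)
        if reasons:
            flagged[g.account] = reasons
    return flagged

# Constructed sample grants; the accounts, data sets and dates are made up for this example.
TODAY = date(2024, 6, 1)
SAMPLE_GRANTS = [
    AccessGrant("jdoe", "student-records", "read", date(2023, 9, 1), last_activity=date(2024, 5, 20)),
    AccessGrant("consult01", "payroll", "write", date(2023, 11, 1), terminate_on=date(2024, 1, 31), last_activity=date(2024, 1, 30)),
    AccessGrant("mlee", "donor-db", "read", date(2022, 6, 1), last_activity=date(2023, 1, 15)),
    AccessGrant("lab-scanner", "research-images", "write", date(2024, 2, 1), institutional=True, last_activity=date(2024, 5, 30)),
]
```

Running `review_all(SAMPLE_GRANTS, TODAY)` leaves the active, recently used individual grant alone and flags the expired third-party grant, the grant idle for over a year, and the unowned institutional account.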
      2. Best Practices for Training Data Users

        In addition, the Data Steward ensures that Users receive appropriate awareness training in connection with the grant of Data access.

        The training includes:

        1. General use of the system and Data.
        2. Review of Policy on Acceptable Use of Electronic Resources.
        3. Review of relevant privacy and security requirements (for example, Social Security Number policy, PDA policy, Incident Response policy, HIPAA policies, FERPA policy).
        4. Review of highest priority risks to the Data (for example, remote access, storage of Data on laptops) and ways to manage those risks.
        5. Emphasis on accessing and using Data only as required for the conduct of University business, within the scope of the User’s job responsibilities, regardless of the actual level of access the system provides.

        A Data Steward may delegate any or all of his/her Data administration duties to other University faculty or staff; however, the Data Steward retains ultimate responsibility for the Data.

      Definitions

      “Data” is defined here to include the following:

      1. Confidential University Data, including:

        Sensitive Personally Identifiable Information
        Information relating to an individual that reasonably identifies the individual and, if compromised, could cause significant harm to that individual or to Penn. Examples may include, but are not limited to, Social Security numbers, credit card numbers, bank account information, student grades or disciplinary information, salary or employee performance information, donations, patient health information, information Penn has promised to keep confidential, and account passwords or encryption keys used to protect access to confidential University Data.

        Proprietary Information
        Data, information, or intellectual property in which the University has an exclusive legal interest or ownership right, which, if compromised, could cause significant harm to Penn. Examples may include, but are not limited to, business planning, financial information, trade secrets, copyrighted material, and software, or comparable material from a third party when the University has agreed to keep such material confidential.

        Other Data
        Other data whose disclosure would cause significant harm to Penn or its constituents.

      2. Operational Data

        Data whose loss or corruption would impair the academic, administrative, or research functions of the University, or result in a significant business or financial risk or a significant legal risk or liability.

        These definitions are used in the University’s Computer Security Policy as well as other policies.

        “Data User” means, for purposes of this document, an individual who has been granted access to Data as part of his or her assigned duties, roles or functions. This access is granted solely for the conduct of University business.

      Footnotes

      I. The definition of “Data,” as used in this document, is provided in the Definitions section beginning on p. 3, below.

      II. Data Stewards should confer with the Office of General Counsel or Office of Audit, Compliance and Privacy if assistance is needed in interpreting regulations, policies or statutes.

      III. PennGroups is an automated provisioning service available for use at Penn. For details on PennGroups see http://www.upenn.edu/computing/penngroups/.

      IV. “Data User” is defined in the Definitions section that begins on p. 3 of this document.

      V. The Data Steward may wish, as a preliminary matter, to identify the most common usages of the Data sets for which he or she is responsible. This could potentially expedite determinations regarding “need to know” access requests.

      VI. At the time of the writing of this document, the most convenient source for these reports is the University’s Data Warehouse.