Information Security Policies & Procedures

Overview

The Office of Information Security establishes policies that comply with the University, state, and federal regulations. These policies address the requirement to protect information from disclosure, unauthorized access, loss/corruption of electronic and physical data. Along with well-documented best practices and procedures, the policies enable an organization to manage business risk through defined controls that provide a benchmark for audit and corrective action. Notable policies and best practices include:

• Computing Policies and Guidelines
• IT Security Policy
• IT Security Standards
• Policy on Acceptable Use of Electronic Resources
• Policy on Unauthorized Copying of Copyrighted Media
• Policy on Computer Disconnection from PennNet

Procedures

• Response to a Compromised Computer with Sensitive Data

Guidelines

• Security Logging Guidelines
• Penn Data Risk Classification
• Use of PennBox and Amazon Web Services
• Computer Security Incident Handling
• Guidelines on Incident Response Cost Coverage
• Securing Office 0365 Collaboration Tools
• Guidance on Large Language Models 
• Statement on Guidance for the University of Pennsylvania (Penn) Community on the Use of Generative Artificial Intelligence 

Statements

• The University of Pennsylvania Statement on Security Vulnerability Reporting and Bug Bounties

Forms

• Employee Exit IT Checklist