Information Security Policies & Procedures

Overview

The Office of Information Security establishes policies that comply with the University, state, and federal regulations. These policies address the requirement to protect information from disclosure, unauthorized access, loss/corruption of electronic and physical data. Along with well-documented best practices and procedures, the policies enable an organization to manage business risk through defined controls that provide a benchmark for audit and corrective action. Notable policies and best practices include:

• Computing Policies and Guidelines
• IT Security Policy(link is external)
• IT Security Standards(link is external)
• Policy on Acceptable Use of Electronic Resources(link is external)
• Policy on Unauthorized Copying of Copyrighted Media(link is external)
• Policy on Computer Disconnection from PennNet(link is external)

Procedures

• Response to a Compromised Computer with Sensitive Data(link is external)

Guidelines

• Security Logging Guidelines(link is external)
• Penn Data Risk Classification(link is external)
• Use of PennBox and Amazon Web Services
• Computer Security Incident Handling(link is external)
• Guidelines on Incident Response Cost Coverage(link is external)
• Securing Office 0365 Collaboration Tools(link is external)
• Guidance on Large Language Models (link is external)
• Statement on Guidance for the University of Pennsylvania (Penn) Community on the Use of Generative Artificial Intelligence(link is external) 

Statements

• The University of Pennsylvania Statement on Security Vulnerability Reporting and Bug Bounties(link is external)

Forms

• Employee Exit IT Checklist(link is external)