Computing Policies and Guidelines

Collected here are University Information security policies, Privacy Policies, IP Addressing Policies, Wired & Wireless Networking Policies, PennName Policies, Mobile Device Policies Penn Medicine policies, and Guidelines. Each person with access to the University's computing resources is responsible for their appropriate use and by their use agrees to comply with all applicable University, School, and departmental policies and regulations. 

• Policy on Acceptable Use of Electronic Resources - often referred to as the Acceptable Use Policy or AUP, defines the boundaries of acceptable use of limited University electronic resources, including computers, networks, electronic mail services, and electronic information sources.
• Policy on Unauthorized Copying of copyrighted Media - states the disciplinary sanctions for violation of copyrights. 
• IT Security Policy - it describes requirements for securing computing devices, protecting confidential University data, securing web applications, and ensuring that security incidents are identified, contained, and investigated, and remedied. 

• Confidentiality of Student Records - outlines the circumstances under which personally identifiable information from a student's or applicant's record generally may be disclosed.
• Confidentiality of Faculty and Staff Records - (Human Resources Policy #201) is directed at protecting the confidentiality of staff and faculty human resources records.
• Policy on Security of Electronic Protected Health Information (ePHI) - describes the security safeguards that must be in place to ensure the security of patient medical information within the University community.
• Privacy in the Electronic Environment - highlights some general principles that should help to define the expectations of privacy of those in the University community.
• Social Security Number Policy - establishes expectations around the use of SSNs - sensitive data whose misuse poses privacy risks to individuals, and compliance and reputational risks to the University. It calls on staff, faculty, contractors, and agents of the above to inventory their online and offline SSNs and reduces the above risks.
• PCI Compliance Policy - defines the PCI Compliance for Credit Card Sales at the University of Pennsylvania.

• NOTE: Be aware that different policies may apply depending on network connection on UPHSNet or PennNet.  More restrictive policies may be imposed on UPHSnet than on PennNet connections
• Penn Medicine Intranet Policies - the parent location for Penn Medicine health system organizational policies. Links are available for Human Resources, Administrative, Clinical, and Information Services policies.
• Penn Medicine IS Policies - Current Penn Medicine health system Information Services policies are located in this location. It includes the health system information security charter, data classification, acceptable use, and other Information Technology related policies affecting health system employees and all users of computers connected to the health system computer network, especially those devices managed by health system corporate Information Services and other LSPs.

• Electronic Privacy in Practice – provide explanations, suggestions, interpretations, and best practices that are important to members of the University community who use or provide electronic communications services.
• Rules for Users of Penn's Electronic Resources - cover username changes, operation of large email lists, and maintenance of message archives.
• Guidelines for Administrators of Penn E-mail Systems - specify maximum email attachment size and user quotas.
• Guidelines for Keeping Penn's Data Safe and Private - provide recommendations for protecting sensitive data.
• Cloud Computing Guidance - This guidance is to describe opportunities, issues, safeguards and requirements regarding the use of certain third-party services (often called  cloud computing  services) involving University data. They are free or low cost services offered worldwide to any individual user where resources, such as infrastructure or software, are provided over the Internet.
• Open Expression Guidelines - monitoring the communication processes to prevent conflicts that might emerge from failure of communication, recommending policies and procedures for improvement of all levels of communication and participating in evaluation and resolution of conflicts that may arise from incidents or disturbances on campus
• Log Retention Guidelines - work in progress - contact security@isc.upenn.edu
• Guidelines for the Use of Social Media at Penn - raises awareness of the immense power of social media and provides best practices and policy when using social media in teaching, research, administrative work and more

All IT policies, including policies under review and retired policies, are listed on the IT Policy Committee (ITPC) webpage.  

All policy questions should be directed to the following group websites: Security - ISC Security, Privacy - OACP, and Networking - ISC Networking.