Information Security Policies & Procedures

Overview

The Office of Information Security works with the broader Penn IT community to establish policies that comply with University, state, and federal regulations and govern how IT is deployed at Penn. These policies help to protect information from disclosure, unauthorized access, or loss/corruption of electronic and physical data. Along with well-documented best practices and standards, these policies enable Penn organization to manage business risk through defined controls that serve as benchmarks for audits and corrective action. Notable policies and best practices include:

Overseen by Penn's IT Policy Committee:

• IT Policy Governance
• IT Security Policy
• IT Network Policy
• IT Security Standards
• IT Network Standards
• IT Network Best Practices
• Information Security Best Practices

Other relevant University policies and procedures:

• Policy on Acceptable Use of Electronic Resources
• Policy on Unauthorized Copying of Copyrighted Media
• Policy on Computer Disconnection from PennNet
• Response to a Compromised Computer with Sensitive Data

Guidelines

• Security Logging Guidelines
• Penn Data Risk Classification
• Use of PennBox and Amazon Web Services
• Computer Security Incident Handling
• Guidelines on Incident Response Cost Coverage
• Securing Office 0365 Collaboration Tools
• Guidance on Large Language Models
• Statement on Guidance for the University of Pennsylvania (Penn) Community on the Use of Generative Artificial Intelligence 

Statements

• The University of Pennsylvania Statement on Security Vulnerability Reporting and Bug Bounties

Forms

• Employee Exit IT Checklist