Computing Policies and Guidelines

• Policy on Acceptable Use of Electronic Resources - often referred to as the Acceptable Use Policy or AUP, defines the boundaries of acceptable use of limited University electronic resources, including computers, networks, electronic mail services, and electronic information sources.
• Policy on Unauthorized Copying of copyrighted Media - states the disciplinary sanctions for violation of copyrights. 
• Policy on Computer Disconnection from PennNet - Describes the circumstances under which computers will be disconnected from PennNet. 
• Policy on Requirements for Authenticated Access to PennNet - Describes the circumstances under which computers will be disconnected from PennNet. 
• Computer Security Policy - describes the requirements for securing computing devices and protecting confidential University data. It includes a baseline set of requirements for all computing devices that connect to PennNet, and additional requirements for devices that store or access confidential University data or operational data. 
• Information Systems Security Incident Response Policy - defines the response to computer security incidents. 

• Confidentiality of Student Records - outlines the circumstances under which personally identifiable information from a student's or applicant's record generally may be disclosed.
• Confidentiality of Faculty and Staff Records - (Human Resources Policy #201) is directed at protecting the confidentiality of staff and faculty human resources records.
• Policy on Security of Electronic Protected Health Information (ePHI) - describes the security safeguards that must be in place to ensure the security of patient medical information within the University community.
• Privacy in the Electronic Environment - highlights some general principles that should help to define the expectations of privacy of those in the University community.
• Social Security Number Policy - establishes expectations around the use of SSNs - sensitive data whose misuse poses privacy risks to individuals, and compliance and reputational risks to the University. It calls on staff, faculty, contractors, and agents of the above to inventory their online and offline SSNs and reduces the above risks.
• PCI Compliance Policy - defines the PCI Compliance for Credit Card Sales at the University of Pennsylvania.

• Policy on the Use of PennNet IP Address Space - specifies the IP address registration requirements for devices connected to PennNet. It also provides "best practice" recommendations to guide local network administrators in the use of the Assignments program for handling IP address registration at Penn.
• Policy on the Operation of DHCP Servers on PennNet - specifies the requirements for Dynamic Host Configuration Protocol (DHCP) servers and related infrastructure operating on PennNet. It also provides "best practice" recommendations for server administrators.

• Policy on Deployment, Operation, and Registration Requirements for Wireless Access Points on PennNet - specifies the requirements for Wireless Access Points (APs) and related wireless LAN infrastructure operating on PennNet. It also provides related "best practice" recommendations.
• Policy on the Operation of Private Remote Access Services Connecting to PennNet - specifies the requirements for operation of private remote access services connecting to PennNet, specifically modems and modem pools.
• Policy on the Use of upenn.edu Domain Name Space - specifies the naming requirements for the creation/changing of new/existing domains within the upenn.edu domain name space.
• Policy on Routing Devices on PennNet - specifies the conditions under which a routing device may be connected to PennNet via a wallplate or any other media type, such as fiber optic link.
• Policy on Use of Ethernet Switches at PennNet wallplates - specifies the conditions under which an Ethernet switch may be connected to a PennNet wallplate and provides "best practice" recommendations for deploying switches appropriately.
• Policy on the Installation and Maintenance of Network Wiring - specifies the requirements for installation of new wiring or the relocation or removal of existing wiring as it pertains to PennNet, Telecom, or PVN networks.
• Policy on Troubleshooting Charges for PennNet - specifies the conditions under which network users may be charged for troubleshooting and remedy of networking problems on PennNet. It also provides "best practice" recommendations to guide the network Local Support Provider (LSP) in preliminary troubleshooting steps in an effort to avoid any additional charges.
• Policy on Unused PennNet Wallplates - describes the circumstances under which PennNet wall plates (jacks) may be considered unused and the process by which they can be disabled and deactivated in an effort to reduce customer costs, improve the accuracy of billing, and improve the security of PennNet in a programmatic way.

• Policy on the Definition of a PennName - specifies the characteristics of a legal PennName, including the length, alphabet, and structure.
• Policy on PennNames Compliance - specifies the requirements for systems and services to be considered PennNames-compliant.
• Policy on the Duration of a PennName - specifies the duration of PennNames and the circumstances under which ownership may be transferred.
• Policy on the use of @upenn.edu address namespace - specifies the naming requirements for the creation/changing of new/existing names within the @upenn.edu email address space.

• Policy on Server-Managed Personal Digital Assistants (PDAs) - establishes requirements for protecting confidential University data contained on or accessed by PDAs managed by University servers, whether those devices are owned by individuals or the University.
• Mobile Device Encryption Policy - describes the requirements for encrypting Penn-owned mobile devices. It includes generic requirements, as well as their current technical interpretation. 

NOTE: Be aware that different policies may apply depending on network connection on UPHSNet or PennNet.  More restrictive policies may be imposed on UPHSnet than on PennNet connections

• Penn Medicine Intranet Policies - the parent location for Penn Medicine health system organizational policies. Links are available for Human Resources, Administrative, Clinical, and Information Services policies.
• Penn Medicine IS Policies - Current Penn Medicine health system Information Services policies are located in this location. It includes the health system information security charter, data classification, acceptable use, and other Information Technology related policies affecting health system employees and all users of computers connected to the health system computer network, especially those devices managed by health system corporate Information Services and other LSPs.

• Electronic Privacy in Practice – provide explanations, suggestions, interpretations, and best practices that are important to members of the University community who use or provide electronic communications services.
• Rules for Users of Penn's Electronic Resources - cover username changes, operation of large email lists, and maintenance of message archives.
• Guidelines for Administrators of Penn E-mail Systems - specify maximum email attachment size and user quotas.
• Guidelines for Keeping Penn's Data Safe and Private - provide recommendations for protecting sensitive data.
• Cloud Computing Guidance - This guidance is to describe opportunities, issues, safeguards and requirements regarding the use of certain third-party services (often called  cloud computing  services) involving University data. They are free or low cost services offered worldwide to any individual user where resources, such as infrastructure or software, are provided over the Internet.
• Open Expression Guidelines - monitoring the communication processes to prevent conflicts that might emerge from failure of communication, recommending policies and procedures for improvement of all levels of communication and participating in evaluation and resolution of conflicts that may arise from incidents or disturbances on campus

• Log Retention Guidelines - work in progress - contact security@isc.upenn.edu

• Guidelines for the Use of Social Media at Penn - raises awareness of the immense power of social media and provides best practices and policy when using social media in teaching, research, administrative work and more

All IT policies, including policies under review and retired policies, are listed on the IT Policy Committee (ITPC) webpage.  

All policy questions should be directed to the following group web sites: Security - ISC Security, Privacy - OACP and Networking - ISC Networking.

https://www.upenn.edu/about/policies