Security & Privacy

VPULTS Security and Privacy Guidelines

Responsibilities of VPULTS

We help safeguard the security and privacy of confidential University data. We:

• Configure, maintain, and manage hardware and software firewalls for infrastructure technology (servers, storage, databases, web applications) to ensure they are protected; configure, manage, and maintain enterprise endpoint management technology (firewalls, anti-virus, malware) for desktops.
• Configure and manage local certificate services.
• Configure, manage, and maintain complex policies (via AD, AppLocker, UserLock, KeyServer, and systems) to ensure access is limited to those systems and users requiring them for their respective positions.
• Evaluate security implications of services provided by third-party vendors; work with OGC, Security and Privacy offices as well as acquisition services to ensure compliance and protection of Penn data.
• Respond to reports of breaches of information security or privacy, coordinating with Penn’s Privacy Officer.
• Represent VPUL on University committees related to information security and privacy.
• Conduct the Security and Privacy Impact Assessment for VPUL. The SPIA process visits each department in the University and helps promote best practices for handling confidential data. SPIA also helps identify security and privacy issues for web sites and services provided by outside contractors.

Automatically-Implemented Policies

• Simultaneous user login to systems is prohibited.
• Desktop screensaver is automatically implemented after 15 minutes of inactivity.
• Enterprise endpoint management (Symantec) implemented on all systems, including desktop firewall, anti-virus, malware, and browser protections.
• AppLocker: only approved applications are permitted.
• Data Storage – types and location of files and data to protected and secured centralized infrastructure
• Databases and applications are protected by location, user, and additional login requirements.
• Complex passwords are required for all systems. Previously used passwords are not allowed.
• Remote access via PCOIP is limited to approved staff.
• Desktop sharing is prohibited.

Responsibilities of VPUL Staff

• Review and be familiar with Penn’s Computing and Privacy Policies.
• Do not use e-mail to send sensitive data.
• Use VPUL individual and group shares and/or Penn+Box to store data. Only sync when needed.
• Use SecureShare to share highly sensitive data with Penn colleagues.
• Keep only the information you need. Periodically review and dispose of data in individual and group folders.
• All mobile devices (including laptops) need to be encrypted.
• Report lost/stolen mobile devices supported by VPUL. They can be erased.
• Use strong, complex passwords. Store them using LastPass, a way to securely manage your passwords.
• Keep antivirus software up to date. Install Symantec on personal devices.

VPUL Departmental Responsibilities

• Monthly review and reconciliation of active VPUL staff accounts.
• Monthly review and reconciliation of active access to CMS, Databases, Online Applications.
• Monthly review of student accounts and access.
• Monthly review and reset of group e-mail account passwords.
• Monthly review and reset of group passwords for Adobe Creative Cloud (general department accounts).
• Monthly review of address books and settings on network printers.
• Completion of checklist for staff leaving VPUL and/or Penn.

Best Practices

• Do not save passwords.
• Do not save data on online forms (by storing it in the browser).
• Log out of password protected websites when you are done with them.
• Do not use untrustworthy computers (at public kiosks or Internet cafes) or free wireless access points to access sensitive data.
• Know what you are clicking:
  • Click only on trusted and safe web links. Make sure HTTPS (SSL) is in the URL.
    • Ex: www.google.com, www.yahoo.com, www.facebook.com; any upenn.edu address; etc.
  • Refrain from clicking on unusual links found in e-mails or instant messages, even if they are coming from friends or coworkers.
    • Example: http://123.12.11.10/login.htm.
• Use more secure passwords.
• Be aware of whether or not your computer has been infected or compromised.

Relevant University Policies

• Policy on Acceptable Use of Electronic Resources: Prohibits revealing passwords or otherwise permitting the use by others (by intent or negligence) of personal accounts for computer and network access.
• Policy on Server-Managed Personal Digital Assistants: Requires passcodes, device encryption and remote data wipe in case of loss or theft.
• Mobile Device Encryption Policy: Requires device encryption for laptops and mobile phones, centralized recovery key storage, and auditing of encryption status in case of loss or theft.
• Host Security Policy: Requires strong Windows passwords, automatic patching and updates for Windows, and antivirus programs.
• Principles of Responsible Conduct: Stipulates that University technology should be used responsibly.
• Incident Response Policy: Outlines appropriate responses to security incidents.
• See a complete list of University policies here.

Data Security and Policy Guides

• Privacy Website
• Penn Information Security Website
• Privacy in the Electronic Environment]
• Staff Confidentiality Statement
• Disposition of Documents and Data of Faculty/Staff Leaving Penn

Penn Student Data Security Policies

Penn takes the confidentiality of student data very seriously. Familiarize yourself with the university resources below to ensure that you are handling student data properly.

• FERPA FAQs: Frequently asked questions about rules and laws governing student data.
• Cloud Computing Policy: Guidance on the use of cloud services (Dropbox, Google Drive, etc.) and the handling of student data.
• Protecting Penn Data: Overview of what types of data are considered confidential, as well as general guidance.
• Social Security Policy
• Confidential University Data Policy
• Using and Sharing Personal Information
• Faculty Privacy Brochure

Additional Security and Privacy Information

• Top 10 Security Tips for Smartphones and Tablets
• Best Practices for Foreign Travel
• Facebook Guidelines from Penn Privacy
• Desktop Security 101

What should I know about passwords?

• Information about passwords can be found here.

Social Engineering

What is social engineering?

Social engineering is the act of manipulating people into doing an action or persuading them into releasing confidential information. There are many forms of social engineering, such as phishing and pretexting.

What is phishing?

Phishing is a technique of illegally obtaining private information. This attack can come in many forms, such as an e-mail or a web form.

• Examples:
  • You receive an e-mail that looks legitimate. However, the sender asks you to reply with your username and password.
  • A website may look exactly like the real one but it is fake.

What is pretexting?

Pretexting is the act of orchestrating a (false) scenario in order to persuade a targeted victim to release information or perform an action.

• Example: A malicious hacker is impersonating a professor through the phone. He explains that he needs the records and social security numbers for his students immediately.

Viruses and spyware

How is my computer protected from viruses and malicious hackers?

• Symantec Endpoint Protection (SEP) antivirus software is used to run real-time scans for any viruses and spyware that are currently running on the computer.
  • An SEP firewall is running on your computer to protect against unwanted traffic from the Internet.
• Security patches and updates are installed for Microsoft Windows and third-party applications (Adobe Reader, Flash, etc). Releases for most of these patches occur infrequently, but Microsoft generally releases patches once a month.
• It is important to protect your personal computer as well. Penn also provides employees and students with free access to Symantec Endpoint Protection. You can download it from here (authenticate with your PennKey).
  • This is for personal use only! All VPUL computers already have antivirus software installed.

What are some signs that my computer might be infected with a virus or spyware?

• Some symptoms include your computer running slow, or the sudden, repeated appearance of pop-up windows. If your computer doesn’t feel like it is running like it normally does, please contact the VPULTS help desk.

Two-Step Authentication

How do I set up Duo Mobile on a new device?

• Follow the instructions in this PDF if you have purchased a new phone and need to set up Duo Mobile.