Computing Policies and Guidelines

Collected here are University Information Security Policies, Privacy Policies, IP Addressing Policies, Wired & Wireless Networking Policies, PennName Policies, Mobile Device Policies, Penn Medicine policies, and Guidelines. Each person with access to the University's computing resources is responsible for their appropriate use and by their use agrees to comply with all applicable University, School, and departmental policies and regulations.

  • Confidentiality of Student Records - outlines the circumstances under which personally identifiable information from a student's or applicant's record generally may be disclosed.
  • Confidentiality of Faculty and Staff Records - (Human Resources Policy #201) is directed at protecting the confidentiality of staff and faculty human resources records.
  • Policy on Security of Electronic Protected Health Information (ePHI) - describes the security safeguards that must be in place to ensure the security of patient medical information within the University community.
  • Privacy in the Electronic Environment - highlights some general principles that should help to define the expectations of privacy of those in the University community.
  • Social Security Number Policy - establishes expectations around the use of SSNs - sensitive data whose misuse poses privacy risks to individuals, and compliance and reputational risks to the University. It calls on staff, faculty, contractors, and agents of the above to inventory their online and offline SSNs and reduce the above risks.
  • PCI Compliance Policy - defines the PCI Compliance for Credit Card Sales at the University of Pennsylvania.
  • Policy on the Use of PennNet IP Address Space - specifies the IP address registration requirements for devices connected to PennNet. It also provides "best practice" recommendations to guide local network administrators in the use of the Assignments program for handling IP address registration at Penn.
  • Policy on the Operation of DHCP Servers on PennNet - specifies the requirements for Dynamic Host Configuration Protocol (DHCP) servers and related infrastructure operating on PennNet. It also provides "best practice" recommendations for server administrators.
  • Policy on Server-Managed Personal Digital Assistants (PDAs) - establishes requirements for protecting confidential University data contained on or accessed by PDAs managed by University servers, whether those devices are owned by individuals or the University.
  • Mobile Device Encryption Policy - describes the requirements for encrypting Penn-owned mobile devices. It includes generic requirements, as well as their current technical interpretation. 

NOTE: Be aware that different policies may apply depending on whether the network connection is on UPHSNet or PennNet. More restrictive policies may be imposed on UPHSNet than on PennNet connections.

  • Penn Medicine Intranet Policies - the parent location for Penn Medicine health system organizational policies. Links are available for Human Resources, Administrative, Clinical, and Information Services policies.
  • Penn Medicine IS Policies - the location of current Penn Medicine health system Information Services policies. It includes the health system information security charter, data classification, acceptable use, and other Information Technology related policies affecting health system employees and all users of computers connected to the health system computer network, especially those devices managed by health system corporate Information Services and other LSPs.
  • Electronic Privacy in Practice - provides explanations, suggestions, interpretations, and best practices that are important to members of the University community who use or provide electronic communications services.
  • Rules for Users of Penn's Electronic Resources - cover username changes, operation of large email lists, and maintenance of message archives.
  • Guidelines for Administrators of Penn E-mail Systems - specify maximum email attachment size and user quotas.
  • Guidelines for Keeping Penn's Data Safe and Private - provide recommendations for protecting sensitive data.
  • Cloud Computing Guidance - describes opportunities, issues, safeguards and requirements regarding the use of certain third-party services (often called "cloud computing" services) involving University data. These are free or low-cost services offered worldwide to any individual user where resources, such as infrastructure or software, are provided over the Internet.
  • Open Expression Guidelines - monitoring the communication processes to prevent conflicts that might emerge from failure of communication, recommending policies and procedures for improvement of all levels of communication and participating in evaluation and resolution of conflicts that may arise from incidents or disturbances on campus.

All IT policies, including policies under review and retired policies, are listed on the IT Policy Committee (ITPC) webpage.  

All policy questions should be directed to the following group web sites: Security - ISC Security, Privacy - OACP and Networking - ISC Networking.