Introduction
Each of Penn's Schools and Centers must have a designated Security Liaison who works both inside the organization and with ISC's Information Security Office to strengthen Penn's security layers and to identify and address risks and opportunities for the security of Penn systems and data. The goals of this initiative are to raise security knowledge in those responsible for security initiatives, broaden awareness of security practices across organizations, provide a designated local security point of contact for Penn-wide and School- or Center-based initiatives, and ensure compliance with University information security policies and procedures. Active participation in the Security Liaison Council is expected.
Roles and Responsibilities of Security Liaisons
- Be knowledgeable of Major Security Issues, Policies, and Programs at Penn, including:
  - Familiarity with Penn's information security policies, procedures, publications, initiatives, and other resources located on Penn's Information Security homepage -- www.isc.upenn.edu/security/overview
  - Understanding of Penn's legal and regulatory obligations regarding information security
- Actively Promote Security Awareness in School or Center
  - Establish and maintain a security awareness program specific to the individual School or Center, leveraging pertinent University-wide policies, publications, and tools, as well as incorporating knowledge of specific School/Center risks gained from tools such as SPIA. Examples of types of communications that can be used include:
    - Almanac "One Step Ahead" Privacy and Security Tips. These tips may be copied for use in newsletters, on websites, on posters, and via other media, or they can be linked to from your websites.
    - Brochure: Guide to Information Security & Privacy. Copies are available from the Information Security Office. Consider the quantity and placement of such brochures appropriate to your School or Center.
    - Information Security Training classes are taught at least annually and frequently more often.
  - Assess the need for additional information security training, written guidance, and other tools that can be provided through the Information Security Office or through University-wide best practices.
  - Be proactive in promoting Security Initiatives in the School or Center, whether new or existing. Current examples include:
- Serve as Proactive Security Champion in School or Center
  - Act as an advocate for information security on a proactive basis with respect to School- and Center-based initiatives and programs.
- Serve as Contact Person in Case of Security Incident
  - Serve as a contact person in the School or Center in case of an information security incident; assist in gathering and appropriately distributing information regarding the incident and developing a response, working closely with ISC Information Security, for the appropriate senior leadership in the School or Center and/or other appropriate personnel.
  - Maintain the confidentiality of information and situations concerning Penn security incidents, whether restricted to the individual School/Center or whether other Schools/Centers may be affected.
- Actively participate with other Security Liaisons in an ongoing Security Liaisons Council
  - Share, as appropriate, problems, concerns, and best practices with other Security Liaisons
  - Learn from the Office of General Counsel, the Division of Public Safety, and the ISC Security Office about how best to coordinate information security activities internally and potentially with external agencies