A. Name: Policy on Server-Managed Personal Digital Assistants (PDAs)
B. Number: 20080407-serverpda
C. Author: M. Muth (ISC N&T)
[ ] proposed [ ] under review [X] approved [ ] rejected [ ] obsolete
E. Date proposed: 2007-09-12
F. Date revised: 2009-01-12
G. Date approved: 2008-04-07
H. Effective date: 2008-04-15
II. Authority and Responsibility
Information Systems and Computing is responsible for the operation of Penn's data networks (PennNet) as well as the establishment of information security policies, guidelines, and standards. This office therefore has the authority and responsibility to develop a policy in response to the significant privacy and compliance risks associated with confidential University data contained on or accessed by personal digital assistants (PDAs).
III. Executive Summary
This policy establishes requirements for protecting confidential University data contained on or accessed by PDAs managed by University servers, whether those devices are owned by individuals or the University.
The purpose of this policy is to ensure that University server operators configure and maintain PDAs with appropriate measures to protect the privacy of Penn constituents and reduce compliance and reputational risks to Penn.
V. Risk of Non-compliance
PDAs have a greater risk of theft or loss than other computing devices. If a PDA containing confidential University data is accessed by an unauthorized party, the University may incur business risks (strategic, operational, financial, compliance and reputational).
Sensitive Personally Identifiable Information - Information relating to an individual that reasonably identifies the individual and, if compromised, could cause significant harm to that individual or to Penn. Examples may include, but are not limited to: Social Security numbers, credit card numbers, bank account information, student grades or disciplinary information, salary or employee performance information, donations, patient health information, information Penn has promised to keep confidential, and account passwords or encryption keys used to protect access to Confidential University Data.
Proprietary Information - Data, information or intellectual property in which the University has an exclusive legal interest or ownership right, which, if compromised, could cause significant harm to Penn. Examples may include, but are not limited to, business planning, financial information, trade secret, copyrighted material, and software or comparable material from a third party when the University has agreed to keep such information confidential.
Any other data, the disclosure of which could cause significant harm to Penn or its constituents.
This policy covers server-managed PDAs that access University systems or services. The policy covers both individually-owned and University-owned devices. A handheld used exclusively by a student who has access only to his or her own personal or academic data is exempt.
VIII. Statement of policy
IX. Recommendations and Best Practices
A. Verification: Through its annual program of risk-based audits and compliance assessments, the Office of Audit, Compliance and Privacy will verify that servers providing PDA synchronization service are implementing this policy.
B. Notification: The Office of Audit, Compliance and Privacy will notify server administrators and computing directors of compliance issues.
C. Remedy: Remedy will be the re-configuration of the server or service to push appropriate policies to PDAs it manages. ISC will offer consulting assistance to the operator of the computer, server or service where possible in order to bring the service and PDA into compliance as quickly as possible.
D. Financial Implications: Costs associated with the implementation of this policy are the responsibility of the department, individual, school, and/or center responsible for the server.
E. Responsibility: Responsibility for remedy lies with the department, individual, school, and/or center responsible for the server.
F. Time Frame: Affected servers must be brought into compliance within 6 months of the date this policy is approved. For service commencing after the effective date of this policy, end-user acknowledgement must be obtained prior to delivery of the service. For services already being provided, end-user acknowledgement must be obtained within 6 months of the date this policy is approved.
G. Enforcement: Individuals not adhering to this policy may be subject to sanctions as appropriate under Penn policies.
H. Appeals: Requests for waiver from the requirements of this policy may be submitted to either the Office of Audit, Compliance and Privacy or Information Systems and Computing, Information Security. These requests shall be decided by the Vice President of Information Systems and Computing and the Associate Vice President of Audit, Compliance and Privacy.