[ BEN Financials ]
Section 1. University Security
Section 1. University Security
Security & Access
Section 2. Obtaining Logon IDs
Section 3. Passwords
Section 4. Accessing and Exiting BEN Financials
There are two important areas to consider when thinking of data security. One is protecting data,
especially sensitive data, from compromise. Data is compromised when an unauthorized individual reads or changes it.
The second area is protecting the use of personal IDs. Each BEN Financials record is stamped with
the logon ID of the person who entered or modified the record. If someone other than the user enters or
modifies data using his/her logon ID, the user is held responsible for the changes.
It is the responsibility of all BEN Financials users to be familiar with and follow the advice in the
brochure "Information Security at Penn" available at:
Logon IDs are used to identify the person responsible for entering and changing data in the
BEN Financials system. They are issued by a central authority granting access to a system or
application. BEN Financials Logon IDs are the same as the user's PennKey ID.
Passwords are used to secure logon IDs from use by unauthorized individuals. Passwords
are created by the user. If carefully chosen and protected, the password is the user's best line
of defense for protecting data.
Protecting Sensitive Data from Disclosure
Sensitive or confidential data includes any data which could cause harm, either to the
University or to the subject of the data, if disclosed. Examples include payroll information,
medical information, performance appraisals, social security numbers, student records
(legally protected), etc.
Data can be compromised if a PC or laptop is stolen, diskettes or files are stolen,
someone sits down at an unsecured desktop computer (user logs on and leaves the area),
or someone obtains a password and abuses privileged data. Sensitive data (IDs and passwords)
can be captured while being transmitted over a network from the desktop to a server.
The user can prevent data compromise by securing computers and media - keep offices
locked, use locking file cabinets for storing removable media (disks, tapes, etc.) and use locking
screen savers. Insure file sharing programs are properly installed for the user's computer (Macintosh
file sharing, Microsoft Windows 98, Novell).
Social Security Numbers (SSN) must be treated with confidentiality. Social security numbers
can be used to obtain a variety of personal data. Users can protect SSN confidentiality by:
- Using SSNs only for University purposes
- Always logging off when leaving a terminal unattended
- Shredding lists containing SSN numbers
Protecting Critical Data from Loss
Critical data should be backed up to guard against loss due to equipment failure or loss. Software does not need
to be backed up but the original diskettes should be stored in a safe place. Each user should determine how much
data he/she can afford to lose and then should back up data accordingly. Backups should be kept in a different
location. Use lock down equipment on computer if it is not installed in a locked office.
Note: BEN Financials data is backed up at the system level. This section is included to remind BEN
Financials users that data downloaded to desktop servers, Local Area Networks (LANs), DEC, UNIX or other
mainframes should be safeguarded from loss.
Computer Security Statement
To insure that all computer users are aware of the security policies at the University, the following
statement will be reviewed and acknowledged by all computer users annually.
As an individual whose position requires interaction with any or all of the
University's administrative information systems, I understand that I may be
provided with direct access to confidential and valuable data and/or use of
data/voice systems. In the interest of maintaining the integrity of these systems
and of ensuring the security and proper use of University resources:
I will maintain the confidentiality of my password for all systems to which I have
I will maintain in strictest confidence the data to which I have access. The
Information viewed will not be shared in any manner with others who are
Unauthorized to view such data.
I will use my access to the University's systems for the sole purpose of
Conducting official business of the University. I understand that the use of these
Systems and their data for personal purposes is prohibited.
I understand that any abuse of my access to the University's systems and their
data, any illegal use or copying of software, any misuse of the University's
equipment, may result in disciplinary action, loss of access to the University's
systems, and possible sanctions up to and including dismissal from the University.