There are two important areas to consider when thinking of data security. One is protecting data, especially sensitive data, from compromise. Data is compromised when an unauthorized individual reads or changes it.
The second area is protecting the use of personal IDs. Each BEN Financials record is stamped with the logon ID of the person who entered or modified the record. If someone other than the user enters or modifies data using his/her logon ID, the user is held responsible for the changes.
It is the responsibility of all BEN Financials users to be familiar with and follow the advice in the brochure "Information Security at Penn" available at: Office of Information Security.
Logon IDs are used to identify the person responsible for entering and changing data in the BEN Financials system. They are issued by a central authority granting access to a system or application. BEN Financials Logon IDs are the same as the user's PennKey ID.
Passwords are used to secure logon IDs from use by unauthorized individuals. Passwords are created by the user. If carefully chosen and protected, the password is the user's best line of defense for protecting data.
Protecting Sensitive Data from Disclosure
Sensitive or confidential data includes any data which could cause harm, either to the University or to the subject of the data, if disclosed. Examples include payroll information, medical information, performance appraisals, social security numbers, student records (legally protected), etc.
Data can be compromised if a PC or laptop is stolen, diskettes or files are stolen, someone sits down at an unsecured desktop computer (user logs on and leaves the area), or someone obtains a password and abuses privileged data. Sensitive data (IDs and passwords) can be captured while being transmitted over a network from the desktop to a server.
The user can prevent data compromise by securing computers and media - keep offices locked, use locking file cabinets for storing removable media (disks, tapes, etc.) and use locking screen savers. Insure file sharing programs are properly installed for the user's computer (Macintosh file sharing, Microsoft Windows 98, Novell).
Social Security Numbers (SSN) must be treated with confidentiality. Social security numbers can be used to obtain a variety of personal data. Users can protect SSN confidentiality by:
- Using SSNs only for University purposes
- Always logging off when leaving a terminal unattended
- Shredding lists containing SSN numbers
Protecting Critical Data from Loss
Critical data should be backed up to guard against loss due to equipment failure or loss. Software does not need to be backed up but the original diskettes should be stored in a safe place. Each user should determine how much data he/she can afford to lose and then should back up data accordingly. Backups should be kept in a different location. Use lock down equipment on computer if it is not installed in a locked office.
Note: BEN Financials data is backed up at the system level. This section is included to remind BEN Financials users that data downloaded to desktop servers, Local Area Networks (LANs), DEC, UNIX or other mainframes should be safeguarded from loss.
Computer Security Statement
To insure that all computer users are aware of the security policies at the University, the following statement will be reviewed and acknowledged by all computer users annually.
As an individual whose position requires interaction with any or all of the University's administrative information systems, I understand that I may be provided with direct access to confidential and valuable data and/or use of data/voice systems. In the interest of maintaining the integrity of these systems and of ensuring the security and proper use of University resources:
- I will maintain the confidentiality of my password for all systems to which I have access.
- I will maintain in strictest confidence the data to which I have access. The Information viewed will not be shared in any manner with others who are Unauthorized to view such data.
- I will use my access to the University's systems for the sole purpose of Conducting official business of the University. I understand that the use of these Systems and their data for personal purposes is prohibited.
- I understand that any abuse of my access to the University's systems and their data, any illegal use or copying of software, any misuse of the University's equipment, may result in disciplinary action, loss of access to the University's systems, and possible sanctions up to and including dismissal from the University.