Data Security Policy

OIT Policy - ITSEC-001

The University has a number of policies regarding the use and protection of sensitive data, including personally identifiable information (PII). These policies include:

  • AD19 – Use of Penn State Identification Number and Social Security Number
  • AD20 – Computer and Network Security
  • AD23 – Use of Institutional Data
  • AD71 – Data Categorization

Per University Policy AD-20, “Appropriate security shall include protection of the privacy of information.”

In order for Penn State Altoona to ensure the security of data on university-owned computers, all university-owned devices are required to have any security software provided by the Office of Information Technology (OIT) installed and running as prescribed. This type of software includes, but is not limited to, Personally Identifiable Information (PII) scanning tools.

Penn State University utilizes Identity Finder to detect Personally Identifiable Information (PII) on client (i.e., desktop and laptop) computers and servers. This software scans for PII and provides the user with tools for data remediation. Further, the software reports into an administrative console (which tracks each machine that checks in, the username associated with the machine, number of hits, remediation steps taken by the user, etc.). The administrative console is managed jointly by Penn State Altoona IT staff and IT staff in the office of Security and Operations Services at University Park.

In order for OIT to ensure compliance with the University policies listed above, all university-owned computers must have Identity Finder installed and running as configured by OIT (this includes regularly scheduled scans and mandated user remediation of all hits). The remediation process is essential to IT security. Each faculty and staff member is responsible for regularly reviewing Identity Finder reports and remediating the results list; IT staff members regularly monitor the administrative console and will contact individuals who have not remediated their data in an effort to ensure that remediation is completed in a timely manner.

Repeated instances of non-compliance with the PII remediation requirement and/or any attempt to alter/remove/circumvent mandated security software will be reported to a faculty or staff member’s (1) direct supervisor, (2) department/division head, (3) Chancellor’s Council member, as well as the campus’s (4) human resources department, and (5) Chancellor, and may result in disciplinary action.