OIT Policy - ITSEC-001
The University has a number of policies regarding the use and protection of sensitive data, including personally identifiable information (PII). These policies include:
- ADG08 – Collection, Storage and Authorized Use of Social Security Numbers and Penn State Identification Numbers
- AD95 – Information Assurance and IT Security
- AD96 – Acceptable Use of University Information Resources
Per University Policy AD95: “All faculty, staff, students, and units have an obligation to protect institutional data in accordance with this policy and its supplemental Guidelines and Standards, which take into consideration the University's mission, as well as the level of sensitivity and criticality of the information.”
In order for Penn State Altoona to ensure the security of data on university-owned computers, all university-owned devices are required to have installed and running as prescribed any security software provided by the Office of Information Technology (OIT). This type of software includes, but is not limited to, Personally Identifiable Information (PII) scanning tools.
Penn State University utilizes Spirion to detect Personally Identifiable Information (PII) on client (i.e., desktop and laptop) computers and servers. This software scans for PII and provides the user with tools for data remediation. Further, the software reports into an administrative console (which tracks each machine that checks in, the username associated with the machine, number of hits, remediation steps taken by the user, etc.). The administrative console is managed jointly by Penn State Altoona IT staff and staff in the Office of Information Security at University Park.
In order for OIT to ensure compliance with the University policies listed above, all university-owned computers must have Spirion installed and running as configured by OIT (this includes regularly scheduled scans and mandated user remediation of all hits). The remediation process is essential to IT security. Each faculty and staff member is responsible for regularly reviewing Spirion reports and remediating the results list; IT staff members regularly monitor the administrative console and will contact individuals who have not remediated their data in an effort to ensure that remediation is completed in a timely manner.
Repeated instances of non-compliance with the PII remediation requirement and/or any attempt to alter/remove/circumvent mandated security software will be reported to a faculty or staff member’s (1) direct supervisor, (2) department/division head, (3) Chancellor’s Council member, as well as the campus’s (4) human resources department, and (5) Chancellor, and may result in disciplinary action.
Last updated: January 9, 2018