Security & Privacy

VPULTS Security and Privacy Guidelines

Responsibilities of VPULTS

We help safeguard the security and privacy of confidential University data. We:

  • Configure, maintain, and manage hardware and software firewalls for infrastructure technology (servers, storage, databases, web applications) to ensure they are protected; configure, manage, and maintain enterprise endpoint management technology (firewalls, anti-virus, malware) for desktops.
  • Configure and manage local certificate services.
  • Configure, manage, and maintain complex policies (via AD, AppLocker, UserLock, KeyServer, and systems) to ensure access is limited to those systems and users requiring them for their respective positions.
  • Evaluate security implications of services provided by third-party vendors; work with OGC, Security and Privacy offices as well as acquisition services to ensure compliance and protection of Penn data.
  • Respond to reports of breaches of information security or privacy, coordinating with Penn’s Privacy Officer.
  • Represent VPUL on University committees related to information security and privacy.
  • Conduct the Security and Privacy Impact Assessment for VPUL. The SPIA process visits each department in the University and helps promote best practices for handling confidential data. SPIA also helps identify security and privacy issues for web sites and services provided by outside contractors.

Automatically-Implemented Policies

  • Simultaneous user login to systems is prohibited.
  • Desktop screensaver is automatically implemented after 15 minutes of inactivity.
  • Enterprise endpoint management (Symantec) implemented on all systems, including desktop firewall, anti-virus, malware, and browser protections.
  • AppLocker: only approved applications are permitted.
  • Data Storage – types and location of files and data to protected and secured centralized infrastructure
  • Databases and applications are protected by location, user, and additional login requirements.
  • Complex passwords are required for all systems. Previously used passwords are not allowed.
  • Remote access via PCOIP is limited to approved staff.
  • Desktop sharing is prohibited.

Responsibilities of VPUL Staff

  • Review and be familiar with Penn’s Computing and Privacy Policies.
  • Do not use e-mail to send sensitive data.
  • Use VPUL individual and group shares and/or Penn+Box to store data. Only sync when needed.
  • Use SecureShare to share highly sensitive data with Penn colleagues.
  • Keep only the information you need. Periodically review and dispose of data in individual and group folders.
  • All mobile devices (including laptops) need to be encrypted.
  • Report lost/stolen mobile devices supported by VPUL. They can be erased.
  • Use strong, complex passwords. Store them using LastPass, a way to securely manage your passwords.
  • Keep antivirus software up to date. Install Symantec on personal devices.

VPUL Departmental Responsibilities

  • Monthly review and reconciliation of active VPUL staff accounts.
  • Monthly review and reconciliation of active access to CMS, Databases, Online Applications.
  • Monthly review of student accounts and access.
  • Monthly review and reset of group e-mail account passwords.
  • Monthly review and reset of group passwords for Adobe Creative Cloud (general department accounts).
  • Monthly review of address books and settings on network printers.
  • Completion of checklist for staff leaving VPUL and/or Penn.

Best Practices

  • Do not save passwords.
  • Do not save data on online forms (by storing it in the browser).
  • Log out of password protected websites when you are done with them.
  • Do not use untrustworthy computers (at public kiosks or Internet cafes) or free wireless access points to access sensitive data.
  • Know what you are clicking:
    • Click only on trusted and safe web links. Make sure HTTPS (SSL) is in the URL.
      • Ex:,,; any address; etc.
    • Refrain from clicking on unusual links found in e-mails or instant messages, even if they are coming from friends or coworkers.
  • Use more secure passwords.
  • Be aware of whether or not your computer has been infected or compromised.

Relevant University Policies

Data Security and Policy Guides

Penn Student Data Security Policies

Penn takes the confidentiality of student data very seriously. Familiarize yourself with the university resources below to ensure that you are handling student data properly.

Additional Security and Privacy Information

What should I know about passwords?

  • Information about passwords can be found here.

Social Engineering

What is social engineering?

Social engineering is the act of manipulating people into doing an action or persuading them into releasing confidential information. There are many forms of social engineering, such as phishing and pretexting.

What is phishing?

Phishing is a technique of illegally obtaining private information. This attack can come in many forms, such as an e-mail or a web form.

  • Examples:
    • You receive an e-mail that looks legitimate. However, the sender asks you to reply with your username and password.
    • A website may look exactly like the real one but it is fake.

What is pretexting?

Pretexting is the act of orchestrating a (false) scenario in order to persuade a targeted victim to release information or perform an action.

  • Example: A malicious hacker is impersonating a professor through the phone. He explains that he needs the records and social security numbers for his students immediately.

Viruses and spyware

How is my computer protected from viruses and malicious hackers?

  • Symantec Endpoint Protection (SEP) antivirus software is used to run real-time scans for any viruses and spyware that are currently running on the computer.
    • An SEP firewall is running on your computer to protect against unwanted traffic from the Internet.
  • Security patches and updates are installed for Microsoft Windows and third-party applications (Adobe Reader, Flash, etc). Releases for most of these patches occur infrequently, but Microsoft generally releases patches once a month.
  • It is important to protect your personal computer as well. Penn also provides employees and students with free access to Symantec Endpoint Protection. You can download it from here (authenticate with your PennKey).
    • This is for personal use only! All VPUL computers already have antivirus software installed.

What are some signs that my computer might be infected with a virus or spyware?

  • Some symptoms include your computer running slow, or the sudden, repeated appearance of pop-up windows. If your computer doesn’t feel like it is running like it normally does, please contact the VPULTS help desk.

Two-Step Authentication

How do I set up Duo Mobile on a new device?

  • Follow the instructions in this PDF if you have purchased a new phone and need to set up Duo Mobile.