Compliant Data Storage
The Office of Information Security Compliance team helps students, faculty, and staff understand their roles and responsibilities under Penn State and legal requirements. They can also help units and individuals understand how to implement Penn State policies, guidelines, and standards, and determine the risk associated with information described in Policy AD95 Information Assurance and IT Security.
AD95 establishes an institution-wide security program designed to ensure the confidentiality, integrity, and availability of Penn State's information assets from unauthorized access, loss, alteration, or damage while supporting the open, information-sharing needs of academic culture. Penn State uses a 4-level sensitive information classification system that dictates how data at each level may be processed and stored.
If any Penn State department or unit reasonably suspects/believes a security incident has occurred, they must immediately notify their local IT staff and the Office of Information Security.
If you are unsure which security level applies to your data, Penn State's Office of Information Security offers an Information Classification tool. Additionally, the OIS Compliance team exists to assist researchers in implementing compliant data storage and transfer. Please contact the OIS team directly via e-mail.
To read more about data storage security, please see the full entry on Policy AD95 Information Assurance and IT Security.
University Standard practices for implementing compliant data storage are listed below:
- Access, Authentication, and Authorization Management
- Disaster Recovery Planning for Information Systems and Services
- Electronic Data Disposal and Media Sanitization
- Information Assurance and IT Security Awareness, Training, and Education
- Information Security Risk Management
- Network Security
- Physical Security
- Requests for Exception to Information Security Policy
- Secure Coding and Application Security
- Security of Enterprise Application Integration
- Security Log Collection, Analysis, and Retention
- Third Party Vendor Security and Compliance
- Vulnerability Management
All University faculty, staff, students, and units when acting on behalf of the University, and others granted use of University information are expected to:
- Follow the University’s AD96 Penn State Acceptable Use of University Information Resources
- Understand this Information Assurance and IT Security Policy
- Be aware of the type of information they store, transmit, process, or otherwise handle and ensure that appropriate action is taken to protect the information in accordance with Penn State Policies and Guidelines
This service is part of the Research Data category.
- This is an active service
- Compliant Data Storage guidelines apply to all faculty, staff, students, workforce members, visitors to the University, and all units and other persons who are acting on, for, or on behalf of the University
- Additionally, these guidelines apply to third-party vendors who collect, process, share, transmit, or maintain Penn State institutional data (regardless of hosting location), and all devices that access or maintain this data
- This policy excludes Penn State Health and The Pennsylvania College of Technology, which will follow separate policies
- Exceptions to, or exemptions from, any provision of the AD96 policy or supplemental IT Guidelines and Standards must be approved by the Office of Information Security in accordance with the Requests for Exception to Information Security Policy Standard
- Any questions about the contents of this policy or supplemental IT Guidelines and Standards should be referred directly to the Chief Information Security Officer and the Office of Information Security (by e-mail), who have the responsibility to interpret the Security Standards
- For questions, additional details, or to request a change to this Policy, please contact the Office of Information Security directly by e-mail