Tech Tip: AD95 and AD96: Protecting information is everyone’s responsibility

By: Ryan Johnson

As one of the premier research universities in the country, Penn State has lots of valuable information—information that attackers regularly try to steal. As an employee of the University, part of your job is to protect that information to the best of your ability.

Penn State has two policies that govern information security:

AD95: Information assurance and IT Security

AD96: Acceptable use Policy

All members of the Penn State community, including students, faculty, and staff, must abide by these policies. Let’s look at them a little more in depth.

AD95: Information assurance and IT Security

AD95 discusses the measures you must take to protect information you work with while at Penn State. AD95 classifies information based on the risk it poses to the University. The higher the risk, the more protections must be applied to that information. In other words, the more sensitive the information, the more risk it carries and the more measures must be employed to protect it.

There are four levels of information classification at Penn State: Low, Moderate, High, and Restricted. If your unit processes or stores High or Restricted information, it must have an Authority to Operate (ATO).

To learn more about information classification, please visit:

https://security.psu.edu/awareness/icdt

This page includes an information classification decision tool which will guide you when determining the classification of information you access.

AD-95 Standards

AD-95 includes fourteen (14) corresponding Standards which detail the security measures required for individual data types. These Standards carry the weight of policy. In other words, they must be met in order to be considered compliant with AD-95. The Standards may be found in Section V of AD-95.

Finally, Penn State recognizes that units and individuals at Penn State operate in diverse and complex environments. Exceptions may be made to AD-95 on a case-by-case, per-request basis provided that appropriate protection measures have been applied to the information or project in question.

For more information on exception requests, please visit: Requests for Exception to Information Security Policy

AD96: Acceptable use Policy

AD96 defines how you may and may not use information resources while at Penn State. Part of the acceptable use policy ensures that you will protect:

  • The rights of others’ privacy
  • Intellectual property rights (i.e. as reflected in licenses and copyrights)
  • Ownership of information
  • System mechanisms designed to limit access; and
  • An individual’s right to be free of intimidation, harassment, and retaliation

As part of the acceptable use policy, you agree to:

  • use only the information technology resources that you’re authorized to use (i.e. you will not attempt to gain unauthorized access to information resources)
  • protect your password and not share your account credentials with anyone else, even your family members

These policies also contain security standards for information security, which may help you determine which protections must be in place for specific types of information.

To learn more about Security Awareness, please access the training in LRN and search “Information Security Awareness Training (Office of Information Security)”