The Security and Privacy Impact Assessment (SPIA) is a University-wide initiative to identify and protect personal and confidential information across the University. It is jointly sponsored by the Office of Audit Compliance and Privacy and Information Systems and Computing. In the School of Arts and Sciences, the SPIA effort is managed by SAS Computing. Our goal is to help protect critical SAS data and ensure policy compliance.
Purpose
The SPIA process is designed to identify key areas of vulnerability in information resources at SAS. These areas include exposure of sensitive information, business continuity processes such as backups, deficiencies in physical security, and other similar concerns. SPIA is merely a reporting process, however, and does not involve blame, or solutions. The purpose of SPIA is to develop as complete a picture as possible of our data, process, and information landscape. Once this has been developed, SAS as a whole can identify problem areas and propose solutions in an effort to best maximize and direct resources toward the areas that most need attention. For this reason, everyone should be as free and forthcoming about their unique organizational situation and challenges so that SPIA can best identify the ways in which the School can serve your needs.
About the SPIA Process
In SAS, SPIA assessments are typically conducted by LSPs who support a particular department, group, or program. The LSP will set up interviews with one or more people in the department to talk about the way the department gets its work done. The LSP is likely to ask about work processes, data flow, physical security, and any substantial changes that have occurred since the last SPIA assessment, such as a new research program added or new business processes. We also continue to be on the lookout for old data that includes personally-identifiable information, but which doesn’t need to be kept around anymore.
Because the information security landscape is constantly changing, and because our goal is to continually improve our information security stance, SPIA assessments are conducted annually.
You can expect to be informed of an upcoming SPIA evaluation by your LSP. If you have further questions, you can check out the University-wide SPIA web page or contact Christine Brisson (brisson@sas.upenn.edu) in the SAS Information Security and Unix Services (ISUS) group.