Developers and website administrators incur risk when they collect sensitive data, such as student data, through web forms, and when they use web-based applications to analyze and display this data.
CASIT employs and recommends the following security practices when web forms are used for sensitive data:
- CASIT strongly recommends that all users of web forms that collect sensitive data or site administrators of sites that work with such data undergo training both in basic online security awareness and in the responsible use of UO sensitive data. We will post information on training opportunities as they become available. In addition to formal training opportunities, CASIT encourages our clients to speak to us about their web forms, data, and best practices.
- CASIT developers discuss the potential sensitive data implications of every proposed project with project clients. Clients should be familiar with the University Acceptable Use Policy and policies surrounding sensitive data.
Sensitive data authorization
- Before assisting a client with building a form, CASIT will verify that the requestor has the authority to collect the sensitive data in question. If sensitive data is to be used ‘downstream’ of this collection, it is the requestor’s responsibility to appropriately authorize any data consumers.
Content Management Systems
- Web forms collecting or referencing sensitive data through content management systems (CMS) are deployed on fully supported and maintained platforms (e.g. Drupal Central Hosting, BAO’s forms.uoregon.edu, WordPress) or vendor-supplied commercial off-the-shelf software (e.g. Qualtrics, Redcap).
- Web applications that collect or reference sensitive data are built and maintained or subcontracted by qualified applications teams that adhere to established best practices for applicable development technologies and hosting platforms. Such applications are included in application life-cycle management (ALM) portfolios to ensure that security best practices are adhered to in all development, maintenance and governance processes (e.g. requirements, architecture, coding, testing, maintaining, change/release management, disaster recovery planning).
Web application security
- For access, use UO-approved single-sign-on (Shibboleth) wherever possible. Web applications which analyze and display sensitive data are maintained using web security best practices. For more information about web security best practices, see owasp.org.
Hosting and system governance
- Whatever CMS is in use, developers should use an actively and professionally supported instance of the CMS. That is, for Drupal, UO’s Drupal Central Hosting is recommended. For WordPress, Campus Press (blogs.uoregon.edu) is recommended. Both environments have active governance teams constantly reviewing security-related issues.
- Developers use a least-privilege approach, never allowing, for example, off-campus database port openings. Database connection strings stored in code repositories are restricted to the smallest possible group of developers. For Windows servers, database connection strings are stored in an encrypted password tool (e.g. Thycotic), are not stored in code repositories, and are encrypted at rest on the server.
- Service accounts adhere to the least-privilege principle. They should be non-person accounts, with credentials stored in a secure system.
- Systems administrators adhere to the policies on server security listed in “Minimum security procedure for devices with sensitive information” here: https://it.uoregon.edu/system/files/Minimum%20Security%20Procedure%20for%20Devices%20with%20Sensitive%20Information.pdf
Outside attacks on printers are a widespread problem on campus right now.
When UO Information Services’ security team detects a printer in CAS that they suspect is insecurely configured, CASIT is then informed and we immediately take actions to secure the printer. End-users are encouraged to report any unusual printing activity as well. Once secured, CASIT reports these printers to UO Network Services in order to block all such future threats via an edge-of-campus firewall.
CASIT is therefore examining each potentially compromised printer individually to change the security settings so that they are as strict as possible.
Please contact firstname.lastname@example.org with any questions.
Thank you for your patience with this process.
| Provider | CASIT | CASIT Google Apps | Google Apps for Business | SpiderOak | Google Drive | Dropbox | Box.com |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Initial Allocation | 50GB Home, 100GB Dept | 25GB | 25GB | 2GB | 5GB | 2GB | 5GB |
| Data-at-rest in USA | Yes | No | No | Yes | No | No | No |
| Backup | Yes (tape; off-site) | Cloud | Cloud | Cloud | Cloud | Cloud | Cloud |
| Cost for Additional Storage | Just ask | — | $4/month/25GB | $100/year/100GB | $2.50/month/25GB | $100/year/100GB | $10/month/25GB |
| Notes | 100% on campus | Encrypted transmission | Encrypted transmission | 100% encrypted transmission and stored fully encrypted in the USA | — | Encrypted transmission: Dropbox uses Amazon Simple Storage Service for storage | — |
The University of Oregon has not yet created a clear policy on cloud storage but is working on one. Users should proceed with caution – laws regarding data storage have not kept up with current technological offerings.
(Please note that the terms listed below are working definitions.)
FERPA – The Family Educational Rights and Privacy Act of 1974, is a federal law that pertains to the release of and access to educational records. The law applies to all schools that receive funds under an applicable program of the US Department of Education. FERPA applies to personally identifiable information in educational records. This includes items such as the student’s name, names of family members, addresses, personal identifiers such as social security numbers, and personal characteristics or other information that make the student’s identity easily traceable.
HIPAA – The HIPAA Privacy Rule established national standards to guard the privacy of a patient’s protected health information. Protected health information includes:
1) Information created or received by a health care provider or health plan that includes health information or health care payment information plus information that personally identifies the individual patient or plan member.
2) Personal identifiers include: a patient’s name and email, web site and home addresses; identifying numbers (including Social Security, medical records, insurance numbers, biomedical devices, vehicle identifiers and license numbers); full facial photos and other biometric identifiers; and dates (such as birth date, dates of admission and discharge, death).
ITAR – Federal regulations promulgated and enforced by the Department of Commerce, Export Administration Regulations (EAR), and the Department of State, International Traffic in Arms Regulations (ITAR), prohibit the unlicensed export of specific technologies for reasons of national security or protection of trade. If University research involves such specified technologies, the EAR and/or ITAR may require the University to obtain prior approval from State or Commerce before allowing foreign nationals to participate in the research, partnering with a foreign company and/or sharing research—verbally or in writing—with persons who are not United States citizens or permanent resident aliens.
Export control regulations have the potential to harm the quality of University research, undermine publication rights, and prohibit international collaboration if the dissemination of University research is not placed in the public domain and does not qualify for the “fundamental research” exclusion (see below). The consequences of violating these regulations can be quite severe, ranging from loss of research contracts to monetary penalties to jail time for the individual violating these regulations.
Fundamental Research – The export control regulations do not apply to the results of “fundamental research” at universities and other institutions of higher learning. Under the EAR and the ITAR, fundamental research is defined to mean “basic and applied research” in science and engineering at accredited institutions of higher learning in the United States where the resulting information is ordinarily published and shared broadly within the scientific community. Fundamental research is distinguished from research where the results are subject to access or publication restrictions for proprietary, national security or foreign policy reasons.
Data Mining – The computer-assisted process of digging through and analyzing enormous sets of data and then extracting the meaning of the data. Data mining tools predict behaviors and future trends, allowing businesses to make proactive, knowledge-driven decisions. Data mining tools can answer business questions that traditionally were too time consuming to resolve. The tools scour databases for hidden patterns, finding predictive information that lies outside expectations. Consider the implications if every telephone call you make, every credit card purchase you make, every flight you take, every visit to the doctor you make, every warranty card you send in, every employment application you fill out, every school record you have, your credit record and every web page you visit were all collected together. A lot would be known about you.
Encryption – An algorithmic process of encoding data to make it unintelligible except to users with the keys to decode the data.
Sensitive University Data – University Data that includes information that personally identifies individuals and any other data that is identified by law, regulation, policy or practice as confidential or registered confidential. (See Sensitive Data Checklist for specific data included in this category.)
University Data – Items of information that are collected, maintained, and utilized by the University for the purpose of carrying out institutional business subject to or limited by any overriding contractual or statutory regulations. University Data may be stored either electronically or on paper and may be of many forms (including but not limited to: text, graphics, images, sound, or video).
Research data – scholarly work of faculty or students, and intellectual property that do not contain personally-identifiable information or other data protected by law or University policy. The data, records, files or other evidence, irrespective of their content or form (e.g. in print, digital, physical or other forms), that comprise research observations, findings or outcomes, including primary materials and analyzed data.
Last updated: 10/22/2015
The Family Educational Rights and Privacy Act (FERPA) affords students certain rights with respect to their education records. Faculty and staff should keep the following guidelines in mind when dealing with student records. Refer any questions you may have to the Office of the Registrar.
For more specific information, please refer to the University’s guidelines.
Anti-virus programs are very important for computer security, but security starts with you, the user. There are many things you can do in several different areas to ensure the safety of your computer and your data.
General best practices
- Do not give out your login information to anyone via e-mail or the phone.
- Do not write your passwords on sticky notes and leave them lying around.
- Make a password for your computer—and not something like “password1”!
- Use KeePass, which manages all your passwords so you can save them (and avoid entering them all the time) and protects them with a master password.
- Do not leave your office with your computer open and usable. Lock your computer or log off, shut/lock the door or use a computer cable lock, which secures your machine to the desk.
- Avoid keeping strong magnets, liquids or messy food around your computer. Magnets can alter the hard drive, causing data to be unrecoverable, and liquid spills can vary from recoverable to completely ruinous!
- When transporting your computer from one place to another, shut it down first or ensure it is sleeping/hibernating so that the hard drive is not spinning. Jostling a computer with a spinning (active) hard drive can cause errors and data loss.
- Ensure your computer has adequate ventilation—avoid using it in bed on your lap! Overheating can warp the connections in a hard drive and is a major cause of data loss.
- Avoid clicking links which look like gibberish, are sent to you by unknown persons or that seem unusual for the person who sent it.
- Be wary of attachments as they are a popular vehicle for viruses. Look for common file extensions like .docx, .pptx, .pdf, and .jpg. Even so, be careful—some viruses masquerade as images! Avoid .exe or .com files unless you trust that the person intended to send you one of those.
- Set your anti-virus suite to scan incoming emails and downloaded attachments.
- Check the “full headers” of an email message to determine the true source of it (look for the Return-Path field). Be wary of emails where Return-Path and From differ.
- Be wary of emails asking for your login information, especially if they appear to come from some “system administrator” or “IT team” or “security team.” Make sure the email address contains the correct domain (uoregon.edu for example) and check with CASIT if you think it still sounds fishy.
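The Return-Path and sender-domain checks described above can be automated over a message's full headers. This is an added example, not CASIT code; the sample messages and addresses are constructed, and treating a subdomain as matching its parent domain is an assumption made so that ordinary list or bounce addresses do not raise a finding.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ADDR_IN_TEXT = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def _within(dom, parent):
    """True if dom equals parent or is a subdomain of it."""
    return dom == parent or dom.endswith("." + parent)

def check_sender(raw_message, expected_domain=None):
    """Compare Return-Path and From in a raw message; return a list of findings."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_dom, rp_dom = _domain(from_addr), _domain(return_path)
    findings = []
    if not from_dom:
        return ["From header missing or unparseable"]
    if not rp_dom:
        # "<>" is the null sender used on bounces, so there is nothing to compare.
        findings.append("Return-Path missing or empty")
    elif not (_within(from_dom, rp_dom) or _within(rp_dom, from_dom)):
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    # A display name that itself contains an address can hide the real sender.
    shown = ADDR_IN_TEXT.search(display)
    if shown and shown.group(1).lower() != from_dom:
        findings.append(f"display name shows {shown.group(1)} but sender is at {from_dom}")
    if expected_domain and not _within(from_dom, expected_domain.lower()):
        findings.append(f"From domain {from_dom} is not under {expected_domain}")
    return findings

# Constructed sample headers (not real messages).
LEGIT = ("Return-Path: <bounce@lists.uoregon.edu>\n"
         "From: Registrar <registrar@uoregon.edu>\n"
         "Subject: Term dates\n\nbody\n")
MISMATCH = ("Return-Path: <mailer@bulk-sender.example>\n"
            'From: "UO IT Team" <it-help@uoregon.edu>\n'
            "Subject: Verify your account\n\nbody\n")
SPOOFED_NAME = ("Return-Path: <helpdesk@uoregon-login.example>\n"
                'From: "it-help@uoregon.edu" <helpdesk@uoregon-login.example>\n'
                "Subject: Password expiry\n\nbody\n")

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT), ("mismatch", MISMATCH), ("spoofed name", SPOOFED_NAME)]:
        print(name, "->", check_sender(raw, expected_domain="uoregon.edu") or "no findings")
```

Mailing lists and bulk-mail services legitimately send with a Return-Path on a different domain, so a mismatch is a reason to look closer rather than proof of forgery.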
File and Data security
- Make regular backups of important data to an external hard drive, to your department’s or your own server space or even to CD/DVD or a thumb drive. One copy is not enough!
- For highly sensitive information, consider encryption. Encryption makes files unreadable by any but the authorized user. Consult CASIT for help.
- When getting rid of an old computer/hard drive, request that it be securely wiped once you have made sure you have all of your data safely copied to your new computer/hard drive.
- Keep your anti-virus suite up-to-date so it can catch the latest viruses and malware.
- Install an additional on-demand scanner for malware/greyware/spyware. Malwarebytes or Spybot Search & Destroy are both excellent choices. Keep this program up-to-date!
- Run the “immunization” function of Spybot to ensure maximum browser security.
- Keep your operating system (Windows or OSX) up-to-date; Microsoft and Apple both periodically release “patches” which fix flaws in the operating system. You can run updates from these locations:
  - Windows: Start > Control Panel > Windows Update
  - Mac: Apple menu > Software Update
- Make sure the firewall built into your OS is active.
  - Windows: Start > Control Panel > Windows Firewall
  - OSX: Apple menu > System Preferences > Security > Firewall
Web and social networking security
- Use common sense. A trustworthy website will be well-organized, appear official and will help you find information or perform an action.
- When deciding whether to click a link, hover your mouse over the link. Check the bottom bar of the program you are in, or wait for a little box to pop up over the cursor. If the address shown in one of these places differs from the link as it was presented to you, don’t click it!
- Avoid using excessive Facebook applications. Many applications are fronts for viruses or account hijackers.
- Close suspicious windows and pop-up ads by using Alt-F4 rather than the X button.
- Watch out for redirects. If you click on one link and end up on some other page, especially if it looks shady, the page may be dangerous or you may have a browser hijacker.
McAfee is a virus protection software provided free of charge to students, faculty and staff through UO Licensing. If you need McAfee, you can get it from a DuckWare CD or from http://it.uoregon.edu/software/virusscan
Note: If you have a previous version of McAfee installed or already have virus protection software such as Norton Anti-Virus installed, you will need to uninstall it before continuing the installation.
- Once you have the McAfee installation file (uoavinstall.exe) saved to your system, double-click on it to run it.
- Windows may warn you that it might be dangerous to run a program you downloaded off the Internet. You can safely proceed.
- After the McAfee installation window opens, click Next and wait for it to prepare the install.
- When prompted about unchecking update and scanning boxes, click OK.
- When prompted about the McAfee VirusScan Enterprise Setup, click Next.
- On the licensing window, select “Perpetual License” from the upper-left drop down menu, check the “I accept…” button below the license and then hit OK.
- Windows 7 – When prompted, agree to remove Windows Defender.
- On the “Select Setup Type” window, ensure that “Typical” is selected and click Next.
- On the “Select Access Protection Level” select “Standard Protection” and click Next.
- On the “Ready to Install” window, click Install and wait for the installation to complete.
- After the installation process has finished, you will be shown two check boxes. Uncheck them both and hit Finish.
- You may be prompted with a warning about a network driver. Click OK to proceed through the warning.
- When you are prompted with the McAfee AntiSpyware Enterprise Module install window, click Next.
- On the licensing window, select “Perpetual License” from the upper-left drop down menu, check the “I accept…” button below the license and then hit OK.
- After the module installs, a completion window will appear. Hit Finish.
- When prompted about McAfee Update Handling, select “Managed” and wait for the McAfee Agent Setup to complete. When it does, click OK.
- When prompted to update your virus definitions, select “Update Now” and wait for McAfee to update.
- On the “Reporting Usage” window, select “Already Registered”.
- On the “Antivirus Installation Finished” window, save all your open files, close all other open programs and then select “Restart My Computer”.
- When prompted about restarting the computer, click OK.