Recommended Best Practices for Use of Sensitive Data With Web Applications
Developers and website administrators incur risk when they collect sensitive data, such as student data, through web forms, and when they use web-based applications to analyze and display this data.
CASIT employs and recommends the following security practices when web forms are used for sensitive data:
- CASIT strongly recommends that all users of web forms that collect sensitive data, and all administrators of sites that work with such data, undergo training both in basic online security awareness and in the responsible use of UO sensitive data. We will post information on training opportunities as they become available. In addition to formal training, CASIT encourages clients to talk to us about their web forms, data, and best practices.
- CASIT developers discuss the potential sensitive data implications of every proposed project with project clients. Clients should be familiar with the University Acceptable Use Policy and policies surrounding sensitive data.
- Before assisting a client with building a form, CASIT will verify that the requestor has the authority to collect the sensitive data in question. If sensitive data is to be used ‘downstream’ of this collection, it is the requestor’s responsibility to appropriately authorize any data consumers.
Content Management Systems
- Web forms that collect or reference sensitive data through a content management system (CMS) are deployed on fully supported and maintained platforms (e.g. Drupal Central Hosting, BAO's forms.uoregon.edu, WordPress) or on vendor-supplied commercial off-the-shelf software (e.g. Qualtrics, REDCap).
- Web applications that collect or reference sensitive data are built and maintained (or subcontracted) by qualified application teams that follow established best practices for the development technologies and hosting platforms in use. Such applications are included in application life-cycle management (ALM) portfolios so that security best practices are followed in all development, maintenance, and governance processes (e.g. requirements, architecture, coding, testing, maintenance, change/release management, disaster recovery planning).
Web application security
- For access control, use UO-approved single sign-on (Shibboleth) wherever possible. Web applications that analyze and display sensitive data are maintained according to web security best practices; for more information, see owasp.org.
Hosting and system governance
- Whatever CMS is in use, developers should use an actively and professionally supported instance of it: for Drupal, UO's Drupal Central Hosting is recommended; for WordPress, Campus Press (blogs.uoregon.edu) is recommended. Both environments have active governance teams that continually review security-related issues.
- Developers use a least-privilege approach: for example, database ports are never opened to off-campus networks. Where a database connection string must live in a code repository, access to that repository is restricted to the smallest possible group of developers. On Windows servers, database connection strings are kept in an encrypted password tool (e.g. Thycotic), are not stored in code repositories, and are encrypted at rest on the server.
- Service accounts adhere to the least-privilege principle. They should be non-person accounts, with credentials stored in a secure system.
- Systems administrators adhere to the policies on server security listed in “Minimum security procedure for devices with sensitive information” here: https://it.uoregon.edu/system/files/Minimum%20Security%20Procedure%20for%20Devices%20with%20Sensitive%20Information.pdf
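The two points above about connection strings and service accounts are easy to state and easy to get wrong in practice. The following is an added example, written for this page and not CASIT or UO code: a small pre-commit style scanner that flags connection strings and passwords committed to source files, a loader that takes the connection string from the environment rather than from the repository, and a check that the account named in that string is not a database superuser. The file contents are constructed for the demonstration; the environment variable name APP_DB_URL, the regular expressions, and the list of superuser names are assumptions, not campus standards.

```python
"""Keep database connection strings out of code repositories and off the server.

Added example (not CASIT or UO code). The sample file contents, the APP_DB_URL
variable name, the patterns and the superuser list are assumptions.
"""
import os
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Two common shapes of a credential in source: URL form
# (postgres://user:password@host/db) and key=value form (Server=...;Password=...).
# Placeholders (${VAR}, %VAR%, {{ var }}) and environment lookups (os.environ,
# getenv) are deliberately not flagged, so the clean pattern passes the check.
_PATTERNS = {
    "url_with_password": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mssql|mongodb(?:\+srv)?)://"
        r"[^\s:/@]+:(?!\$\{)[^\s@]+@", re.I),
    "keyvalue_password": re.compile(
        r"\b(?:password|pwd)\s*=\s*[\"']?(?!\$|%|\{|os\.|getenv\b)"
        r"[^;\s'\"()\[\]{}]+", re.I),
}

# Accounts that should never appear in an application connection string
# (assumed list; extend it for the platforms you actually run).
SUPERUSER_NAMES = {"root", "sa", "postgres", "admin", "administrator"}


def scan_text(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, pattern_name) for every line carrying a credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in _PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name))
                break  # one finding per line is enough to block the commit
    return findings


def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Scan a mapping of path -> content; only files with findings are returned."""
    report = {}
    for path, content in files.items():
        hits = scan_text(content)
        if hits:
            report[path] = hits
    return report


def load_connection_string(env_var: str = "APP_DB_URL", environ=None) -> str:
    """Read the connection string from the environment; never fall back to a literal."""
    env = os.environ if environ is None else environ
    value = env.get(env_var, "").strip()
    if not value:
        raise RuntimeError(f"{env_var} is not set; refusing to use a hard-coded value")
    return value


def check_service_account(url: str) -> List[str]:
    """Least-privilege checks on the account embedded in a URL-form connection string."""
    issues = []
    user = (urlparse(url).username or "").lower()
    if not user:
        issues.append("no user in connection string")
    elif user in SUPERUSER_NAMES:
        issues.append(f"service account '{user}' is a database superuser")
    return issues


# Constructed sample repository contents for the demonstration.
SAMPLE_FILES = {
    "settings.py": 'DATABASE_URL = "postgres://app_user:Hunter2!@db.example.edu/app"\n',
    "web.config": '<add name="Main" connectionString="Server=sql01;Database=app;'
                  'User Id=svc_app;Password=P@ssw0rd;" />\n',
    "settings_clean.py": 'import os\nDATABASE_URL = os.environ["APP_DB_URL"]\n',
    "docker-compose.yml": 'environment:\n'
                          '  - DATABASE_URL=postgres://app_user:${DB_PASSWORD}@db/app\n',
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for lineno, name in hits:
            print(f"{path}:{lineno}: {name}")
    env = {"APP_DB_URL": "postgres://postgres:x@db.example.edu/app"}
    print(check_service_account(load_connection_string(environ=env)))
```

Run as a pre-commit hook, scan_files reports settings.py and web.config and stays silent on the two files that read the secret from the environment; the superuser check catches the other frequent shortcut, pointing a web application at the database owner account instead of a dedicated, non-person service account with only the grants it needs.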