Skip to Content

Recommended Best Practices for Use of Sensitive Data With Web Applications

Developers and website administrators incur risk when they collect sensitive data, such as student data, through web forms, and when they use web-based applications to analyze and display this data.

CASIT employs and recommends the following security practices when web forms are used for sensitive data:


  • CASIT strongly recommends that all users of web forms that collect sensitive data or site administrators of sites that work with such data undergo training both in basic online security awareness and in the responsible use of UO sensitive data. We will post information on training opportunities as they become available. In addition to formal training opportunities, CASIT encourages our clients to speak to us about their web forms, data, and best practices.

Risk analysis

Sensitive data authorization

  • Before assisting a client with building a form, CASIT will verify that the requestor has the authority to collect the sensitive data in question. If sensitive data is to be used ‘downstream’ of this collection, it is the requestor’s responsibility to appropriately authorize any data consumers.

Content Management Systems

  • Web forms collecting or referencing sensitive data through content management systems (CMS) are deployed on fully supported and maintained platforms (e.g. Drupal Central Hosting, BAO’s, WordPress) or vendor supplied commercial off-the-shelf software (e.g. Qualtrics)

Custom Development

  • Web applications that collect or reference sensitive data are built and maintained or subcontracted by qualified applications teams that adhere to established best practices for applicable development technologies and hosting platforms.  Such applications are in included in application life-cycle management (ALM) portfolios to ensure that security best practices are adhered to in all development, maintenance and governance processes (e.g. requirements, architecture, coding, testing, maintaining, change/release management, disaster recovery planning).

Web application security

  • For access, use UO-approved single-sign-on (Shibboleth) wherever possible. Web applications which analyze and display sensitive data are maintained using web security best practices. For more information about web security best practices, see

Hosting and system governance

  • Whatever CMS is in use, developers should use an actively and professionally supported instance of the CMS. That is, for Drupal, UO’s Drupal Central Hosting is recommended. For WordPress, Campus Press ( is recommended. Both environments have active governance teams constantly reviewing security-related issues.

Database security

  • Developers use a least-privilege approach, never allowing, for example, off-campus database port openings. Database connection strings stored in code repositories are restricted to the smallest possible group of developers. For Windows servers, database connection strings are stored in an encrypted password tool (e.g. Thycotic) are not stored in code repositories and are encrypted at rest in the server.

Service accounts

  • Service accounts adhere to the least-privilege principle. They should be non-person accounts, with credentials stored in a secure system.

Server security