University Web Developers

Personally Identifiable Information - What are you doing to protect this?

Hello All,
A lot of discussion has been brought up regarding the protection of personal information such as SSN, grades, addresses, phone numbers, credit card numbers, etc. Some, if not all, of this data is called Personally Identifiable Information (PII). My question is: what are you, as a web developer in your college, doing to ensure that such data is protected and/or controlled? I am sure many of you have been asked to develop applications that ask for some of this data... what do you do to protect it?

Does your college have someone in charge of this?

Does your college run scans to find such data in its network?

Thanks for your feedback and ideas!

Andres


Replies to This Discussion

I am in rather a unique situation being the primary full-time Web professional and also Information Security Coordinator for the campus.

The first general theme is to keep PII as far away from the public Web site as possible. When we have a need to ask for Student ID, we prohibit the use of SSN (one of the few places it won't work). Web server cannot directly query our ERP / Student Information System database (Banner for us). Where information is shared, it gets pushed to the Web server.

Whenever we do write an app that accesses our ERP, we generally do that on a separate server from our public Web site. This server is locked down more tightly, monitored more closely, and is dedicated to that particular use. More often than not, these applications are written as much as possible inside the Web-facing application access for the Student body, faculty, etc.

General application security follows. Scrub data to prevent SQL injection (i.e. mysql_real_escape_string() in PHP), use encryption where PII might be submitted or accessed, make sure you password-protect administrative functions, and make sure those functions always check for authorization.

There is an Apache mod available that would log sensitive information conveyed off your server called mod_security IIRC. It's worth looking into (and regularly monitoring) if you have a server that has access to this information.

We are investigating monitoring all College computers for sensitive information, but are limited now by complexity, staff and financial resource availability. There are some free tools available to scan individual computers, and corporate tools that would report "hits" back to a central repository for action. We're also looking into full-disk encryption on laptops. And we're looking not just at electronic files, but paper ones as well.

And generally speaking the payment card industry's data security standard doesn't encourage you to store CC numbers at all. If I were you, I'd look into reengineering processes to ensure that you don't keep the data around any longer than absolutely necessary to process those kinds of requests...

Cheers,
-Steve

Hi Steve,
Thank you for your comments and ideas. We follow similar procedures when dealing with application development. What does your college do in regards to discovering systems that have PII? Do you have any policies or procedures set in place to manage such found information?

The University of Arizona has a highly comprehensive process for managing such information documented on their web site (http://security.arizona.edu/pi). UA has also made sure to place the responsibility of managing and securing such data on the individual user WITH support and assistance from the IT managers. UA also encourages users to download and use Spider as their main finder tool. Carnegie Mellon University follows a very similar model (http://www.cmu.edu/computing/doc/security/identity/index.html) but uses a different software to find such data (http://www.identityfinder.com/).

Thanks again!

Andres
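
Added example, not part of the original thread and not code from Spider or Identity Finder: a minimal sketch of the kind of check a PII finder runs over file contents, matching SSN-shaped and card-shaped strings and then filtering false positives with SSN range rules and the Luhn checksum. All function names and the sample data are constructed for illustration.

```python
import re

# SSN shape ddd-dd-dddd; invalid ranges are filtered in valid_ssn().
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def valid_ssn(area, group, serial):
    """Reject ranges the SSA never issues (cuts false positives)."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits):
    """Keep only the last four digits so the report holds no PII."""
    return "*" * (len(digits) - 4) + digits[-4:]

def scan_text(text):
    """Return (kind, line_number, masked_value) for each likely hit."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            if valid_ssn(*m.groups()):
                hits.append(("ssn", n, mask("".join(m.groups()))))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                hits.append(("card", n, mask(digits)))
    return hits

# Constructed sample data (test values, not real records).
SAMPLE = """name,student_id,notes
Jane Roe,A00123456,ssn 123-45-6789 on file
John Doe,A00987654,paid with 4111 1111 1111 1111
Room 000-12-3456, order 1234567890123456
"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE):
        print(hit)
```

The last sample line shows why the validation steps matter: both values have the right shape but are rejected, which keeps the hit list short enough for someone to act on.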
