University Web Developers

Personally Identifiable Information - What are you doing to protect this?

Hello All,
A lot of discussion has been brought regarding the protection of personal information such as SSN, grades, addresses, phone numbers, credit card numbers, etc. Some, if not all, of this data is called Personally Identifiable Information (PII). My question is: what are you, as a web developer in your college, doing to ensure that such data is protected and/or controlled? I am sure many of you have been asked to develop applications that ask for some of this data... what do you do to protect it?

Does your college have someone in charge of this?

Does your college run scans to find such data in its network?

Thanks for your feedback and ideas!

Andres


I am in rather a unique situation being the primary full-time Web professional and also Information Security Coordinator for the campus.

The first general theme is to keep PII as far away from the public Web site as possible. When we have a need to ask for Student ID, we prohibit the use of SSN (one of the few places it won't work). Web server cannot directly query our ERP / Student Information System database (Banner for us). Where information is shared, it gets pushed to the Web server.

Whenever we do write an app that accesses our ERP, we generally do that on a separate server from our public Web site. This server is locked down more tightly, monitored more closely, and is dedicated to that particular use. More often than not, these applications are written as much as possible inside the Web-facing application access for the Student body, faculty, etc.

General application security follows. Scrub data to prevent SQL injection (i.e. mysql_real_escape_string() in PHP), use encryption where PII might be submitted or accessed, make sure you password-protect administrative functions, and make sure those functions always check for authorization.

There is an Apache mod available that would log sensitive information conveyed off your server called mod_security IIRC. It's worth looking into (and regularly monitoring) if you have a server that has access to this information.

We are investigating monitoring all College computers for sensitive information, but are limited now by complexity, staff and financial resource availability. There are some free tools available to scan individual computers, and corporate tools that would report "hits" back to a central repository for action. We're also looking into full-disk encryption on laptops. And we're looking not just at electronic files, but paper ones as well.

And generally speaking the payment card industry's data security standard doesn't encourage you to store CC numbers at all. If I were you, I'd look into reengineering processes to ensure that you don't keep the data around any longer than absolutely necessary to process those kinds of requests...

Cheers,
-Steve

Hi Steve,
Thank you for your comments and ideas. We follow similar procedures when dealing with application development. What does your college do in regards to discovering systems that have PII? Do you have any policies or procedures set in place to manage such found information?

The University of Arizona has a highly comprehensive process for managing such information documented on their web site (http://security.arizona.edu/pi). UA has also made sure to place the responsibility of managing and securing such data on the individual user WITH support and assistance from the IT managers. UA also encourages users to download and use Spider as their main finder tool. Carnegie Mellon University follows a very similar model (http://www.cmu.edu/computing/doc/security/identity/index.html) but uses a different software to find such data (http://www.identityfinder.com/).

Thanks again!

Andres
