Penn Computing
Thursday, April 24, 2014
Security Best Practices for Applications with Confidential University Data [1]

Application Owners are expected to know the specific types of data for which they are responsible and to make security decisions regarding access to and protection of the data under their charge [2]. The following recommendations for Application Owners apply to all applications that handle Confidential University Data. All of the recommendations will be considered for future inclusion in official University IT Policy:

  1. Ensure that all applications are coded in a secure manner that, at a minimum, addresses the vulnerabilities defined in the OWASP Top 10 list [3] (or recognized equivalent secure development guidance).
    • The OWASP guidance covers a number of best practices, including input validation, parameterized queries for all database access, and applying the principle of least privilege to the database accounts an application uses.

  2. Application testing and monitoring:
    • Regularly assess the security of applications using automated vulnerability scanning, penetration testing, and/or an IT security audit at appropriate points (for example, prior to initial deployment, after a major code revision, or upon publication of a new vulnerability affecting a component the application uses).
    • Have a defined log monitoring practice for identifying unusual or anomalous behavior associated with the application (for example, bursts of failed logins or unusually large volumes of record access), and follow it.

  3. Platform Testing and Monitoring:
    • Register platforms that house highly sensitive data as a Critical Host [4]. This will result in regular platform vulnerability scanning by ISC Information Security. When notified that an application registry is available, register applications that access or store Confidential University Data.
    • Have a defined log monitoring practice for identifying unusual or anomalous behavior associated with the platform, and follow it.
      • Consider using a host intrusion detection system (HIDS) on platforms housing applications with Confidential University Data to detect unauthorized or unusual activity.

  4. Establish a repeatable process for responding to external notifications of current or observed attacks. This should include identifying your organization's Security Liaison and agreeing on how they will communicate critical information to you.
  5. Purge sensitive data that is no longer needed from the application regularly, and move old data offline whenever possible.
  6. Consider encryption for sensitive data at rest.

Note: For applications built by a third party or housed on a third party's system (including ISC), data owners should work with the contracted developers and vendors to ensure that these requirements are met.
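The following is an added example illustrating the three practices named under recommendation 1 (input validation, parameterized queries, and least-privilege database access); it is not code from this page or from ISC. It uses only the Python standard library, and the `students` table, its rows and the sort-column allow-list are constructed for the demonstration. The read-only authorizer stands in for what a real deployment would do with a database account granted SELECT only.

```python
"""Injection-prone query beside its parameterized form, plus allow-list
validation for an identifier and a SELECT-only database handle.

Added example (not Penn/ISC code). Table, rows and allow-list are constructed.
"""
import sqlite3

# Constructed sample data standing in for an application that stores
# Confidential University Data.
_ROWS = [
    ("alice", "Alice Example", "100-00-0001"),
    ("bob", "Bob Example", "100-00-0002"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (username TEXT, full_name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?, ?)", _ROWS)
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """VULNERABLE: untrusted input is spliced into the SQL text, so the
    value "x' OR '1'='1" changes the query's logic and returns every row."""
    sql = f"SELECT full_name FROM students WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """HARDENED: the value travels as a bound parameter and is never parsed
    as SQL, so the same payload simply matches no username."""
    sql = "SELECT full_name FROM students WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Identifiers (column names) cannot be bound as parameters, so the only safe
# way to let a caller choose a sort column is a fixed allow-list.
ALLOWED_SORT_COLUMNS = {"username", "full_name"}


def list_sorted(conn: sqlite3.Connection, sort_by: str) -> list:
    """Return usernames ordered by a caller-chosen column, validated first."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    sql = f"SELECT username FROM students ORDER BY {sort_by}"  # validated above
    return [row[0] for row in conn.execute(sql)]


def make_read_only(conn: sqlite3.Connection) -> sqlite3.Connection:
    """Least privilege on the handle: deny every write-class operation.

    This mirrors giving the application a database role with SELECT only;
    a successful injection through such a handle can read but not alter data.
    """
    denied = {
        sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE,
        sqlite3.SQLITE_CREATE_TABLE, sqlite3.SQLITE_DROP_TABLE,
    }

    def authorizer(action, arg1, arg2, dbname, source):
        return sqlite3.SQLITE_DENY if action in denied else sqlite3.SQLITE_OK

    conn.set_authorizer(authorizer)
    return conn


def write_blocked(conn: sqlite3.Connection) -> bool:
    """Return True if the handle refuses a DELETE (i.e. least privilege holds)."""
    try:
        conn.execute("DELETE FROM students")
    except sqlite3.DatabaseError:  # SQLite reports "not authorized"
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("unsafe:", lookup_unsafe(db, "x' OR '1'='1"))   # leaks every row
    print("safe:  ", lookup_safe(db, "x' OR '1'='1"))     # []
    print("sorted:", list_sorted(db, "username"))
    print("write blocked on read-only handle:", write_blocked(make_read_only(db)))
```

The two `lookup_*` functions differ by one line, which is the whole point: the fix is not escaping quotes but keeping data out of the SQL text. The allow-list shows the one place where interpolation is unavoidable and how to make it safe anyway.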
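As an added example for the log monitoring practice called for in recommendations 2 and 3 (not code from this page or from ISC), the block below runs two simple detection rules over constructed application log lines: a burst of failed logins from one source address, and one account reading an unusual number of confidential records in a short period. The log format (`timestamp user ip event detail`), the thresholds and the sample lines are all assumptions made for the demonstration; a real deployment would tune them to the application's baseline.

```python
"""Two log-monitoring rules run over constructed application log lines.

Added example (not Penn/ISC code). Log format, thresholds and the sample
entries are constructed for the demonstration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, format: "<ISO timestamp> <user|-> <ip> <EVENT> [detail]".
SAMPLE_LOG = """\
2013-02-12T09:00:01 - 198.51.100.7 LOGIN_FAIL user=jdoe
2013-02-12T09:00:03 - 198.51.100.7 LOGIN_FAIL user=asmith
2013-02-12T09:00:05 - 198.51.100.7 LOGIN_FAIL user=bwong
2013-02-12T09:00:06 - 198.51.100.7 LOGIN_FAIL user=ckim
2013-02-12T09:00:08 - 198.51.100.7 LOGIN_FAIL user=dlee
2013-02-12T09:05:00 asmith 10.0.0.12 LOGIN_OK
2013-02-12T09:06:00 asmith 10.0.0.12 VIEW_RECORD id=1001
2013-02-12T09:06:10 asmith 10.0.0.12 VIEW_RECORD id=1002
2013-02-12T09:06:20 asmith 10.0.0.12 VIEW_RECORD id=1003
2013-02-12T09:10:00 bwong 10.0.0.40 LOGIN_OK
2013-02-12T09:11:00 bwong 10.0.0.40 VIEW_RECORD id=2001
"""


def parse_line(line: str):
    """Split one log line into (timestamp, user, ip, event)."""
    ts, user, ip, event, *_detail = line.split(" ", 4)
    return datetime.fromisoformat(ts), user, ip, event


def detect(log_text: str, fail_threshold: int = 5, fail_window: int = 60,
           bulk_threshold: int = 3, bulk_window: int = 300) -> list:
    """Return alerts as (rule, subject, timestamp) tuples, in log order.

    Each rule keeps a per-subject sliding window of event times; when the
    window fills past its threshold an alert fires once and the window is
    cleared so one incident does not produce an alert per line.
    """
    alerts = []
    fails = defaultdict(deque)   # source ip -> timestamps of LOGIN_FAIL
    views = defaultdict(deque)   # user -> timestamps of VIEW_RECORD

    def window_full(q: deque, now: datetime, seconds: int, threshold: int) -> bool:
        q.append(now)
        while now - q[0] > timedelta(seconds=seconds):
            q.popleft()
        if len(q) >= threshold:
            q.clear()
            return True
        return False

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, event = parse_line(line)
        if event == "LOGIN_FAIL" and window_full(fails[ip], ts, fail_window, fail_threshold):
            alerts.append(("failed-login-burst", ip, ts))
        elif event == "VIEW_RECORD" and window_full(views[user], ts, bulk_window, bulk_threshold):
            alerts.append(("bulk-record-access", user, ts))
    return alerts


if __name__ == "__main__":
    for rule, subject, when in detect(SAMPLE_LOG):
        print(f"{when.isoformat()} {rule}: {subject}")
```

The sample log produces exactly two alerts: the failed-login burst from 198.51.100.7 and asmith's three record reads within five minutes; bwong's single read stays below threshold. The same sliding-window shape works for platform logs (for example, repeated SSH failures or privilege-escalation events from a HIDS), which is why the page asks for the practice at both the application and platform layers.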

Please contact ISC Information Security (security@isc.upenn.edu or 215-898-2172) for assistance with the implementation of these recommendations.

[1] Confidential University Data is defined in the Computer Security Policy, and includes Sensitive Personally Identifiable Information, Proprietary Information, and other data whose disclosure would cause significant harm to Penn or its constituents:
http://www.net.isc.upenn.edu/policy/approved/20100308-computersecurity.html

[2] Penn Data Access Standards:
http://www.upenn.edu/oacp/privacy/policiesguidance/data-access-standards.html

[3] The OWASP Top 10 list can be found here:
https://www.owasp.org/index.php/Top_10_2010

Also, for a more comprehensive list, please see the OWASP Development Guide:
https://www.owasp.org/index.php/Category:OWASP_Guide_Project

[4] Penn Critical Host Registration:
http://www.upenn.edu/computing/security/crithost/index.php

Last updated: Tuesday, February 12, 2013

Information Systems and Computing
University of Pennsylvania