Security for Applications with Confidential University Data

The University of Pennsylvania expects Application Owners to know the specific types of data they handle/are responsible for. Application Owners are expected to make security decisions regarding access to and the protection of data under their charge. The following recommendations for Application Owners are applicable to all applications handling Confidential University Data (CUD). All of the recommendations will be considered for future inclusion in official University IT Policy:

1. Ensure that all applications are coded in a secure manner that at a minimum address the vulnerabilities defined in the OWASP Top 10 list. OWASP contains a number of best practices, including input validation, parameterized queries and ensuring the principle of least privilege is in place for access to databases. 
2. Application testing and monitoring:  
   • Regularly assess the security of applications using automated vulnerability scanning and penetration testing. In addition, conduct an IT security audit as needed, such as, prior to initial implementation, after a major code revision, upon publication of a new vulnerability, etc. 
   • Have a defined log monitoring practice to identify unusual or anomalous behavior associated with the application and follow it. 
3. Platform Testing and Monitoring:  
   • Register platforms that house highly sensitive data as a Critical Host. This will result in regular platform vulnerability scanning by ISC Information Security. When notified that an application registry is available, register applications that access or store Confidential University Data (CUD).
   • Have a defined log monitoring practice to identify unusual or anomalous behavior associated with the platform and follow it. Consider using a host intrusion detection system (HIDS) to monitor platforms housing applications with CUD to observe unauthorized or unusual activity. 
4. Establish a repeatable process for responding to external notifications of current/observed attacks. This process should include identifying your organization's Security Liasion and how they will communicate critical information. 
5. Purge unused sensitive data from the application regularly and move old data offline whenever possible. 
6. Consider encryption for sensitive data at rest. 

For applications built by a third party or housed on a third party's system (including ISC), data owners should work with the contracted developers and vendors to ensure that these requirements are met. 

Please contact ISC Information Security at security@isc.upenn.edu or at (215) 898- 2172 for assistance with implementation of these recommendations. 

Resources & Links

1. Confidential University Data (CUD) is defined in the Computer Security Policy, and includes Sensitive Personally (PII), proprietary information, and other data whose disclosure would cause significant harm to Penn or its constituents.

2. Penn Data Access Standards.

3. The OWASP Top 10 list can be found.

   • Also, for a comprehensive list, review the OWASP Development Guide.

4. Penn Critical Host Registration.