Information Security

Information security processes are designed to protect confidential, private and sensitive information from unauthorized access or use.

The Boise State web environment has many technical security methodologies in place like firewalls, single sign on (SSO), security certificates, whitelisting of trusted URLs and more.

However, these best practices do not protect us from improperly publishing content or collecting data that could be harmful to individuals or the organization.

Per Boise State’s Information Privacy and Data Security Policy (Policy 8060), all members of the University community share in the responsibility for protecting information resources for which they have access or custody.

Each person who creates, approves, publishes, collects or stores web content and data has a responsibility to handle content and collected data properly.

Site Administration

If you or your department manage multiple WordPress sites, review your sites to evaluate the possibility of combining or simplifying your sites or content. The more sites you have, the more complexity you will face in maintaining content, managing user access and data retention/protection. Fewer sites means less overhead and a more simplified management workflow.

Private Data

Users have a right to expect that their personally identifiable information is protected. To ensure the privacy and security of personal information, keep the following in mind when developing web pages, posts and forms.

• Social Security Numbers (SSNs) can not be collected or disclosed in WordPress pages, posts or Gravity forms.
• Credit card or financial data can not be collected or disclosed in WordPress pages, posts or Gravity forms, as this is a direct violation of credit card Payment Card Industry (PCI) standards.
• Other sensitive or confidential personal information such as health information or information related to personnel issues can not be collected or disclosed in WordPress pages, posts or Gravity forms.
• Use special care when collecting personally identifiable information like name, email address, address and phone number. In general, if you do not need the information, it is better to not ask for it.
• Employee/Student ID is the campus-wide solution for unique identity used by Boise State University. This number should be used as the primary factor of identification when user identity is required. Employee/Student ID can not be published on web pages.
• Only ask for the information you need and let the user know how information will be used on the form.
• The information you collect must be used in accordance with the reason it was collected. Once data has been used in accordance with the reason it was collected it should be deleted.

Sensitive Content

Sensitive or confidential information is content and data that must be protected from unauthorized access to safeguard the privacy or security of an individual or organization. Examples of sensitive content include upcoming announcements that are not yet public, candidate selections, some types of financial information, etc. Most content on the public-facing WordPress sites is not sensitive or confidential.

Sensitive Web Content Workflow

Do not enter sensitive or confidential information in WordPress. Time-sensitive or confidential content should be created outside of WordPress (in a secured Google Doc, for example) and only added to a WordPress page or post once the information is appropriate to be posted publicly.

Draft pages, password-protected pages and private pages are not sufficient methods to keep information confidential. Carefully consider who has access to your WordPress site and do not enter sensitive content that has not yet been made public in WordPress.

Additionally, all published pages on the Boise State WordPress sites are included in sitemaps that are available to search engines. That means that even if you are not linking to a published page yet, the page is still available to be indexed and included in Google search results, for example.

HTTP Security Headers

In accordance with Boise State information technology security standards and policies, the university requests the implementation of HTTP security headers on all university web servers and web sites, including third-party and affiliate websites that convey a relationship with the university.

HTTP Security Header Information

Secure Links With “https://”

Boise State University websites use what is known as TLS (Transport Layer Security) to add encryption protocols to web traffic. You can verify that a site is using TLS if you look in the address bar and the site begins with “https://” with the ‘s’ as opposed to non-secure “http://” sites. Often times, the browser’s address bar also includes a closed lock icon when the site uses TLS, which you can click to inspect the certificate.

TLS provides you and your users with benefits such as:

• Secure data transmission via encryption.
• Data integrity validation
• Potential performance improvements
• Prioritization by search engines.

That ‘s’ may seem innocuous, but for the mentioned reasons it is important that you include “https://” anytime the target site you are linking to is secured with TLS. Doing so benefits the security of all Boise State University web users, and ensures that you are compliant with university web standards.

Additional Information Security Resources

• Office of Institutional Compliance and Ethics
• OIT Information Security Program
• Office of General Counsel
• Boise State University Policies