Make Sure Your Site is Secure
It is absolutely essential to confirm that all NYU-related Web sites are operating in a secure manner.
A general rule: Be aware that the main NYU Web server, http://www.nyu.edu/, is a publicly accessible server. You must consider any file stored there to be generally available. As search engine technology has become more sophisticated, there may be no such thing as a “hidden” directory or file. Data files containing sensitive information should NOT be stored on the Webserver.
Perform a Site Review
If you’re being asked to collect sensitive information through your Web site, you must get written approval for doing so from a senior officer in your school or area and also get technical certification from ITS before you implement any application. Contact email@example.com for more information.
Information that may be considered "sensitive": social security numbers, driver's license number (DLN), date of birth (DOB), mother's maiden name, bank account numbers, employee numbers. Review the Data Classification Table to see additional information about data classification at NYU.
NYU is subject to various federal, state and local regulations. Among these are the Federal Educational Rights and Privacy A ct (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act as well as NY State consumer protection regulations. You should also be aware of any NYU policies that impact your site. For these reasons and the general security concerns above, do not collect or store highly sensitive information on your site(s). Where necessary, use the NYU NetID as a unique identifier and consult ITS on proper use of the NetID.
Regularly review all contents of the Web site (s) you maintain. You should remove outdated and irrelevant files and directories (for example, files and directories called “old”), including any backup (.bak) or archive files (.zip, .sit). A production Web server is not an appropriate place for such files. You must also remove any executable files (.exe).
Deactivate any application or form that asks for Student ID or other sensitive personal information. Before reactivating any such application, you must contact firstname.lastname@example.org for approval.
Review the access privileges on all files on your site(s). Ensure that the privileges are set appropriately to protect sensitive files from publication and from indexing by search engines. You can get more information about properly setting UNIX file permissions in our Tutorials section.