IAS Security Hero

Security Guidelines on Drupal webforms

Dear CMS users,

As part of our Information Security program, here are guidelines for collection of information via webforms on our website.

Information taken from webforms frequently ends up in email. As we know, sending a standard email is not secure; it is analogous to sending a postcard in the mail [1]. As such, we need to be diligent about what we are asking people to give us in webforms.

The National Institute of Standards and Technology (NIST) came up with a list of data that is deemed as Personally Identifiable Information (PII)[2]. These data could be used for malicious purposes, such as opening a credit card account in someone else's name, creating fake credentials like a driver's license, or, stealing someone's identity entirely. We probably all know someone who has been a victim of these types of attacks, so we all know how devastating they are.

In order to protect our users and ourselves, we should not be collecting this type of information via the Drupal webform *. Here is a partial list of examples.

maiden name
mother‘s maiden name
information about children
social security number (SSN)
passport number
driver‘s license number
taxpayer identification number
financial account or credit card number
street address
fingerprints
handwriting
other biometric data (e.g., retina scan, voice signature, facial geometry)
date of birth place of birth race religion height weight medical information
financial information

If you do have this type of information already collected in a webform, please consider deleting the data from the Drupal site once you are done with it. Now would be a good time to look at your webforms and see which ones are no longer needed and remove them as well.

* Of course, I recognize that somtimes we do need some of this information to do our jobs. If you find yourself in this situation, it should first be discussed with Computing so that a safe and reasonable plan of action can be determined.

Please let me know if you have any questions.

Thanks!
Brian

PS. This information is available on the IAS Security website [3].

[1] https://security.ias.edu/node/22
[2] https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-1…
[3] https://security.ias.edu/security-guidelines-drupal-webforms

--
Brian Epstein <bepstein@ias.edu> +1 609-734-8179
Manager, Network and Security Institute for Advanced Study
Key fingerprint = A6F3 9F5A 26C5 5847 79ED C34C C0E5 244A 55CA 2B78