Information Security Announcements
The University takes offensive, harassing or threatening e-mails very seriously. If you should receive an electronic communication that you feel is offensive, threatening or harassing please contact your LSP (find your LSP - https://www.sas.upenn.edu/computing/staff/distributed.html) and the Penn Police (215-573-3333).
Contact the University Police to make a report of the incident, so they can track and correlate the activity, even if you choose not to pursue the matter (the source of the communication might be engaging others and a report by you could bolster a case for the police).
Contact your LSP to discuss options for blocking the source of offending e-mails. In many cases offending e-mail can be bounced back to the sender, automatically deleted, or even forwarded to an account monitored by police. Your LSP will be able to discuss available options and coordinate technical details with the mail administrators.
If you would like further guidance feel free to contact SAS Information Security at firstname.lastname@example.org.
What is Secure Share?
Secure Share is a web-based application for secure file exchange available to Penn faculty and staff. Users may upload and download files via Secure Share and the application ensures that files reach only the intended recipients. Files are encrypted when they are uploaded, downloaded, and while being stored, and e-mail notifications are sent to designated recipients when files are available for retrieval. Files are automatically deleted after they are retrieved by a designated recipient; files that are not retrieved within 30 days are deleted from the system. Secure Share should not be used as a document storage mechanism, but rather as a safe alternative to file exchange methods such as e-mail, FTP, and portable devices for sharing documents with sensitive information cross campus.
ISC developed Secure Share in response to the increasing need to securely exchange documents that contain sensitive information. Secure Share is another component of Penn's security strategy, providing a campus-wide mechanism to ensure the safety and privacy of University data. Though there should be a very limited need to exchange sensitive or confidential information electronically, when members of the Penn community are required to do so, Secure Share provides a safe and easy-to-use mechanism.
Who may use Secure Share?
Secure Share is available to all Penn faculty and staff with a valid PennKey and PennKey Password.
Secure Share is currently available at https://medley.isc-seo.upenn.edu/secureShare/jsp/fast.do (or http://tinyurl.com/opabu4) after authentication with a PennKey and PennKey password. We are communicating its availability to the IT community first, with end-user communications to follow.
Benefits of Secure Share
Some of the key benefits of using Secure Share are:
- Reduces the University's exposure to data compromise issues such as identity theft
- Protects confidential data in documents, such as Social Security Numbers, financial information, health information, student grades, etc.
- Available to faculty and staff University-wide; eliminates the need for individual departments or Schools to develop in-house secure file exchange systems
- Helps ensure that those who request confidential data are properly authorized to receive it
- Data protected by encryption when uploaded, downloaded, and while stored on Secure Share
- Secure and easy-to-use application
For more about Secure Share, including information on sending and receiving files, please visit the Secure Share web site at http://www.upenn.edu/computing/security/secure-share/. Questions about Secure Share can be addressed to email@example.com.
--ISC Information Security
As stated in the Drupal configuration pages, "Improper text format configuration is a security risk."
Therefore, on websites hosted by SAS we require that input filters used by content editors meet strict security standards. We do not allow content editors to use full HTML to edit content. We ask our web developers to create an input filter for content editors that allows many commonly used tags without allowing full HTML. We typically call this input filter “Advanced Filtered HTML” or something similar (we find that the “Filtered HTML” filter that is there by default usually does not quite meet the needs of the content editors). This input filter should meet the following criteria:
- The role should be usable only by administrators and content editors, not authenticated or anonymous users
- The following filters should be enabled, in the following order: Limit allowed HTML tags; Convert line breaks into HTML; Convert URLs into links; Correct faulty and chopped off HTML
- Allowed HTML tags: <span> <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd><img><p><blockquote><br/><br><table><thead><th><tbody><tr><td><h2><h3><h4><h5><div>
- The Advanced Filtered HTML text format should be ranked 1st so that it is selected by default.
We prefer that the WYSIWYG editor should be TinyMCE, configured as follows:
- Enabled by default should be checked
- Do not check Allow users to choose default
- Enable/disable rich text toggle link
Buttons and Plugins:
- We prefer a minimalist approach – within a properly set up Drupal environment, the editors should not need to change the basic layout of the page very much. The following should be checked: Bold, numbered list, unlink, italic, block format, bullet list, styles (if supported in the CSS). Expand this list only with discretion. In some cases, paste from Word or clean-up is advisable. If you think your client needs other buttons for special need (for example, superscripts for academic citations) please consult with us.
- Typically toolbars are aligned to the top left, and the path location is at the bottom. The resizing button may be enabled.
Cleanup and output:
- Only Verify HTML and Remove line breaks should be checked. All others should remain unchecked.
- This is at the discretion of the developer and the specific site needs, but again, we recommend a minimalist approach. Typically we find it useful to give users the block formats p, h2, h3, h4, h5, h6, blockquote, div.
We have completed a security review of the jQuery Drop Down module (https://drupal.org/project/jquery_dropdown) version 6.x-1.2 and found no issues. This module has been updated to the new version in our approved modules list at http://www.sas.upenn.edu/computing/drupal-approved-modules.
We have completed a security review of the Menu Trails module (http://drupal.org/project/menutrails) version 6.x-1.1 and found no issues. This module has been updated to the new version in our approved modules list at http://www.sas.upenn.edu/computing/drupal-approved-modules.
We have completed a security review of the Submenu Tree module (http://drupal.org/project/submenutree) version 6.x-1.6 and found no issues. This module has been added to our approved modules list at http://www.sas.upenn.edu/computing/drupal-approved-modules.
"The XML sitemap module creates a sitemap that conforms to the sitemaps.org specification. This helps search engines to more intelligently crawl a website and keep their results up to date. The sitemap created by the module can be automatically submitted to Ask, Google, Bing (formerly Windows Live Search), and Yahoo! search engines. The module also comes with several submodules that can add sitemap links for content, menu items, taxonomy terms, and user profiles." (http://drupal.org/project/xmlsitemap). The XMLSiteMap module version 6.x-1.2 has been approved and added to the list of approved modules accordingly (http://www.sas.upenn.edu/computing/drupal-approved-modules).
"The Node Reference URL Widget module adds a new widget to the Node Reference field type. It auto-populates a node reference field with a value from the URL, and does not allow this value to be changed once set. It can automatically provide a link on the referencing node types, that will contain the proper URL to prepopulate the field." (http://drupal.org/project/nodereference_url). We have reviewed the 6.x-1.11 version of the Nodereference URL module and approved it for use.
The Views Slideshow Dynamic Display Block (http://drupal.org/project/views_slideshow_ddblock) module "enables you to present content in a
dynamic way. For creating slideshow effects it uses the jQuery Cycle plug-in." We have reviewed the latest (2.x) branch of the module and approved it for use. The updated version of the module (6.x-2.0) has been installed on our environment and updates the previously installed 6.x-1.1 version of the module.