Guidelines and Requirements for Developers

PRIVACY AND CONFIDENTIALITY:

Each CalNet Directory attribute has an owner whose permission must be obtained before an application may use that data. The LDAP Attributes chart identifies each owner.

  • Individuals who are granted privileged access (bind) must comply with any usage restrictions relevant to the types of data accessed.
  • In cases where data may not be further distributed or republished the application must display informational instructions to the users.

SECURITY CAUTIONS AND GUIDELINES:

Ensure that application servers are configured very securely, especially if they will be handling confidential or sensitive information. For example:

  • Do not run unnecessary services.
  • Maintain the latest available system software updates.
  • Ensure the machine is in a secure physical location.
  • Limit direct login access to the machine.
  • Register your system with NetReg.

If you are using CAS, ensure that you are in compliance with the CAS Terms of Service.

The use of encryption is encouraged to prevent unauthorized access to restricted data during transmission.
Data output to user workstations may be vulnerable to unauthorized disclosure because, e.g.:

  • Normal web browser access doesn't provide for a way to "log off" an application securely other than closing down the browser completely.
  • Workstations may be left unattended at times.
  • Multiple users may share workstations. 

When developing applications that will display confidential or sensitive information, minimize data access vulnerability at user access interfaces, by using measures such as:

  • Incorporate "time-out" features of appropriate duration.
  • Display warning messages to users regarding sensitive or confidential data.
  • Some information may be so sensitive that even one view of it by an unauthorized party can cause substantial damage. In such cases, consideration should be given to not making the information available via the Web.

GENERAL POLICY COMPLIANCE:

CalNet resources must be developed so as to comply with all applicable laws and policies governing the University of California, Berkeley. For example, the Campus Online Activities Policy clarifies some particular areas, such as:

  • Sponsorship, advertising, or other forms of acknowledgment
  • Relationships with vendors
  • Copyright
  • Accessibility
  • Privacy and confidentiality of information
  • Student information disclosure
  • Identification