ARCHIVED: Webserve account agreement

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.
Note:

Due to the evolving coronavirus situation, the retirement of Webserve was delayed until April 16 to allow classes that reference sites on Webserve to continue with minimal disruption.

All remaining Webserve sites were disabled beginning April 16, along with login access to webserve.iu.edu. If you have websites that still need to be moved to IU Sitehosting, you should migrate immediately.

Webserve comprises a web hosting service and several subservices. To be entrusted with a Webserve service account, users of the Indiana University computing networks must accept certain responsibilities and agree to use their accounts in accordance with certain standards.

To request any service account, you must have agreed to the terms of the IU Acceptable Use Agreement. The Webserve agreement supplements the Institutional Data Acceptable Use Agreement by addressing the unique aspects of the Webserve service.

Information governance explained

The roles for Webserve data and information are as follows:

  • Webserve service account owner: These are faculty and staff members who have been assigned a Webserve service account as a result of a request for a new account, or have accepted the transfer of an existing Webserve service account to them. The Webserve service account owner is responsible for ensuring all policies and laws listed in the Institutional Data Acceptable Use Agreement are followed.
  • Webserve service account user: These are faculty and staff members who have been granted access to Webserve service account resources by the Webserve service account owner. The Webserve service account users are also responsible for ensuring all policies and laws listed in the Institutional Data Acceptable Use Agreement are followed.

Information classification explained

Only Public and University-internal data are suitable to be stored in a Webserve service account file system or database. Restricted and Critical data cannot be stored in a Webserve service account file system or database. For definitions of Public, University-internal, Restricted, and Critical data, see Classification levels of institutional data. In addition, federally and state protected data, human subjects research data, and passwords cannot be stored in a Webserve service account file system or database. For more about data classifications, see About sensitive data at IU.

Usage responsibilities

The following points detail your responsibilities as you access, use, or handle information or information technology (IT) at IU.

Secure usage

You agree to:

  • Secure the Webserve service account. Limit distribution of passwords to only the users who require access. Change the password whenever anyone who knows the password leaves. When possible, use the Siteshare subservice to grant access to the service account file space to service account users.
  • Before giving a user the password, ensure the user agrees to the terms of the "Institutional Data Acceptable Use Agreement" and this document.
  • Ensure file and database permissions are secure. No directory should be world-writable. No database login should have permissions greater than absolutely necessary.
  • Request a web application security scan prior to adding any software in the account and rescan after any change.
    • Software refers to files containing Perl, PHP, or JavaScript.
    • Scan in the Webserve test environment to avoid adversely impacting your application and Webserve users.
    • For related information and to request a scan, see Vulnerability Scanners.
  • Ensure file uploads only occur in directories without execute permissions.
  • Use secure programming practices, such as ensuring web requests are checked for threats such as SQL injection and cross-site scripting before being processed, and ensuring forms are protected from bot posting.

Sanctions

Failure to comply with these standards will be dealt with seriously, and may result in service account lockout, that is, the removal of web and account owner access. Minor violations will be reported to the service account owner so they can address the problem. More serious violations, or failure to address minor violations, will result in account lockout. Restoring access in the event of a lockout will be addressed on a case-by-case basis depending on the violation.

The Web Services Support team, WebTech team, UISO, and UIPO reserve the right to access the service account file space and database for troubleshooting purposes. The service account owner will be informed of any changes made. Although most violations will be addressed by permission changes, other changes could be made if warranted.

Assent

To be entrusted with access to Indiana University data and information, and access to IT accounts, systems, and applications, new or continuing faculty or staff employees must accept these responsibilities and standards of acceptable use. By accepting these terms, you agree to follow these rules in all of your interactions.

If you choose not to accept these standards of behavior, you may be denied access to the Webserve service and any of its subservices.

This is document bfid in the Knowledge Base.
Last modified on 2021-09-08 10:21:49.