Guide to security and policy for web server and web content management

Overview

Web server administrators, website managers, and web content owners who manage IU-owned IT resources must do so in accordance with applicable IT policy and published guidance to promote the security of these resources. The information here details existing policies and other resources that apply to web servers, web server administrators, and web content owners, and explains them in the context of web server administration.

Hosted content must be managed in a manner commensurate with its value as an information asset and to promote appropriate use of information.

As the use of the cloud and web applications expands, it is important to remember that all existing IT policies also apply to new and emerging technologies.

Who this guide applies to

  • Web server administrators: Those responsible for the operation of an institutional web server, with duties such as patching and installing updates, other than users of Sitehost or the Windows Hosting Environment (WHE)
  • Website managers: Responsible for the content of an institutional website using a tool such as the WCMS to make content changes, or the contact for the group account that the content is hosted under
  • Content owners and/or creators of institutional web content

Consider whether you really need a website

Policy

Applicable information and technology policies

The requirements and recommendations expanded on in this document are pulled from several IU policies and federal laws.

Service owners need to be aware of these policies. Others may also apply depending on the use case: service-, department-, or school-specific policies and procedures may set more rigorous or more specific standards. Schools and/or departments may have additional guidelines and requirements that local UITS support people and content owners should follow, so it is important to know whether these apply to your situation. Likewise, when handling Critical or Restricted data, HIPAA, FERPA, or financial data, it is always helpful to consult the appropriate Data Stewards with any questions about which policies apply to your work group or application.

Web server administrators

These policy requirements for IU web server administrators, outlined in greater detail below, protect the university community by mitigating the risk of malicious attacks, intrusions of privacy, and data breaches. These are divided into categories based on the type of requirement.

Web server administrators must be familiar with IU's information technology policies, and must ensure that their staff are as well.

The Institutional Data Standards (IDS) Checklist provides a more detailed list of steps required for those collecting and storing Critical data and certain types of Restricted data.

Authentication and authorization

Web server administrators should ensure that proper care is taken regarding access to web applications and administrative privileges. To comply, web server administrators must:

  • Determine which individuals should have access to specific accounts and applications, and clearly define the level of access for these individuals. Admins should document which users have these abilities and update any changes. (IT-12, Section 1, Section 2.17)
  • Apply the principle of least access whenever possible. Admin accounts should not be used for day-to-day activities. Admin accounts should not be used by individual users to run systems. (IT-12, Sections 2.17-.18 and 2.20)
  • Where technically possible, disable file sharing or export options for users who do not need this capability. (IT-12, Section 2.4)
  • Use two-factor and IU Login whenever practicable for administrators and privileged users. If not practicable, seek advice from the University Information Security Office (UISO). (IT-12, Sections 2.16-.17 and 2.19)
  • If specific access control needs arise, contact the Data Stewards for feedback and guidance. Remember to update local policies to reflect any changes to procedure. (DM-01)
  • Ensure user roles, groups, and permissions adequately address the classification level of institutional data and the sensitivity level of departmental data involved.

Backups and data retention

Web server administrators should be able to recover application data and components and ensure continuous operations. Backups are essential. Web server administrators must also ensure that their backup data are stored in compliance with IU policies, and that data are retained in accordance with university retention schedules. Web server administrators must:

  • Develop a disaster recovery plan. (IT-28)
  • Regularly create backups of data and ensure that personnel documentation and training information can be located. Store backup data, log data, and personnel records in a central, secure location so they can be located easily in the event of a disaster. (DM-01, Section B; IT-28; ISPP-26)
  • Test disaster plan and backups at least annually. (IT-28)
  • Ensure data retention schedules are followed and data are archived if applicable. (UA-18)

Data protection

When data are collected on a website or hosted in a web application, web server administrators must exercise caution to ensure these data are properly protected. Web server administrators must:

  • Assess the type(s) of data that will be collected and/or stored in the system, as well as the classification levels of the institutional data involved. (DM-01.s, Section 1.a)
  • If a system includes the collection or storage of institutional data, ensure that the infrastructure used meets that classification level. Complete the IDS checklist as appropriate (Critical data or certain types of Restricted data). (DM-01.s, Section 5)
  • If regulated data are involved (such as FERPA, HIPAA, GDPR, GLBA), ensure users have completed appropriate compliance training. (DM-01)
  • If collecting or managing financial data, ensure PCI DSS compliance training is completed and that infrastructure and procedures meet these guidelines. (DM-01, FIN-TRE-VI-110)
  • Contact the University Information Policy Office (UIPO) and the appropriate data stewards when required by policy or when in doubt. (DM-01)
  • If there will be third-party sharing or disclosing of data, ensure proper contracts are signed and cleared. Ensure this agreement is reviewed and updated yearly to remain compliant (DM-02).

UISO strongly recommends that web server administrators communicate the level of institutional data that may be stored on your server when provisioning content owner accounts/directories where possible. Additionally, for departmental data, ensure that you also communicate the level of data sensitivity.

Scans and log monitoring

Web server administrators must keep event logs of various interactions with their web servers, applications, and sites by:

  • Enabling logging and auditing to capture login attempts (with geolocation information when possible), changes to administrative access, unsuccessful file access attempts, and successful file accesses when sensitive information is involved. When sensitive data is involved, modifications and deletions should also be tracked. (IT-12, Section 5)
  • Maintaining logs for a minimum of 30 days and a maximum of 60 days, or as required by external compliance requirements (for example, HIPAA, FERPA).
  • Reviewing logs at least weekly, or as required by compliance requirements, for unusual behavior or activity. (IT-12, Section 2.5.1-4)
  • Running regular vulnerability scans (web application scans and server scans). Ensure that vulnerability scans are run before major changes are made to the application or website and before the migration of one site or application to another environment. Vulnerabilities should be mitigated or corrected within 24 hours for high-risk vulnerabilities, 48 hours for medium-risk vulnerabilities, and 72 hours for low-risk vulnerabilities. (IT-12, Section 2.12.1-4)
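As an added illustration of the weekly log review described above (example code, not part of this guide or any IU tool), the script below tags the event classes the requirements call out, login attempts, unsuccessful file accesses, and successful accesses to files holding sensitive data, and summarises them for a review window. It assumes the common Apache/nginx combined log format; the sample lines, the sensitive path prefixes, and the login endpoints are constructed placeholders.

```python
import re
from collections import Counter
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Hypothetical: prefixes the content owner says hold Restricted or Critical
# data, and the site's login endpoints.
SENSITIVE_PREFIXES = ("/admin/", "/reports/")
LOGIN_PATHS = ("/login", "/wp-login.php")

SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2024:08:01:10 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.5 - - [10/Apr/2024:08:01:12 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.5 - - [10/Apr/2024:08:01:15 +0000] "POST /login HTTP/1.1" 200 1024
198.51.100.7 - - [10/Apr/2024:09:15:00 +0000] "GET /reports/grades.csv HTTP/1.1" 403 0
198.51.100.7 - alice [10/Apr/2024:09:16:00 +0000] "GET /reports/grades.csv HTTP/1.1" 200 8192
"""

def parse(line):
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def classify(rec):
    """Review category for one record, or None for routine traffic."""
    path = rec["path"].split("?", 1)[0]
    if path in LOGIN_PATHS and rec["method"] == "POST":
        return "login_failed" if rec["status"] in (401, 403) else "login_ok"
    if path.startswith(SENSITIVE_PREFIXES):
        if rec["status"] in (401, 403, 404):
            return "sensitive_denied"   # unsuccessful file access
        if rec["status"] == 200:
            return "sensitive_ok"       # successful access to sensitive data
    return None

def review(text, since=None):
    """Counts per category in the window, plus failed logins per source IP."""
    counts, failed_by_ip = Counter(), Counter()
    for line in text.splitlines():
        rec = parse(line)
        if rec is None or (since is not None and rec["ts"] < since):
            continue
        cat = classify(rec)
        if cat:
            counts[cat] += 1
        if cat == "login_failed":
            failed_by_ip[rec["ip"]] += 1
    return counts, failed_by_ip
```

Pass the start of the review period as `since` to limit the summary to the current week; a rising count of failed logins from one source, or any unexpected successful access to a sensitive path, is what the reviewer would escalate.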

Personnel and training

Web server administrators should ensure their teams and the teams they work with have appropriate technical knowledge and training, maintaining training logs and other compliance materials as applicable. Web server administrators must:

  • Create and distribute manuals and tutorials to users which explain proper use of the application and the procedures for protecting application data. (IT-12, Section 1)
  • Ensure users know how to protect data gathered, stored, and distributed by applications and sites. Make sure these users are also aware of the classification and sensitivity level of the data in the application or system. (IT-07; IT-12, Section 1; DM-01.s, Sections 1 and 2)
  • Ensure those involved in management of the app or its data are properly trained. (IT-12, Section 1.2)
  • Ensure training provided to local UITS support people is appropriate and role-specific whenever possible. (IT-12, Section 1.2)
  • Ensure those using the system have had the appropriate background checks. (IT-12)
  • Ensure business associates and third parties are also properly trained to handle the application and, if necessary, data gathered or stored by it. (DM-02)
  • Update training documents at least annually. Review for any changes to university policy or data classifications. (IT-12)
  • Use application notifications and built-in trainings whenever possible to ensure user compliance and proper usage of components. (IT-12, Section 1)
  • Make sure that all records are reviewed yearly and stored properly. Ensure that the length of storage and type of storage for personnel training records meets the standards required under FERPA or HIPAA, if applicable. (DM-01.s)

Privacy

For sites that collect, store, or share data, compliance with privacy policies and regulations is imperative. Web administrators must:

  • If an application can store personally identifiable information, develop a procedure to track, reduce, and protect these data. (DM-01.s, Section 9.H)
  • In cases where personnel or contractors will interact with data, obtain appropriate non-disclosure agreements, privacy, and access agreements. These should be signed by all personnel, contractors, and/or vendors. (DM-02, Section 2)
  • Annually remind personnel and third parties of data protection policies. (ISPP-24, Section 1.4)
  • Remind content owners and site managers to work together to post a readily visible link to a privacy notice on the home page of each site, and on any page that actively solicits user information, that reasonably notifies users regarding how that information will be used, managed, and disclosed. (ISPP-24)
  • For sites targeting, collecting data, or tracking EU data subjects, develop a privacy notice in conjunction with the GDPR working group.

Tracking of personal web activity can, in some situations, be particularly sensitive. System-generated log information may be used for system administration purposes, but may not be disclosed (especially information associated with an individual) except as authorized in Policy IT-07.

Physical and server security and risk

Regarding web applications and websites, web server administrators must be aware of ways to minimize risks by securing all systems appropriately. To address these risks, web server administrators must:

  • Put all servers behind a firewall. (DM-01, section 2.f)
  • Whenever possible, use antivirus software on any system which will be used to access or manage the application. (IT-12, Section 2.13)
  • Protect data at rest, in transit, and in backup storage with encryption whenever possible. (IT-12, Section 2)
  • When appropriate, perform an Annual Risk Assessment. (IT-28)
  • Ensure that physical server controls and room environment controls are sufficient. (DM-01.s, Section 11.B)
  • Have a procedure in place, such as device wiping or destruction of hard drives, for the decommissioning of software. (FIN-PUR-11)
  • Immediately report suspected or actual breaches of information, abnormal systematic unsuccessful attempts to compromise information, or suspected or actual weakness in safeguards to it-incident@iu.edu. (ISPP-26)

Software and hardware

Key to securing IT resources at IU is ensuring that all software and hardware used by web applications and websites is maintained. Web server administrators must:

  • Use the most up-to-date software and operating systems whenever possible. (IT-12, Section 2.3)
  • Remove unnecessary services and software on machines that come into contact with web applications. (IT-12, Section 2.4)
  • Ensure all system updates and manufacturer patches are installed in a timely manner. Stay up to date by following UISO recommended updates and information about vulnerabilities. (IT-12, Section 2.14)
  • Inventory all hardware and software annually or whenever major updates occur. (IT-12, Section 2)

Recommendations

For web server administrators

While the first section of this guide outlines policy requirements that may be applicable, UIPO and UISO also strongly recommend that web server administrators implement the best practices in this section.

Content ownership

Web server administrators should know which users own or maintain sites on their server. This awareness allows administrators to delegate responsibilities effectively, to secure systems properly if an account is compromised or a user retires or leaves the organization, and to maintain the chain of custody for information. Content owners should be part of this process and, in turn, should keep administrators updated on changes to content ownership on a regular basis. Web server administrators should:

  • Generate a list of site contacts with a minimum of two contacts per site and maintain it in a readily available format and location.
  • Update the contact list at least annually.
  • Renew any service agreements for web hosting with content owners at least annually.

Orphaned content/sites

In cases of orphaned sites, where the content/site owners do not respond to web administrator requests or when accurate contact information no longer exists, web administrators should act:

  • The sites of content owners who do not respond to server administrators or review/renew service agreements and contact lists in a timely manner should be archived or otherwise made inaccessible by web server administrators until ownership or disposition can be determined.
  • In cases where a site has become orphaned due to the death or incapacitation of the account holder/site manager, IT-07 outlines the procedure for web server administrators to transfer ownership of the content.

For content owners

Content ownership

While web server administrators should be aware of who owns content on servers they administer, content owners also have a responsibility to communicate and coordinate with web server administrators. Ownership of content/sites can change quickly. UIPO and UISO strongly recommend content owners take the following steps to assist in the continuity of web server administration:

  • Ensure that a current list of content owner contacts is created and maintained in a readily available format and location.
  • Review and update contact lists at least annually or when personnel changes occur.
  • Share an updated list with web server administrators on a regular basis, as roles change, or as requested by web server administrators.
  • Maintain site content as appropriate.
  • Work with server administration to develop and maintain an appropriate site privacy notice as required by policy ISPP-24, and in situations where EU data subjects are involved, in coordination with the GDPR working group.

Orphaned content/sites

In order to maintain a website on IU web infrastructure, a web server administrator should receive certain information from content owners. In cases where continuity of content ownership is not maintained (orphaned sites), web admins may remove access to sites on the web server. Regarding such orphaned sites, content owners should be aware of the process regarding maintenance to ensure their sites do not become orphaned:

  • Site account owners should work with web server administrators to review and renew the applicable web hosting service agreements and site contact lists at least annually as requested. Server administrators may archive sites without current agreements or contact lists, or make them no longer accessible until ownership can be determined.
  • Site owners should work with web server administrators as appropriate when changes are implemented on the back end of the service that may require a review or changes to hosted websites. Failure to do so could result in a site being locked and archived until needed updates are made.
  • In cases where a site has become orphaned due to the death or incapacitation of the account holder/site manager, content owners should notify their web server administrator, who will implement the necessary procedure outlined in IT-07.

Accessibility and UX

IU provides several services to content owners so they can effectively create accessible websites. The Office of Accessibility recommends that all web content meet certain accessibility standards. IU recommends that web content meet the Web Content Accessibility Guidelines (WCAG) at Level A or AA. University websites must be accessible so that students, prospective students, employees, guests, and visitors with disabilities have equivalent access to the information and functionality provided to individuals without disabilities. To ensure that pages meet these standards, IU recommends that:

  • Content owners be aware of accessibility guidelines.
  • Content owners reach out to the Office of Accessibility for guidance, as necessary.
  • Content owners involve their web administration team in discussions about accessibility.
  • Content owners maintain training in accessibility guidelines whenever possible.

All marketing and communications, including print and digital, must follow IU brand guidelines to enable the university community to tell the IU story in a consistent, compelling, and authentic way.

Refer to the policies and IU resources sections below for links to the ADA policy, the marketing and communications policy, and other IU resources.

Resources

IU policies

Other IU resources

Federal, international, and industry policies and standards

This is document bgki in the Knowledge Base.
Last modified on 2024-04-15 15:25:49.