Security

UNH websites and web applications must be secure. This means that the tools and practices used to create and maintain them must ensure the appropriate confidentiality, integrity, and availability of the data and services they provide.

Security guidelines

Standards for security of UNH websites and web applications are set by the Information Security Committee and monitored by Enterprise Cybersecurity Services.

Website platforms and web applications may be developed in-house or acquired by UNH from a third party, either via a university-approved commercial licensing agreement or by using an open-source solution. Any third-party solution, regardless of licensing structure and including open-source, must be vetted by Cybersecurity Services to determine if a Security Assessment Review (SAR) is required. Any solution determined to require a SAR must complete that process prior to implementation.

Static websites

For static websites, the primary security concern is limiting access to who can add or modify those files. In this regard, user account practices are of primary importance:

  • Do not share usernames and passwords with anyone.
  • to a website, web tool or UNH server for yourself or an employee using the IT Accounts Management System.
  • If a user account has not been accessed in a year, an attempt will be made to contact the owner and potentially disable it.
  • If you are hosting your own site, please review the hosting standard as well as the standard on standalone websites.

Web applications

For web applications, proper user account practices are important, but there are many additional areas of concern in relation to security. The following is a summary of the most important points:

  • Web hosting environments and associated database systems supporting them should be maintained by experienced professionals. For additional information on hosting, see the standard on web hosting.
  • Underlying frameworks and technologies must be updated on a regular basis, especially to install security-related patches.
  • Web applications should be tested for issues with the web application coding before being put into production, at least annually once they are live, and after any significant revision to the application. These issues include concerns such as SQL injection, cross-site scripting, authentication and authorization, and session control. UNH IT provides to check web applications.
  • Wherever possible, web applications that require users to authenticate should use .
  • Web applications must have a designated administrator and a backup person who is responsible for overseeing the web application and granting authorization of various levels of access rights to other individual users within that application.
  • Web applications that involve sensitive or restricted data per the UNH Data Classification Policy must undergo a specific security review by Enterprise Cybersecurity Services.
  • Web applications that are developed in-house should be following industry best practices such as the .
  • The principle of least privilege should always be used in granting access rights and managing permissions in any web application.

Security breaches

If any UNH employee suspects a security-related incident with a website or web application, follow the Cybersecurity Incident Reporting process.

  • Report the security incident to your manager. If you are a manager, contact the IT Service Desk and state that you are reporting an information security incident.

Support

For questions regarding security, please contact Cybersecurity Services or the website owner or manager.

Responsibility for security

Website owners and managers of any websites set up on UNH servers are responsible for following security-related best practices for their websites. All UNH employees must report security-related incidents following the Cybersecurity Incident Reporting process. In addition, site owners and managers must comply with all relevant laws and this standard.

Violations

UNH reserves the right to remove a website or access to that website if the owner or manager does not appropriately maintain security practices. If the site or content owner cannot be contacted or is no longer at UNH, that content will be administered by ET&S Software Development and can be removed if deemed inaccurate or inappropriate. UNH also reserves the right to remove a website or access to that website if it is considered to have violated this standard or any other UNH policies.

If inappropriate security practices are reported, UNH ET&S will contact the site owner to discuss the issue. Unacceptable responses may cause the UNH website, web application, or server access to be suspended.

Reports regarding inappropriate security .