Web Hosting Security Policy

Policy

Authentication and authorization

Administrators are responsible for controlling who can reach web applications and who holds administrative privileges on them. To comply, administrators must:

  • Determine which individuals need access to specific accounts and applications, and define the level of access each individual gets. Document which users hold which access and keep that record current as access is granted or revoked.
  • Apply the principle of least privilege wherever possible. Administrative accounts are for administrative tasks only: they must not be used for day-to-day work, and individuals must use separate, non-privileged accounts for routine use of a system.
  • Where technically possible, disable file sharing and export options for users who do not need them.
  • Use multi-factor authentication (and SSO, where available) for administrators and other privileged users whenever practicable.
  • Ensure user roles, groups, and permissions adequately address the classification level of institutional data and the sensitivity level of departmental data involved.
  • Enforce password change requirements in accordance with LightForce Policies.

SSL/TLS certificates

Administrators should ensure that every website or hosted web application is served over HTTPS with a valid TLS (SSL) certificate issued for an approved LightForce domain, and that renewal is tracked so the certificate is replaced before it expires. Track expiry dates and the issuing authority so an expired or revoked certificate never goes unnoticed.

Backups and data retention

Administrators must be able to recover application data and components and maintain continuous operations; backups are essential to this. Administrators must also ensure that backup data are stored in compliance with LightForce policies and retained in accordance with LightForce retention schedules. Administrators must:

  • Develop and maintain a disaster recovery plan.
  • Back up application data regularly, and ensure that personnel documentation and training records can be located when needed. Store backup data, log data, and personnel records in a central, access-controlled location, separate from the hosts they protect, so they can be found and restored in the event of a disaster.
  • Test the disaster recovery plan, including a full restore from backup, at least annually.
  • Follow the applicable data retention schedules and archive data where required.

Security Awareness

  • Administrators should always inform LightForce IT when a new website or hosted web application is deployed.
  • Administrators should always review and enable application-specific security settings, for example:
    • SFTP instead of FTP
    • HTTPS instead of HTTP
    • Required authentication instead of anonymous access
    • Certificates issued for the specific hostname instead of wildcard certificates
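The certificate checks above (valid, renewed before expiry, issued for the specific hostname rather than a wildcard) can be automated. The script below is an added example, not part of the LightForce policy: `fetch_cert` pulls the certificate from a live server with the standard library's `ssl` module, and `assess_cert` evaluates the dictionary that `getpeercert()` returns, so it can also run offline against the constructed sample certificates included here. The hostnames, dates and the 30-day renewal lead time are assumptions to be replaced with LightForce's own values.

```python
"""Added example: TLS certificate expiry and wildcard check (stdlib only).

Not LightForce code. Hostnames, dates and RENEW_WITHIN are assumed values.
"""
import socket
import ssl
from datetime import datetime, timedelta, timezone

RENEW_WITHIN = timedelta(days=30)   # assumed renewal lead time

# Reference times used by demo() and the tests so results are reproducible.
REF_TIME = datetime(2025, 3, 1, tzinfo=timezone.utc)
LATER_TIME = datetime(2025, 10, 1, tzinfo=timezone.utc)

# Constructed to resemble getpeercert() output; these are not real certificates.
SAMPLE_WILDCARD_CERT = {
    "subject": ((("commonName", "*.lightforce.example"),),),
    "subjectAltName": (("DNS", "*.lightforce.example"), ("DNS", "lightforce.example")),
    "notAfter": "Mar 20 12:00:00 2025 GMT",
}
SAMPLE_HOST_CERT = {
    "subject": ((("commonName", "www.lightforce.example"),),),
    "subjectAltName": (("DNS", "www.lightforce.example"),),
    "notAfter": "Sep 01 00:00:00 2025 GMT",
}


def fetch_cert(host, port=443):
    """Fetch the peer certificate from a live server (network call; not used in tests).

    create_default_context() verifies the chain and hostname, so an invalid
    certificate raises ssl.SSLCertVerificationError before anything is returned.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def cert_names(cert):
    """Return every DNS name the certificate is issued for (SANs first, then CN)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def assess_cert(cert, hostname, now=None):
    """Evaluate a getpeercert() dict against the policy's certificate rules.

    Findings, in this order: "expired" or "renew_soon", then "hostname_mismatch"
    when the exact hostname is not listed (a wildcard covering it does not count,
    since the policy asks for host-specific certificates), then "wildcard".
    """
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    names = cert_names(cert)
    findings = []
    if not_after <= now:
        findings.append("expired")
    elif not_after - now < RENEW_WITHIN:
        findings.append("renew_soon")
    if hostname not in names:
        findings.append("hostname_mismatch")
    if any(name.startswith("*.") for name in names):
        findings.append("wildcard")
    return {"not_after": not_after, "names": names, "findings": findings}


def demo():
    """Run both constructed samples at REF_TIME; returns {label: findings}."""
    return {
        "wildcard": assess_cert(SAMPLE_WILDCARD_CERT, "www.lightforce.example", REF_TIME)["findings"],
        "host": assess_cert(SAMPLE_HOST_CERT, "www.lightforce.example", REF_TIME)["findings"],
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or "ok")
```

Run it against a real host by replacing `SAMPLE_HOST_CERT` with `fetch_cert("www.example.org")`; scheduling it daily and alerting on any non-empty findings covers the renewal tracking the policy requires.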

Data protection

When data are collected on a website or hosted in a web application, administrators must ensure these data are properly protected. Administrators must:

  • Assess the type(s) of data that will be collected and/or stored in the system, and classify them before the system goes live.
  • If regulated data are involved (for example, data covered by HIPAA), ensure users have completed the appropriate compliance training.
  • If data will be shared with or disclosed to a third party, ensure the proper contracts are signed and approved before any data are transferred. Review and update these agreements yearly to remain compliant.

Scans and log monitoring

Administrators must keep event logs for their web servers, applications, and sites by:

  • Enabling logging and auditing to capture login attempts, both successful and failed. When sensitive data are involved, modifications and deletions must also be logged.
  • Retaining logs for at least 30 days and no more than 60 days, unless an external compliance requirement (for example, HIPAA) mandates otherwise.
  • Reviewing logs at least weekly, or more often if compliance requirements demand it, for unusual behavior such as repeated failed logins, access at unexpected times, or unexpected modifications.
  • Running regular vulnerability scans (web application scans and server scans). Run a scan before major changes are deployed to the application or website, and again afterwards to confirm the change introduced no new findings.
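The weekly log review is easier to do consistently when the obvious cases are automated. The script below is an added example, not part of the LightForce policy: it parses web server access logs in the common "combined" format, flags any client address with repeated failed logins inside a sliding window, and lists successful modifying requests (PUT, PATCH, DELETE) so they can be reconciled against expected changes. The login path (`/login`), the status codes treated as failed logins, the five-minute window and the threshold of five failures are assumptions; the log lines are constructed for the example.

```python
"""Added example: flag brute-force logins and data modifications in access logs.

Not LightForce code. LOGIN_PATH, FAILED_STATUS, WINDOW, THRESHOLD and the
sample log below are assumed/constructed values to adapt to the real site.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

LOGIN_PATH = "/login"          # assumed login endpoint
FAILED_STATUS = {401, 403}     # assumed responses for a failed login
WINDOW = timedelta(minutes=5)  # sliding window for counting failures
THRESHOLD = 5                  # failures inside WINDOW that flag an address
MODIFYING = {"PUT", "PATCH", "DELETE"}

# Constructed sample: one brute-force source, one slow source that stays under
# the window, one legitimate user who mistypes once and then deletes a record,
# and one malformed line.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:09:00:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.5 - - [10/Mar/2025:09:00:03 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.5 - - [10/Mar/2025:09:00:05 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.5 - - [10/Mar/2025:09:00:08 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.5 - - [10/Mar/2025:09:00:11 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.5 - - [10/Mar/2025:09:00:14 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
192.0.2.9 - - [10/Mar/2025:09:00:00 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2025:09:10:00 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2025:09:20:00 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2025:09:30:00 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2025:09:40:00 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.7 - alice [10/Mar/2025:09:10:00 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.7 - alice [10/Mar/2025:09:10:20 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - alice [10/Mar/2025:09:12:00 +0000] "DELETE /records/42 HTTP/1.1" 204 0 "-" "Mozilla/5.0"
198.51.100.7 - alice [10/Mar/2025:09:12:30 +0000] "GET /records HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
this line is not in combined log format
"""


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "user": m["user"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}


def find_brute_force(events):
    """Return {ip: peak failures} for addresses with >= THRESHOLD failed logins in any WINDOW."""
    failures = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"] == LOGIN_PATH and e["status"] in FAILED_STATUS:
            failures[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # slide the window over sorted timestamps
            while times[end] - times[start] > WINDOW:
                start += 1
            count = end - start + 1
            if count >= THRESHOLD:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def find_modifications(events):
    """Return (ip, user, method, path) for every successful modifying request."""
    return [(e["ip"], e["user"], e["method"], e["path"])
            for e in events if e["method"] in MODIFYING and 200 <= e["status"] < 300]


def analyze(log_text):
    """Run both checks over a log; unparsed lines are counted, not silently dropped."""
    parsed = [parse(line) for line in log_text.splitlines() if line.strip()]
    events = [e for e in parsed if e]
    return {"brute_force": find_brute_force(events),
            "modifications": find_modifications(events),
            "unparsed": len(parsed) - len(events)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Replace `SAMPLE_LOG` with the contents of the real access log (for example `open("/var/log/nginx/access.log").read()`) and run it from the weekly review; the slow source at 192.0.2.9 shows why the window matters, since five failures spread over forty minutes never exceed the threshold while the same five inside five minutes would.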

Personnel and training

Administrators should ensure that their teams, and the teams they work with, have the technical knowledge and training their roles require, and should maintain training logs and other compliance records as applicable. Administrators must:

  • Create and distribute manuals and tutorials that explain proper use of the application and the procedures for protecting its data.
  • Ensure users know how to protect data gathered, stored, and distributed by the applications and sites they use.
  • Ensure IT professionals involved in managing the application or its data are properly trained.
  • Ensure the training provided to IT professionals is role-specific whenever possible.
  • Ensure business associates and third parties are also trained to handle the application and, where applicable, the data it gathers or stores.
  • Update training documents at least annually.
  • Use in-application notifications and built-in training whenever possible to reinforce compliance and proper use.

Privacy

For sites that collect, store, or share data, compliance with privacy policies and regulations is mandatory. Web administrators must:

  • If an application can store personally identifiable information, develop a procedure to track, minimize, and protect these data.
  • Where personnel or contractors will handle data, obtain signed non-disclosure, privacy, and access agreements from every person, contractor, and vendor involved.
  • Remind personnel and third parties of the data protection policies at least annually.
  • Remind content owners and site managers to work together to post a readily visible link to a privacy notice on the home page of each site and on any page that solicits user information. The notice must reasonably inform users how that information will be used, managed, and disclosed.

Physical and server security and risk

Administrators must minimize risk to web applications and websites by securing the underlying systems appropriately. To address these risks, administrators must:

  • Place all servers behind a firewall and expose only the ports the application requires.
  • Whenever possible, run antivirus or endpoint protection software on any system used to access or manage the application.
  • Encrypt data at rest, in transit, and in backups wherever possible.
  • Perform an annual risk assessment where appropriate.
  • Immediately report suspected or actual breaches of information, systematic unsuccessful attempts to compromise information, and suspected or actual weaknesses in safeguards.

Software and hardware

Keeping software and hardware maintained is key to securing IT resources at LightForce. For all software and hardware used by web applications and websites, administrators must:

  • Run current, vendor-supported versions of software and operating systems wherever possible.
  • Remove unnecessary services and software from servers that host or manage web applications.
  • Install system updates and vendor patches promptly.
  • Inventory all hardware and software annually and whenever major updates occur.

Recommendations

Administrators

While the first section of this guide sets out the policy requirements that apply, LightForce also strongly recommends that administrators adopt the best practices in this section.

Administrators should know which users own or maintain each site on their servers. This knowledge lets administrators delegate responsibilities effectively, secure systems quickly if an account is compromised or a user retires or leaves the organization, and maintain the chain of custody for information. Content owners are part of this process and should keep administrators informed of changes to content ownership on a regular basis. Administrators should:

  • Generate a list of site contacts with a minimum of two contacts per site and maintain it in a readily available format and location.
  • Update the contact list at least annually.
  • Renew any service agreements for web hosting with content owners at least annually.

Content Owners

While administrators should know who owns the content on the servers they administer, content owners also have a responsibility to communicate and coordinate with administrators, since ownership of content and sites can change quickly. LightForce strongly recommends that content owners take the following steps to support the continuity of web server administration:

  • Create and maintain a current list of content owner contacts in a readily available format and location.
  • Review and update the contact list at least annually and whenever personnel changes occur.
  • Share the updated list with administrators on a regular basis, as roles change, and whenever administrators request it.
  • Keep site content current and remove content that is no longer needed.