2. Scope This policy addresses all web sites hosted by the central web hosting service.

Transcription

1 OIT Web Hosting Policy Rev Effective Date: Last Revised: January 3, 2011 January 3, 2011 The following are responsible for the accuracy of the information contained in this document Responsible University Officer: Chief Information Officer (CIO) Responsible Coordinating Office: Georgia Tech Office of Information Technology (OIT) 1. Executive Summary This document is in direct support of the Georgia Institute of Technology Computer and Network Usage and Security Policy (CNUSP). The Office of Information Technology (OIT) provides web- hosting service to academic and administrative units as well as recognized student organizations at Georgia Tech. This service is limited to hosting production and development web sites and does not include technical support associated with web site design, development, or testing. This policy provides the necessary guidance to users of the service on support, content management, and site management. 2. Scope This policy addresses all web sites hosted by the central web hosting service. 3. Definitions Content Management System (CMS) Domain Account Domain Administrator Domain Owner Sensitive Information User Space A web application for managing web site content by multiple authors/editors. This includes packages such as Drupal and Joomla. The actual account in the Plesk system that has the ability to modify a domain and the applications within that domain. Anyone that a domain- owner has given the credentials necessary to login to a Plesk domain- account and make changes to that domain. A domain- owner and all domain- administrator constitute the complete domain- group. The single account holder responsible for one or more Plesk domains and for adding/removing domain- administrators to a domain. This information is considered private and should be guarded from disclosure; disclosure of the information may contribute to financial fraud. Disclosure may also violate state and/or federal law. Processes on a UNIX system that are run under the id and permissions of a particular user and not as one of the various system accounts such as root or nobody. Georgia Institute of Technology Page 1

2 4. Statement of Policy The policy statements below apply to all web sites and customers that are a part of the central web hosting service. 4.1 Web Site Ownership Authorized Requestors Georgia Tech full- time employees can request web- hosting space. Domain Ownership Initial domain ownership will be limited to faculty members and full- time exempt staff. Each web site hosted by OIT must have at least two contacts associated with it, one of whom must be a regular, full- time employee of the Institute. Furthermore, individual web site owners should document processes for approving, publishing and managing content to their production environments. Finally, web site owners should notify OIT when/if contacts for the web site change. Domains may not be owned by contractors, students (e.g. GRAs), or Tech Temps. However, the owner of the domain may delegate management of the domain to anyone with a valid GTED account, including students, faculty, staff, alumni, applicants, retirees, affiliates and guests. All users with management rights using this service will abide by all Georgia Tech policies and procedures, including the Georgia Tech Computer & Network Usage and Security Policy (CNUSP), and agree to the enforcement mechanisms defined by those policies. 4.2 Web Site Content Adhering to Georgia Tech Policies The content of sites hosted on OIT's web hosting service must adhere to Georgia Tech policies. The content of sites hosted on OIT's web hosting service must abide by all necessary Georgia Tech policies, including the campus Computer and Network Usage & Security Policy (CNUSP). These policies may be found at Offensive, illegal, political and/or commercial content is prohibited. Content must abide by copyright and fair use guidelines. Sensitive information, as defined in the Georgia Tech Data Access Policy, may not be stored, accessed, or utilized on the web- hosting servers. Web sites on the hosted service may not receive, store, transmit, or process credit card information. 4.3 Application Hosting & Administration Shared Environment The web hosting service is a shared resource environment, which means that the server resources are shared by all sites. Services that are included and allowed as a part of the web hosting service include: Content Management Systems, wikis, portals, forums, scheduling tools, and surveys. While a customer s site may need to share files (e.g. video Georgia Institute of Technology Page 2

3 files) as a core part of its purpose, the service is not intended to be used as a fileserver (replacing a departmental file server, personal file server) or a file sharing service (distributing/sharing files like Dropbox). System- Level Software Restrictions Users may not install any system- level software on the web- hosting servers. Virtual Websites and Hostnames The OIT Web Hosting Service provides virtual web servers with domain names for academic, administrative, research, and official student organizations, as well as joint initiatives involving one or more departments on campus. Software that requires administrative or root access may not be installed by site owners. This restriction does not include extensions to system software that are explicitly allowed by that software and which run in user space. OIT may suggest alternatives in situations where the requested virtual host name isn't allowed under this policy or wouldn't be advisable for technical reasons. OIT recommends contacting the webhosting team about the availability of gatech.edu domain names before attempting to register for the name/service. Use of Non-.gatech.edu Domains The webhosting service does accommodate the use of.com,.net,.org, and other non-.edu domain names. Accounts & Passwords Site administrators are responsible for the security of their site administration credentials. Access to the webhosting service for the purposes of administration and management must be through a secure channel. Webhosting domain names in domains other than.gatech.edu are allowed as long as they adhere to Institute policies and guidelines. OIT strongly recommends that the customer contact OIT about hosting these domains instead of hosting them with an outside registrar. If you do host with an outside domain name registrar, you will be responsible for the support of the domain. Access to the Web Hosting control panel is via the individual s standard Georgia Tech account credentials, and must be over a secure protocol such as SSL or SSH. Due to existing limitations with the service, each hosted web site will be assigned one site- specific ID and password for administrative management and is limited to the hosting environment only. This credential can be shared among the delegated administrators of the same web site, until such a time when the underlying technology is capable of leveraging existing GT credentials. This account/credential represents critical access to a critical service (yours) and must be protected. Site administrators MUST maintain these credentials in a secure fashion and not make them available unless absolutely necessary. Secure Hosting & SSL Content that should be encrypted when presented on the web must utilize the secure virtual host option available within the Web Hosting control panel. This option utilizes a wildcard certificate which allows all sites to utilize the same certificate. OIT does not support provisioning of alternate certificates or certificate authorities at this time. Please contact the webhosting team at XXX for help with alternatives if needed. Georgia Institute of Technology Page 3

4 4.4 Accessibility Guidelines Accessibility to Web Content Web content must adhere to Federal (Section 508) accessibility guidelines. The coding of the content should also comply with current Internet standards. Organizations such as W3C and Bobby Online Free Portal offer tools to test accessibility and standards compliance. Information and guidelines pertaining to accessibility can be found at: Information pertaining to Georgia Tech's web guidelines can be found at: Monitoring & Security Measures Security Vulnerabilities The hosted environment will be subject to periodic vulnerability scans for protection against known or potential information security threats, and site administrators will be notified if any changes or updates are required. OIT reserves the right to access system logs, account directories, site content, and other records to investigate and/or resolve system problems. Patching Domain owners are expected to install or upgrade applications within their domain in an acceptable and timely fashion. Resolving Incidents If a site is found to be causing problems for other users, presenting a security threat, or enabling illegal activity, the site administrators will be notified and expected to take corrective action immediately. Failure to apply security patches in a timely manner could result in service being temporarily disabled should it present risks to other users or the Institute s integrity. If any such urgent issues with a hosted web domain (as described above) cannot be resolved in a timely manner, OIT may take one or more of the following actions, in consultation with the domain owner, unit leadership, and campus leadership (as appropriate), depending on the nature and severity of the problem, as well as the time estimated for the site administrators to correct it: Restrict the public's access to the web site Disable dangerous files by altering permissions, moving, or renaming them Terminate processes Disable the web site Remove the site administrator s access to the site (e.g. when compromise is suspected) In cases where the compromise could impact the reputation of Georgia Tech, the incident will be remanded to the GT Incident Response team. Georgia Institute of Technology Page 4

5 5. Responsibilities & Support 5.1 Responsibilities & Support OIT- Provided Support OIT is responsible for providing support of the web hosting service servers and related applications. OIT does not offer design, development, or testing services associated with web hosting. Please refer to Communications & Marketing's Communications Toolbox at for website templates and production resources, design and style guides, and information pertaining to accessibility and coding standards. Centralized support for a particular Content Management System (CMS) in the form of themes, plugins, and image repository is also not currently offered. Most CMS packages will be available, but only one package per class of application is supported. Application Availability OIT will provide one package per class of application. The current list of provided packages includes: Class Package CMS Drupal Blog Wordpress Forums phpbb Image Gallery Gallery Wiki Mediawiki Domain Owner Best- Practices Departments are encouraged to develop and test in a local environment before securely transferring content to the web server. Web Site Scripts If domain owners choose to run scripts on OIT's web hosting server, they are responsible for making sure those scripts do not represent a security risk. Backups It is strongly recommended that each domain owner maintain a current copy of all content for backup purposes. In addition, domain owners may request a separate OIT hosted development environment. OIT hosted development sites shall be accessible via HTTP only from the GT campus network. This requires domain owners to: Know what the scripts do and how they work Keep them up to date with patches, etc. Watch for vulnerabilities in the scripts to be announced (by keeping an eye on and similar sites) Watch your site's log files for unusual activity Although OIT does create periodic system backups, OIT is not responsible for site content other than recovery resulting from catastrophic loss of the system. Backups are available via the self- service restore process for up to four (4) weeks. Recovery is the responsibility of the domain- owner through the built- in backup management systems. Georgia Institute of Technology Page 5

6 6. Compliance Any person (or unit) who uses the Web Hosting Service consents to all of the provisions of this policy and agrees to comply with all of its terms and conditions, and with all applicable state and federal laws and regulations. Users have a responsibility to use these resources in an efficient, effective, ethical, and lawful manner. Violations of the policy may result in loss of usage privileges, administrative sanctions (including termination or expulsion) as outlined in applicable Georgia Tech disciplinary procedures, as well as personal civil and/or criminal liability. 7. Policy Modifications This policy may be changed by directive from the responsible university officer. The Computer & Network Security Procedures may be changed by directive from the Georgia Tech Associate Vice President and Associate Vice- Provost for Information Technology. Any changes to the policy or procedures must be promptly communicated to the individuals and offices noted in Section Communication Upon approval, this policy shall be published on the Georgia Tech website. The following offices and individuals shall be notified via and/or in writing upon approval of the policy and upon any subsequent revisions or amendments made to the original document: Web Hosting Customers OIT Georgia Tech IT Directors Georgia Tech CSR Mail List Internal Audit Office of Legal Affairs Communications & Marketing 9. References Resource Georgia Tech IT Policy Website Georgia Tech Data Access Policy Georgia Tech Computer & Network Security Procedures Georgia Tech Copyright Infringement Complaint Response Procedures Link AP.pdf _Procedures.pdf infringement- complaint- response- procedures 10. Revision History Revision Number Author Description 2.0 Richard Biever Updated to Standard Format Georgia Institute of Technology Page 6

7 Georgia Institute of Technology Page 7