Hong Kong Baptist University

Transcription

1 Hong Kong Baptist University Guidelines for Development and Maintenance of University/Departmental Websites FOR INTERNAL USE ONLY Date of Issue: MAY 2014

2 Revision History Version Author Date Revision 1.0 Information Security Subcommittee (ISSC) May 2014 Initial Version Copyright Statement All materials in this document are, unless otherwise stated, the property of Hong Kong Baptist University ( HKBU or the University ), and protected by the copyright and other intellectual property laws. Reproduction or retransmission of the materials, in whole or in part and in any manner, without the prior written consent of HKBU, is an offence under the relevant laws. FOR INTERNAL USE ONLY - 2 -

3 Policy Statement HKBU must ensure that all information published in the World Wide Web, and its relevant information resources are well protected against unauthorised access, use, disclosure, disruption, modification, or destruction. University members and external parties that involve in the development and maintenance of University/Departmental websites are expected to adhere to the standards herewith. 1. Objective The objective of this document is to provide security guidance and standards on publication of information on University/Departmental websites, and protection of relevant information resources. 2. Scope This set of guidelines applies to the development and maintenance (including information publication) of all websites registered with HKBU domain names or IP addresses, i.e. *.hkbu.edu.hk, and hosted under University owned, leased, operated, contracted, or controlled equipment and computer communication facilities. 3. Website Hosting ITO provides centralised website hosting services for the University community, in which servers and relevant IT resources are well protected against malicious attacks. Faculty/Department may make use of the service to host their websites. In case that Faculty/Department sets up its web server which is directly or indirectly connected to the University networks, information security standards, as stated in this guideline, must be strictly followed. While relevant information should be provided to ITO for record. As web servers and relevant IT resources are classified as mission-critical/sensitive assets, connection to them for administrative or maintenance works is highly recommended to be made within the University Intranet. If remote access is needed, connection to them must follow the requirements stated in the Remote Access Security Standard. 4. Infrastructure Level Security Web servers should be administered by qualified IT/security professionals and protected with appropriate security controls/infrastructures, which include, but not limited to, the following areas: Hardening of Operating Systems Firewall Protection Intrusion Detection/Prevention Systems Anti-virus and Anti-malicious software Security Patch Management FOR INTERNAL USE ONLY - 3 -

4 Backup and Restore 5. Application Level Security 5.1. Authentication and Authorisation Access to RESTRICTED/CONFIDENTIAL information published in University/Departmental websites should be authenticated with strong username/password, or equivalence/higher securitylevel authentication mechanisms. Whenever possible, centralised University Single-Sign-On (SSO) service should be used. When user profiles/information are to be maintained separately, login credentials stored in the system must be hashed or encrypted with strong encryption mechanism. Publication of, and access to, RESTRICTED/CONFIDENTIAL information in University/Departmental websites should be controlled and only authorised to relevant University members, according to their role in the University and the classified information categories Encryption Data stored or used by the website must be password protected. Communication channel that is used to transmit RESTRICTED/CONFIDENTIAL information between web server and browser over the Internet shall be encrypted by Secure Socket Layer (SSL) Access/Audit Log Access to webmaster or privileged accounts must be protected by strong password and with proper account locking mechanism for consecutive fail login attempts. Administrative login sessions to web server or related IT resources shall be monitored and logged. System and audit logs should be reviewed regularly by responsible administrator. 6. Development and Maintenance Control 6.1. Development and Acceptance Test Members shall follow the Guidelines for Information Classification and Handling during the development of University/Departmental websites, in order to ensure information published in the websites is well protected in accordance with the classified information categories. A risk analysis on potential data loss and appropriate security protection requirements should be defined and incorporated into the development phase of the website, and should be verified against, during the acceptance test before the production launch. Granting of World-Writeable or Modifiable access privileges on any files/folders of the University/Departmental websites is strictly prohibited. FOR INTERNAL USE ONLY - 4 -

5 The University shall impose standard security requirements in the tender documents for outsourced website development/maintenance projects. Such requirements should include, but not limited to the following: The website should be developed in accordance with high security standard, with reference to the programming practices and techniques specified in The Open Web Application Security Project (OWASP). A thorough website vulnerability scan, with reference to the worldwide security standard The OWASP Top 10 Security Project, must be performed during the acceptance test. A scan report showing the website is compliant with the standard has to be produced and submitted to ITO for approval of production launch. Maintenance of production website should include annual scanning and fixing of identified vulnerabilities with reference to the The OWASP Top 10 Security Project. The tenderer shall bear all costs incurred for fixing the identified vulnerabilities revealed by the vulnerability scan. Tenderer that violates the security requirements stated in the Security Guidelines for Development/Maintenance of University/Departmental Websites published by HKBU shall be blacklisted and rejected for bidding of future website development/maintenance projects of the University Production Launch and Maintenance Scanning and fixing on website vulnerabilities with reference to the worldwide security standard, such as The OWASP Top 10 Security Project, should be performed before the production launch; for major enhancements, on a regular basis. In case that the website is not housed at the Universitywide web server, ITO has the right, if deemed appropriate, to coordinate with responsible parties, e.g. outsourced vendor of respective website, to perform random security/vulnerability scan to ensure it meets the required security standard. 7. Summary To mitigate the risks of website hacking occurred at the University, all University members and outsourced external vendors that involve in the development, maintenance and information publication of the University/Departmental websites must adhere to the guidelines specified in this document. FOR INTERNAL USE ONLY - 5 -