Summary: Procedure Name: Information Services Hosted Web Site Security Procedures
Complements: Policy 150.81 - Information Services Hosted Web Site Security
Responsibility: Information Services
General Procedure List
1. Only web applications supporting University business will be enabled on University Web servers
and must be disabled or removed when that purpose has been served (Examples: conferences,
special events, and time sensitive materials).
2. Open source, commercial and custom web applications must be installed and configured in
accordance with the current security recommendations of the vendor/developer.
3. Web applications must be secured and maintained in accordance with the current
recommendations of the vendor/developer.
4. Web applications which have reached 'end of life', are no longer supported, or are deemed by
Information Services to be unresponsive to patching security vulnerabilities must be replaced
with a secure alternative within 30 business days.
5. In accordance with University policies regarding confidentiality and/or copyright, site owners are
solely responsible for the safeguarding of all data collected or transmitted.
6. Any materials deemed by Information Services to be private or sensitive in nature must be
encrypted and transmitted using a secure network connection.
7. Financial information may not be collected or transmitted by any web application which has not
been verified to be PCI (Payment Card Industry) compliant.