University of Illinois System

Security Scanning

AITS is assisting the University System by providing a Web Content Management Service (SitePublish) for units to create and manage their web sites securely. Because all sites run within a shared infrastructure, a vulnerability introduced in one site can put the others at risk, so every site must maintain the same security standards. AITS therefore requires SitePublish Site Administrators to comply with the guidelines and procedures below.

Standard Statement

  • SitePublish sites are to be regularly scanned for security vulnerabilities.
  • New SitePublish sites will be scanned by AITS prior to deployment.
  • Intrusive scans must be performed in non-production environments.
  • Site Administrators are responsible for any security vulnerabilities introduced into the system by changes they or their staff make to their site.
  • All high- and medium-severity vulnerabilities must be resolved.
  • Unresolved high-severity vulnerabilities will prevent a site from being deployed.
  • Site Administrators should allow up to two weeks for scanning when planning a deployment.
  • SitePublish patches and upgrades will be scanned, tested and approved in a representative environment prior to being migrated to production.
  • Recurring intrusive scans of all existing sites will be performed in test environments regularly cloned from production.
  • If an existing site undergoes significant changes or introduces a major new feature, Site Administrators are required to notify the SitePublish System Manager.
  • All active/interactive content, whether client-side (e.g. JavaScript, VBScript, Ajax) or server-side (e.g. PHP, Java, .NET), must be created and scanned in an environment that will not affect operational data.

Any exceptions to these standards require review and approval from AITS.