Security Scanning

AITS is assisting the University community by providing a Web Content Management Service for departments to manage web sites. The SitePublish system is used for creating, hosting, and managing sites. The goal is to provide an efficient and effective means for decentralizing control over content.

However, it is critical to maintain security standards. Many sites within the SitePublish system are interconnected; therefore, security vulnerabilities existing in one site impact all other sites within the system. To maintain secure environments, AITS requires administrators of SitePublish to comply with several guidelines and procedures.

Standard Statement

  • SitePublish sites are to be regularly scanned for security vulnerabilities.
  • New SitePublish sites will be scanned by AITS prior to deployment.
  • Non-intrusive scans may be performed in production-staging environments; intrusive scans must be performed in non-production environments.
  • Site Administrators are responsible for any security vulnerabilities that are introduced into the system for changes they or their staff make on their site.
  • Site Administrators will complete a Site Security Questionnaire. The questionnaire will be reviewed by AITS Security Engineering to determine the appropriate degree of intrusiveness of the scan.
  • All high and medium vulnerabilities need to be resolved.
  • High vulnerabilities will prevent a site from being deployed.
  • Site Administrators will allow up to two weeks for scanning.
  • SitePublish patches and upgrades will be scanned, tested and approved in a representative environment by all site administrators prior to being migrated to production.
  • Recurring intrusive scans of all existing sites will be performed in test environments cloned from production every 6 months.
  • If an existing site undergoes significant changes or introduces a major new feature, Site Administrators are required to notify the SitePublish System Manager.
  • All active/interactive content, whether client-side (e.g. JavaScript, VBScript, Ajax, etc.) or server-side (e.g. php, Java, .Net, etc.) must be created and scanned in an environment that will not affect operational data.
  • The System Manager will determine whether a new Site Security Questionnaire needs to be completed and reviewed by AITS Security Engineering.

EXEMPTIONS/SPECIAL SITUATIONS

Any exceptions to these standards require review by the points of contact listed below and approval from the AITS Leadership Team.