There are many options for creating and deploying websites. The guidance below highlights the options UNC provides and the steps that keep University data protected when a website is deployed for University business. Guidance on handling secure file uploads is covered in a separate post.
Consider ITS Managed Services
UNC ITS supports two Software as a Service (SaaS) options for creating websites with WordPress: Self-service, for individual or small group sites, and Enterprise, for larger organization sites (e.g., Schools, Departments, Centers, etc.).
Neither service is rated for UNC Sensitive Information (Tier 2 or 3).
ITS also manages Red Hat OpenShift via cloudapps.unc.edu. Unlike the SaaS options above, this Platform as a Service (PaaS) gives you the flexibility to build a highly customized solution. The trade-off is a larger share of the shared-responsibility model: in addition to the platform's own controls, you are responsible for maintaining and patching the application code and dependencies you deploy to it.
CloudApps is rated for certain categories of sensitive information, but you must declare that your project space will handle sensitive information when you request it so that the additional required controls are provisioned.
See the section below for additional requirements regarding collection or storage of University-owned sensitive information.
Security Recommendations and Guidelines
The following security guidelines should be considered when deploying websites for University business.
Some apply regardless of what kind of information is involved.
If UNC users need to authenticate to the site, use a centrally managed identity provider such as Shibboleth or Azure AD rather than maintaining a local set of accounts and passwords.
Under some circumstances, a department may choose to manage their own infrastructure and deploy websites via their own servers. In those cases, the following guidelines should be followed:
- Use both a host firewall and a network firewall to restrict inbound traffic to the ports the site actually needs (typically just HTTPS, plus administrative access from a limited address range).
- Use a Web Application Firewall (WAF) such as the Wordfence plugin for WordPress or Sucuri.
- Install Anti-Virus software or an Endpoint Detection and Response (EDR) agent on each server. Installing both is highly recommended where possible.
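As an added illustration of the host-firewall item (this script is not part of the original ITS guidance), the following bash script generates a default-deny nftables ruleset for a Linux web server that accepts only loopback traffic, replies to established connections, essential ICMP, SSH from a management range, and the listed web ports. The management range 10.0.0.0/8, SSH on port 22, and the table name `webhost` are placeholder assumptions; substitute your department's real values. It requires nftables (`nft`) and root to apply.

```shell
#!/usr/bin/env bash
# Added example, not part of the UNC ITS page: build and load a default-deny
# nftables host firewall for a web server. The management CIDR (10.0.0.0/8),
# SSH port 22, and table name "webhost" are placeholder assumptions.
set -euo pipefail

# gen_nft_ruleset MGMT_CIDR PORT [PORT...]
# Prints an nftables ruleset to stdout: inbound policy is drop; only loopback,
# established/related replies, essential ICMP, SSH from MGMT_CIDR, and the
# listed TCP service ports are accepted. Everything else is logged, then dropped.
gen_nft_ruleset() {
    local mgmt_cidr="$1"; shift
    local ports
    ports=$(IFS=,; echo "$*")          # join remaining args: "80,443"
    cat <<EOF
flush ruleset
table inet webhost {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Keep PMTU discovery and basic diagnostics working; do not blanket-drop ICMP
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        # Administrative SSH only from the management network, rate-limited against brute force
        ip saddr ${mgmt_cidr} tcp dport 22 ct state new limit rate 10/minute accept
        # Public web service ports
        tcp dport { ${ports} } accept
        # Rate-limited log of everything else before the chain policy drops it
        limit rate 5/minute log prefix "nft-drop: " level info
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# apply_ruleset MGMT_CIDR PORT [PORT...]
# Syntax-checks the generated ruleset with nft -c first, so a typo never leaves
# the host with a partially loaded table, then loads it atomically.
apply_ruleset() {
    local tmp
    tmp=$(mktemp)
    gen_nft_ruleset "$@" > "$tmp"
    nft -c -f "$tmp"
    nft -f "$tmp"
    rm -f "$tmp"
    echo "Loaded host firewall ruleset; review with: nft list ruleset"
}

# Usage:  ./webhost-fw.sh            # print the ruleset for review
#         sudo ./webhost-fw.sh apply # check and load it
if [ "${1:-print}" = "apply" ]; then
    apply_ruleset 10.0.0.0/8 80 443
else
    gen_nft_ruleset 10.0.0.0/8 80 443
fi
```

Two caveats a practitioner will hit: `flush ruleset` discards every existing table on the host, including ones created by container runtimes, so merge rather than flush on hosts that run Docker or similar; and nftables rules are not persistent across reboot unless the ruleset is saved to the distribution's nftables configuration (for example /etc/nftables.conf) with the nftables service enabled. The host firewall complements, and does not replace, the network firewall and the WAF listed above.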
What if there is University-Owned Sensitive Information or the Website is considered Mission Critical?
Any process involving the collection or storage of UNC Sensitive Information must proceed through the Data Governance and Risk Assessment process. This should be done:
- Prior to beginning the data collection activity (or as soon as possible for activities that existed prior to the establishment of this process)
- Anytime there is a significant change to the method or system involved (e.g., moving from WordPress to Qualtrics)
- Anytime there is a significant change in what Sensitive Information will be collected (e.g., population changes from employee to employees and students; collecting new sensitive information elements)
When self-managing server infrastructure to support websites involving sensitive information, the following must be implemented:
- Any related servers must be added to the Systems Administrator Initiative (SAI).
- Each server must run the current Endpoint Detection and Response (EDR) agent managed by ITS Security.
- Web server logs (access and error logs) should be forwarded to the ITS Splunk instance.
As always, if there are any questions or an exception to any of the above is required, please reach out to the Information Security Office. The best way to contact us is by ServiceNow request.