NOTE: This draft has been accepted by ITCC for implementation as official policy pending any final comments.
The Smith College main web server ("WebServer") provides a highly visible and very important core service to the widest variety of Smith College community constituents. It is explicitly targeted as an essential service vehicle for many aspects of Smith's business, academic and community mission, including recruitment, community outreach, HR services, academic and administrative information and services, and emergency information dissemination in times of crisis, among others. It is clear that the credibility, integrity, availability and security of Smith's primary web server, as well as the vitality of its content, must be maintained at the highest level reasonably possible.
WebServer's host environment and content style are maintained jointly by the departments of Information Technology Services and College Relations. In response to violations of this policy, the Director of Systems and Network Services will take appropriate action as the Director deems necessary. Administration of and questions regarding this policy should be directed to the Director of Systems and Network Services in ITS. Appeals to any decisions made in enforcing this policy may be made in writing to the Vice President for Information Technology.
WebServer is intended for, and restricted to, official Smith College academic and administrative departments and organizations. It is not intended for consortial, unofficial, or other types of organizations; personal web sites; class or residence web sites; or any other web presence or service.
WebServer Administration:
- The ITS WebServer Administrator will maintain a current list of Web Site / Web Service Maintainers ("Maintainer") with current contact information. This will help when patches or updates are needed and ITS needs to contact Maintainers who may be affected, when questions or problems associated with a particular site arise, or when there is indication of a potentially successful system or service security breach.
- WebServer Maintainer accounts: A user account will be created for Maintainers for site maintenance and development. This account will expire periodically unless it is renewed; the Maintainer will be expected to verify their contact information to renew the account and keep it active.
- Transfer to a new Maintainer: The current Maintainer for a site or service should notify the WebServer Administrator when they will no longer be responsible for maintaining sites or services, and provide contact information for a new maintainer. If the Maintainer of record cannot do this for any reason, appropriate approval and verification from the site's department of a new designated Maintainer will be required.
- WebServer Environment: Every effort will be made to maintain a current and stable host environment for the content and services deployed on WebServer. As such, new or potential applications and services being considered for installation must be compatible with the extant web programming environment, including current versions of Linux, Apache, MySQL, and supported programming languages.
- Updates and Patches: Updates to WebServer systems and services will be made in a timely manner, both to reduce the security risks of running older software and services, and to provide the latest features and enhancements for the College's Web Site programmers and maintainers. The WebServer Administrator will communicate changes to Maintainers. It will be the responsibility of the Maintainer to make sure that their content and services will continue to function, be reprogrammed, or the content replaced or removed, once updates are made to the production WebServer environment.
- ITS reserves the right to take down a site or service without prior notice if it presents a notable security risk. All reasonable efforts will be made to work with the responsible Maintainer to rectify the security issues, but it will remain the responsibility of the Maintainer to remediate the risk.
- Abandoned sites and services: A web site or service whose support account has been expired for a period of 6 months will be considered abandoned. If reasonable attempts to contact the site's department or sponsor to re-establish a formally designated Maintainer for the site are unsuccessful after an additional 3 months, the site or service will be declared abandoned and will be removed from the system.
- Monitoring: The WebServer Administrator will provide for the monitoring of actual and attempted security breaches of the WebServer host system and any of its hosted services.
- Security Patches: In the event that a system or system level service has an identified security hole, a determination will be made by the WebServer Administrator, with the agreement of the Director of Systems and Network Services, to install any relevant patch, or to disable the service, depending on the relative risk and potential damage that might be caused by a successful exploit of the hole, with due and reasonable consideration of any perceived impact this may have on existing services.
- Secure Services: Any form, application or service that requires some type of authentication, or that is used to collect or transfer user information, sensitive information, or legally protected data, must utilize the encryption and security features available on WebServer to reasonably protect that information.
- Maintenance and support: Web Site / Web Service Maintainers who install or create programs, applications or services are responsible for maintaining that code or service, monitoring for and installing updates and patches as needed, and removing apps and related data that are outdated or no longer in active use.
- Best Practices: Web programmers and developers are expected to seek and adopt web programming Best Practices when developing and installing new programs or updating existing programs, particularly as they apply to the security of the service or the system as a whole. Failure to maintain existing code with these practices could result in code either becoming vulnerable to known exploits or ceasing to function when future security updates are implemented. Web content, programs and applications should only be uploaded to WebServer when they are in a production-ready state; development and testing of content, programs and third-party applications should occur in client or development environments.
- Third-party applications: Maintainers must perform due diligence by researching any potential security and maintenance issues, including short-term installation support as well as long-term support both locally and from the application's creator. The application and the application's developer must be vetted by the Maintainer for security, robustness, and support before installation.
- Similar services: If a similar community-supported service is already in place, it is preferable to utilize that service rather than implement an additional service.
- Keep informed: Application installers should routinely visit the application developer's site, join relevant mailing lists, and otherwise proactively monitor for important updates pertaining to the application.
- Information life cycle management: The information content on WebServer is expected to be maintained and kept current. Stale or outdated information should be removed by the Web Site Maintainer in a timely fashion.
- Inappropriateness: If the content or presentation of content on WebServer is deemed to be inappropriate by the Vice President for Information Technology or the Executive Director of Public Affairs, it will be blocked or removed. All content on WebServer must comply with the Acceptable Use of Computer Resources policy.
All WebServer sites and services, and all actions taken by individuals or groups within this context, must adhere to all other applicable policies and guidelines. These include but are not limited to the Acceptable Use Policies, Data and Record Handling policies, Copyright policies, Student Handbook policies, and Staff Handbook policies.
The policies below apply to all WebServer web sites:
Terms and Conditions of Use policy
WebServer / www.smith.edu: The server hosting the College's main web services platform.
WebServer Administrator: The system administrator in the department of ITS, Systems and Network Services, responsible for the maintenance of the WebServer host platform and environment.
Maintainer / Web Site Maintainer / Web Service Maintainer: The person officially responsible for the oversight of maintenance, upkeep, problem resolution, and integrity of a specific web site, web-based application, or end-user service; this could be an individual within a particular department or group, or the person with whom a particular department or group has made a formal agreement to provide such maintenance, upkeep, and site accountability.
Institutionally Sensitive Information: Any information that is not legally protected, but is considered confidential by the institution.
Personally Identifiable Information (PII): Specific types of personal information, or combinations of information, that under MA, Federal, or other applicable law constitute data presenting the risk of identity theft for financial gain, for which specific protections are mandated and penalties invoked if an unauthorized access to or release of such data, or other breach exposing such data, occurs.
Legally protected information: Similar to PII, any data that is protected by applicable local, state or federal law, such as FERPA and HIPAA, or data protected by copyright law.
Best Practices: Best practices are those methods of developing, implementing and hosting web-based content and services that are most effective in providing for the confidentiality, integrity, and availability of that site. Please see [Best Practices URL to be determined here] for additional information.