Document Control

Rev.	Author	Date	Comments
0.1	Richard Bartlett	01 Mar 2017	Interim policy approved by Director UIS and the Secretary of School

 

Purpose

Following consultation with the Secretary of the School of Clinical Medicine and the Director of University Information Services , this interim policy sets out the good practice which all units in the School should adhere to in the hosting of websites.  The policy is pending publication of a University policy on web hosting, at which point this policy will be subject to change. 

Scope

This policy covers all Institutions under the School of Clinical Medicine, and any websites which are the responsibility of that Institution, or individuals within the Institution (e.g. Principle Investigators) and which are identified as websites relating to the Institution, or part of it (e.g. a Research Group).

Requirements

1. All websites affiliated with the University should be hosted on a University server which is;
   1. Hosted on the University network, and therefore subject to the protections afforded to all hosts on the University network, and the policies which govern use of the University network
   2. Properly maintained and secured against unauthorised access or disclosure of data (maintenance to include proper configuration and updating of platform and application software)
   3. Under the authority and control of University staff who will take the appropriate action in the event of a security incident (e.g. reporting to the University Data Protection Officer and CamCERT, making changes to server configuration or in extreme cases taking the website offline)
2. Where there are barriers to using a University web hosting service (either cost, functionality or performance/capacity) a case should be made for hosting the website elsewhere, describing those barriers, how they are overcome by the alternative hosting provider. The proposal should also outline;
   1. What data the server will hold (in particular whether it will hold sensitive or personally identifiable data)
      Which geographic region the server is located in (for compliance purposes)
   2. How the server will be maintained and secured, and by whom
   3. Who (within the University) is responsible for taking appropriate action in the event of a security incident (as per 1.3 above)
3. This case would then be reviewed by the School of Clinical Medicine Information Security Oversight Committee (ISOC), in consultation with UIS Information Management, and if an exception is made, that would be documented in the minutes of that committee, and subject to review.