Security

UNH websites and web applications must be secure.  This means that the tools and practices used to create and maintain them must ensure the appropriate confidentiality, integrity, and availability of data and services that they provide.

Security Guidelines

Standards for security of UNH websites and web applications are set by the UNH Information Security Committee and are monitored by Information Security Services (ISS).

There is a critical distinction between a static website, consisting of just HTML and associated files, and a web application, whose content is generated dynamically from a database and/or code in a language such as JavaScript, PHP, Java, Ruby, Python, or others.  Websites built using a content management framework such as Drupal fall into the latter category of web applications.  Web applications may be developed in-house or acquired by UNH from a third party, either via a university-approved commercial licensing agreement or by using an open-source solution.  Any third-party solution, regardless of licensing structure and including open-source, must be vetted by Information Security Services to determine if a Security Assessment Review (SAR) is required.  Any solution determined to require a SAR must complete that process prior to implementation.

Static Websites

For static websites, the primary security concern is limiting who can add or modify those files.  In this regard, user account practices are of primary importance:

  • Do not share usernames and passwords with anyone.
  • Request administrative access to a website, web tool or UNH server for yourself or an employee using the IT Accounts Management System.
  • If a user account has not been accessed in a year, Web and Mobile Development (WMD) will make an attempt to contact the owner and may disable it.
  • If you are hosting your own site, please review the hosting standard as well as the standard on standalone websites.

Web Applications

For web applications, proper user account practices are important, but there are many additional areas of concern in relation to security.  The following is a summary of the most important points:

  • Web hosting environments and associated database systems supporting them should be maintained by experienced professionals.  For additional information on hosting, see the standard on web hosting.
  • Underlying frameworks and technologies must be updated on a regular basis, especially to install security-related patches.
  • Web applications should be tested for coding flaws before being put into production, at least annually once they are live, and after any significant revision to the application.  These flaws include SQL injection, cross-site scripting, broken authentication and authorization, and weak session control.  UNH IT provides access to the Acunetix scanning tool to check web applications.
  • Wherever possible, web applications that require users to authenticate should use UNH Authentication Services.
  • Web applications must have a designated administrator and a backup person, who are responsible for overseeing the web application and for granting the various levels of access rights to other individual users within that application.
  • Web applications that involve sensitive or restricted data per the USNH Data Classification Policy must undergo a specific security review by Information Security Services (ISS).
  • Web applications that are developed in-house should follow industry best practices such as the OWASP Top Ten guidelines.
  • The principle of least privilege should always be used in granting access rights and managing permissions in any web application.
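The two coding flaws named above, SQL injection and cross-site scripting, are easiest to recognize when the vulnerable pattern sits beside the corrected one.  The following is an added illustration, not code from this standard or from any UNH application: it seeds an in-memory SQLite database with constructed sample users (an assumption for the example), shows a lookup that builds its query by string formatting and is therefore injectable, the parameterised version that a scanner would pass, and the same before-and-after for interpolating untrusted text into HTML.

```python
import html
import sqlite3

# Constructed sample data for this example only; not UNH data.
SAMPLE_USERS = [("alice", "staff"), ("bob", "faculty"), ("carol", "admin")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """SQL injection: the user-supplied value is pasted into the SQL text,
    so a quote character in the input changes the statement's structure."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the driver passes the value separately from the
    statement, so the input is only ever compared as data."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def render_greeting_vulnerable(display_name: str) -> str:
    """Cross-site scripting: untrusted text is interpolated straight into
    HTML, so markup in the name is rendered by the browser."""
    return f"<p>Welcome, {display_name}!</p>"


def render_greeting_safe(display_name: str) -> str:
    """Escapes the value for an HTML text context before interpolation."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}!</p>"


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"          # classic tautology injection string
    print(find_user_vulnerable(conn, payload))   # every row is returned
    print(find_user_safe(conn, payload))         # [] - no user has that name
    xss = "<script>alert(1)</script>"
    print(render_greeting_vulnerable(xss))       # script tag reaches the page
    print(render_greeting_safe(xss))             # rendered as inert text
```

The same two rules carry over to PHP, Java, or any other server-side language in the list above: never concatenate untrusted input into SQL, and always encode output for the context (HTML body, attribute, URL) it is placed in.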

Security Breaches

If any UNH employee suspects a security-related incident with a website or web application, follow the Information Security Incident Response Plan.

  • Report the security incident to your manager.  If you are a manager, contact the UNH IT Service Desk and state that you are reporting an information security incident.

Support

For questions regarding security, please contact Information Security Services (ISS) or the website owner or manager.

Responsibility for Security

Website owners and managers of any websites set up on UNH servers are responsible for following security-related best practices for their websites.  All UNH employees must report security-related incidents following the Information Security Incident Response Plan. In addition, site owners and managers must comply with all relevant laws, university policies and this standard.

Violations

UNH reserves the right to remove a website or access to that website if the owner or manager does not appropriately maintain security practices.  If the site or content owner cannot be contacted or is no longer at UNH, that content will be administered by WMD and can be removed if deemed inaccurate or inappropriate. UNH also reserves the right to remove a website or access to that website if it is considered to have violated this standard or any other UNH policies.

If inappropriate security practices are reported, UNH AT or IT will contact the site owner to discuss the issue.  Unacceptable responses may cause the UNH website, web application, or server access to be suspended.

Reports regarding inappropriate security may be sent to UNH ISS.