Contact Us Search Site Index About This Site Edit Decrease text size Increase text size Georgetown University main web site Contact Us Search Site Index About This Site
spacer spacer spacer
University Information Services at Georgetown University
Faculty Help Staff Help Student Help About UIS

HOME » WEB DEVELOPMENT » POLICIES

INFORMATION SECURITY REQUIREMENTS

This web page lists requirements specifically for web sites on web hosting servers provided by University Information Services. All Georgetown University web sites are subject to the University Information Security Policy and you may have additional responsibilities under that policy. This page is intended to help you make your web site follow basic best practices in information security as required by the university.

If you are building a web site at Georgetown, please also review the list of common information security problems and solutions.

The following requirements apply to web sites that handle confidential data in any way, regardless of whether that data is stored or only transmitted and whether the data is submitted by users, provided to users, or only used internally. For purposes of these requirements, the following is a partial list of data that should be considered confidential. Other data may be considered confidential; you should consult the data steward.

  • Social Security number
  • Date or place of birth
  • Mother's maiden name
  • Credit card information
  • Bank account information
  • Driver's license number

Web sites that handle confidential data must meet the following minimum requirements:

  1. In general, web sites hosted on Georgetown web servers may not handle confidential data in any way.
  2. Your use of confidential data must be approved by the appropriate data steward as defined in the University Information Security Policy. If your office is not the data steward, this may require approval by another office, such as the Registrar for student data.
  3. The confidential data must be essential to the business process served by the web site. Never use any more confidential data than is absolutely necessary and make sure that you have considered possible alternatives. Any use of confidential data on the web represents a potential risk.
  4. All transmission of confidential data over the web must be encrypted using HTTPS. Web sites that handle confidential data must be set up to only be accessible via HTTPS.
  5. Access to confidential data must be restricted to the appropriate users. Web server NetID authentication must be used. Confidential data may not be used in applications that provide their own internal authentication. Beyond authentication, access must be restricted to specific authorized users.
  6. Confidential data may not be stored in files within the web server web root (folders that are potentially web accessible). This includes log files and other incidental uses of the data.
  7. Before it is put in production, your web site must undergo a review by the University Information Security Officer. Please note that this process may add to the time required for your project.

The security of confidential data within your web site is your responsibility as the web site owner. Please protect your users and the university by taking information security seriously. When in doubt, obtain expert advice.

 
spacer