Based on recent electronic attacks on our college’s web servers, the Engineering Network Services (ENS) and Data Analytics and Technical Infrastructure (DATI) teams of the Walter Scott, Jr. College of Engineering have developed a set of policies to secure our College’s web servers.
Our web environment is complex, from simple HTML web pages to the sites managed by our DATI team through the WordPress software package. These security policies are system-wide for every site, page, and file hosted on our servers, regardless of how a file was created.
Policies include, but are not limited to:
- Logins to all WordPress and other software system administrative login pages are restricted to the on-campus network or VPN access only.
- For any sites that require logins by non-CSU employees, e.g., conference registrations, HTTPS secure sites are required.
- Administrators of all sites and software on College web servers, including all WordPress installations, are expected to apply any available software updates in a timely manner. This includes plugin, theme, and software core updates, except where special permission from DATI or ENS is granted.
- Comments are disabled on all web sites for security and anti-spam measures, except where special permission from DATI is granted after a security review.
Vulnerabilities and administrator messages
The DATI team sends weekly e-mail messages to WordPress site administrators listing out-of-date elements: plugins, scripts, etc., which must be addressed in a reasonable time by the site administrator.
- Vulnerabilities are identified as i) important, ii) urgent, or iii) critical.
- For each of these categories, the vulnerability must be fixed within i) two weeks, ii) one week, or iii) two days, respectively.
- If the vulnerability is not fixed within the established number of days for each vulnerability, the site administrator will receive a personal e-mail message from Kelley Branson, ENS Director, indicating that the vulnerability must be fixed within the same number of days given initially.
- If it is not fixed within the second time window, the entire site will be moved behind the CSU VPN, effectively cutting off access to all non-CSU employees.
Site administration under DATI
WordPress and website administrators have the option to move their sites under the College’s WordPress umbrella, effectively moving the responsibility for security updates to the DATI team. If the site owner agrees to the move, the site will be subject to the CSU design and branding guidelines, for which the Director of Communications and communications staff will provide assistance.
Version 1.5; Implemented 2/1/2019
Dave McLean, Dean, Walter Scott, Jr., College of Engineering
Mark Ritschard, Assistant Dean
Kelley Branson, Director, Engineering Network Services (ENS)
Jim Jensen, Director, Data Analytics and Technical Infrastructure (DATI)