General Description
Purpose:
California State University, Bakersfield websites/properties are defined as those that display or use CSUB branding, logos, or the academic seal, are part of our internet name space (csub.edu), or are affiliated with a part of our organization belonging to CSUB. In order to provide the necessary protection of our brand, data, reputation, intellectual property, and records management, all websites/properties that fall under the stipulations set forth in this policy belong to CSUB and must abide by this policy.
Scope:
This policy applies to all CSUB and auxiliary websites/properties, hosted internally or externally, that are related to California State University Bakersfield and represent the campus.
These sites include but are not limited to: Schools, Units, Clubs, Departments, Affinity Groups, Sport Teams, Fraternities or Sororities, Campus Services, Faculty Web Sites, and Charitable or Governing Board Sites.
Policy/Procedure
Use of CSUB Web Content Management Systems
Information Technology Services provides a web content management system (WCMS) that complies with our campus policies. Where possible this system should be used.
If not using CSUB WCMS, then the site must be validated by Web Services and the Information Security Office.
Validation
Websites must be validated across the following domains to make sure that the site protects our campus brand and information on the site.
Web Services and Information Security will review:
- Brand Use
- Accessibility
- Security
It is the responsibility of the Dean, Area MPP, or controlling Office to comply with this policy. Sites that do not comply will:
- Be blocked – the site will be blocked at the firewall, not allowing traffic to the site.
- Have a warning or disclaimer added to them before a user can traverse to that site.
Registration
Any website relating to California State University Bakersfield must be registered with ITS Information Security Office before going live or within 60 days of the adoption of this policy. Any change to the registration information must be communicated to the ITS Information Security Office (informationsecurity@csub.edu) within 30 days.
Scanning
ITS will conduct regular scans of each registered website.
ITS will distribute the report findings to the website’s Manager, site administrator(s), MPP, and Information Security Officer no later than 5 days after the completion of the scan.
Remediation
It is the responsibility of the MPP owning the site and their site administrator(s) to maintain the security of their respective sites by taking corrective action in a timely manner in accordance with this policy. The ITS Information Security Office and the ITS Web Services group are available to assist departments with the remediation process.
Website owners and administrators must correct any Critical or High-level findings within 30 days of being notified of the finding. If a corrective action is not available for the finding, appropriate mitigations must be vetted and documented by the Information Security Office and implemented by the appropriate administrator. Any exception to this policy will require a written waiver from the Information Security Officer.
Additional Requirements
All websites must meet basic accessibility requirements as outlined by the CSUB Web Accessibility Statement.
Any website that collects data must protect that data in accordance with the Information Security Privacy of Personal Information Policy.
Review (Frequency and Process)
This policy shall be reviewed annually by the Associate Vice President & CIO or a designate and provided to the Vice President Business and Administrative Services for approval and then to Cabinet for final approval.