Web Server Policies and Procedures

- It is highly recommended that the Chief Information Officer formally approve the content and operation of any Web server to be connected to any organization system.

- Any and all Web site content and features must be approved and installed by the organization's Webmaster.

- Under no circumstances will sensitive information be made available on any company Web site internally or externally accessible.

- All enterprise Web sites must be reviewed, vetted, and approved in the same fashion as officially released reports or other outside correspondence.

- At all times, copyrights will be protected and observed.

- The Web server is to be administered only from its own console. Logging on to the Web server from any other device is not permitted, and the server's software must be configured to enforce this.

- Systems administrators, firewall administrators, and Webmasters are to report any and all attempts to gain unauthorized access to the Web server located on either the Internet or internal intranet.

- Incoming packet traffic will be scanned and connections to unapproved Web sites will be immediately reported to senior managers.

- Systems maintenance will include the installation of operating systems and applications patches.

- Senior administrators and Webmasters are responsible for change management. Any and all changes must be justified, documented, and submitted to a thorough quality control process before installation.

- Senior administrators and Webmasters are responsible for monitoring system performance, taking appropriate security measures, and ensuring Web sites reflect the highest quality standards.

- Implementation of Common Gateway Interface (CGI) scripts will be strictly monitored and controlled.

- To avoid buffer overflows, systems developers must bound all accepted data to the buffer sizes they have defined. To avoid CGI vulnerabilities, regular testing will be performed and appropriate security measures taken.

- All user input to any Web site, internal and external, will be filtered for appropriate content.

- Where third-party applications interact with programs whose buffers do not check incoming data for correctness, those applications must be monitored and patched appropriately.
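The three preceding items (bounded buffers, filtered user input, and programs whose buffers do not check incoming data) are shown together below in one added C example; it is not code from this policy page or from any particular organization. It reads one CGI query-string parameter into a fixed-size buffer, refusing values that would not fit and values containing characters outside an allow-list. The names `read_param`, `is_allowed_value`, `NAME_MAX`, the `param_status` codes and the sample query strings are all constructed for this example.

```c
/* Added example: a bounded, allow-listed reader for one CGI query-string
 * parameter. All names and sample inputs are constructed for illustration. */
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

#define NAME_MAX 16   /* the buffer size is fixed and known before any data arrives */

enum param_status {
    PARAM_OK = 0,
    PARAM_MISSING = 1,
    PARAM_TOO_LONG = 2,
    PARAM_BAD_CHAR = 3
};

/* Content filter: accept only letters, digits, '-' and '_' (an allow-list,
 * so anything not explicitly permitted is rejected). */
static int is_allowed_value(const char *s)
{
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (!(isalnum(c) || c == '-' || c == '_'))
            return 0;
    }
    return 1;
}

/* Find key=value in a raw QUERY_STRING such as "a=1&b=2" and copy the value
 * into out (capacity out_size). The copy length is limited by out_size, not by
 * the length of the untrusted input, so an oversized value is refused instead
 * of overrunning the buffer. On any rejection, out is left empty. */
enum param_status read_param(const char *query, const char *key,
                             char *out, size_t out_size)
{
    size_t keylen = strlen(key);
    const char *p = query;

    out[0] = '\0';
    while (p && *p) {
        const char *end = strchr(p, '&');
        size_t seglen = end ? (size_t)(end - p) : strlen(p);
        if (seglen > keylen && strncmp(p, key, keylen) == 0 && p[keylen] == '=') {
            const char *val = p + keylen + 1;
            size_t vallen = seglen - keylen - 1;
            if (vallen >= out_size)          /* must leave room for the terminator */
                return PARAM_TOO_LONG;
            memcpy(out, val, vallen);
            out[vallen] = '\0';
            if (!is_allowed_value(out)) {
                out[0] = '\0';
                return PARAM_BAD_CHAR;
            }
            return PARAM_OK;
        }
        p = end ? end + 1 : NULL;
    }
    return PARAM_MISSING;
}

int main(void)
{
    char name[NAME_MAX];
    /* Constructed sample query strings, one per outcome. */
    const char *queries[] = {
        "user=alice&lang=en",
        "user=this_value_is_far_too_long_for_the_buffer",
        "user=<script>",
        "lang=en",
    };
    for (size_t i = 0; i < sizeof queries / sizeof queries[0]; i++) {
        enum param_status st = read_param(queries[i], "user", name, sizeof name);
        printf("%-50s -> status %d, value \"%s\"\n", queries[i], (int)st, name);
    }
    return 0;
}
```

The design point is that the caller passes the buffer's real capacity and the function never trusts the input's own length; a value that does not fit is reported as `PARAM_TOO_LONG` rather than truncated silently, and a value that fails the allow-list is discarded rather than handed on partly cleaned.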
