University Information Technology Services
Webserve Service Agreement
Webserve comprises a web hosting service and several subservices, described at http://webmaster.iu.edu/. To be entrusted with a Webserve service account, users of the Indiana University computing networks must accept certain responsibilities and agree to use their accounts in accordance with certain standards.
To request any service account you must have agreed to the terms of the Institutional Data Acceptable Use Agreement (https://ams.iu.edu/UserAgreements/Agreement.aspx). This agreement supplements the Institutional Data Acceptable Use Agreement by addressing the unique aspects of the Webserve service.
Information Governance Explained
The following roles apply to Webserve data and information.
Webserve service account owner: These are faculty and staff members who have been assigned a Webserve service account as a result of a request for a new account or have accepted the transfer of an existing Webserve service account to them. The Webserve service account owner is responsible for ensuring all Policies and Laws listed in the Institutional Data Acceptable Use Agreement are followed.
Webserve service account user: These are faculty and staff members who have been granted access to Webserve service account resources by the Webserve service account owner. The Webserve service account users are also responsible for ensuring all Policies and Laws listed in the Institutional Data Acceptable Use Agreement are followed.
Information Classification Explained
Only Public and University-internal data is suitable to be stored in a Webserve service account file system or database. Restricted and Critical data cannot be stored in a Webserve service account file system or database. For definitions of Public, University-internal, Restricted, and Critical data see Classifications of Institutional Data (http://datamgmt.iu.edu/classifications.shtml). In addition, federally and state protected data, human subjects research data, and passwords cannot be stored in a Webserve service account file system or database. For more information about data classifications see "What is sensitive data, and how is it protected by law?" (http://kb.iu.edu/data/augs.html).
The following points detail your responsibilities as you access, use, or handle information or information technology (IT) at IU.
You agree to:
- Secure the Webserve service account. Limit distribution of passwords to only the users who require access. Change the password whenever anyone who knows the password leaves. When possible, use the Siteshare subservice to grant access to the service account file space to service account users.
- Before giving a user the password, ensure the user agrees to the terms of the "Institutional Data Acceptable Use Agreement" and this document.
- Ensure file and database permissions are secure. No directory should be world-writable. No database login should have permissions greater than absolutely necessary.
- Request a web application security scan prior to adding any software in the account and rescan after any change.
- Scan in the Webserve test environment to avoid adversely impacting your application and Webserve users.
- See http://protect.iu.edu/tools/scanners/web to request a scan and for related information.
- Ensure file uploads only occur in directories without execute permissions.
- Use secure programming practices such as ensuring web requests are checked for threats such as SQL injection and cross-site scripting before being processed and ensuring forms are protected from bot posting.
Failure to comply with these standards will be dealt with seriously, and may result in service account lockout – the removal of web and account owner access. Minor violations will be reported to the service account owner so they can address the problem. More serious violations, or failure to address minor violations, will result in account lockout. Restoring access in the event of a lockout will be addressed on a case-by-case basis depending on the violation.
The Webmaster team, WebTech team, UISO, and UIPO reserve the right to access the service account file space and database for troubleshooting purposes. The service account owner will be informed of any changes made. Although most violations will be addressed by permission changes, other changes could be made if warranted.
To be entrusted with access to Indiana University data and information, and access to IT accounts, systems, and applications, new or continuing faculty or staff employees must accept these responsibilities and standards of acceptable use. By accepting these terms, you agree to follow these rules in all of your interactions.
If you choose not to accept these standards of behavior, you may be denied access to the Webserve service and any of its subservices.