Applicable To: 

Duke University

Duke Health

Version 2.0


Duke University Chief Information Security Officer

Duke University Vice President for Public Affairs and Government Relations

Duke University Health System Chief Information Security Officer


Duke has a longstanding practice of using websites to communicate, share information and transact business with internal and external constituents. Over the years, Duke’s web presence has grown to include:

  • Institutional websites including and

  • Websites involved in e-commerce or other sensitive data

  • School, center, institute and departmental websites (such as

  • Individual or project-oriented websites

These websites can be hosted at Duke or with external hosting companies. External hosting providers should be reviewed by Duke’s Web Governance Group and/or the Duke Health Information Security Office (ISO) before use. Website support responsibilities may range from full support by a Duke web hosting group or a third party to best effort by a faculty, student or staff member.

Duke websites present a very viable risk to the university and can provide an avenue of attack against other Duke systems. There is a direct relationship between website compromises and unpatched web environments and associated servers.

Duke's Web Governance Group is charged with providing strategic direction and guidance for Duke's web presence and infrastructure. It includes representatives from the IT Security Office, Office of Information Technology, Duke Public Affairs and Government Relations, and other schools, departments and campus units.

In an effort to improve the security of all Duke’s websites, the IT Security Office (ITSO), Office of Information Technology (OIT) and Duke's Web Governance Group have developed guidance and options for those managing websites at Duke.


This policy applies to Duke-affiliated websites and web applications maintained either on the Duke network or with a third-party (external) hosting provider and to internal or third-party developers responsible for building or maintaining Duke websites.


Website Categories

Websites at Duke are grouped into four general categories. Duke's Web Governance Group, in consultation with the website owner and the ITSO, will determine categorization of a particular website.

  1. Institutional: Websites that are highly visible, provide institutional services or carry a higher level of scrutiny (e.g., and main navigation/landing pages).
  2. Sensitive Data: Websites that are dealing with sensitive data in some manner (e.g., credit card processing, protected research data).
  3. School/Department: Websites that are more focused on a particular group (e.g., a school, department, institute).
  4. Individual: Websites that have a smaller audience or smaller scope by nature (e.g., a personal or course website, or a website set up to provide details on a research project) and are not hosted by central services.

The Web Governance Group can assist website owners in determination of the appropriate category as needed.

The following table outlines the requirements for each category of websites:

RequirementsInstitutionalSensitive DataSchool/DepartmentIndividual
Hosted byOIT, DHTS, approved 3rd partyOIT, DHTS, Protected Network or approved 3rd partyOIT, DHTS, School, approved 3rd partyAny
Developed ByDHTS, Duke Web Services, School, approved 3rd partyDHTS, Duke Web Services, School, approved 3rd partyDHTS, Duke Web Services, School, approved 3rd partyAny
AuditAnnual sample of websitesAnnual sample of websitesAnnual sample of websitesAnnual sample of websites
Typical Patching Requirement 1

Duke University: Within 72 hours

Duke Health: Refer to DUHS

Duke University: Within 72 hours

Duke Health: Refer to DUHS

Duke University: Within 1 week

Duke Health: Refer to DUHS

Patch Management Standard

Duke University:

Within 2 weeks


Duke Health: Refer to DUHS Patch 



Compromise Quarantine 2ImmediateImmediateImmediateImmediate
Risk Acceptance

Senior University Leadership/Privacy and 

Security Steering Committee

Senior University Leadership/Privacy and 

Security Steering Committee

Maintenance Contract & RecoveryRequired contract defining ongoing maintenance responsibility by vendor, and recovery costs/timelines; recovery requiring institutional intervention will be tracked and monitored and may incur costsRequired contract defining ongoing maintenance responsibility by vendor, and recovery costs/timelines; recovery requiring institutional intervention will be tracked and monitored and may incur costsRequired contract defining ongoing maintenance responsibility by vendor, and recovery costs/timelines; recovery requiring institutional intervention will be tracked and monitored and may incur costsN/A

Patching timeframes may be accelerated at the ITSO’s discretion for more severe exploits. In those cases, the ITSO will communicate accelerated patch requirements via campus communication channels including the security liaisons email list at

A compromised website will be quarantined by the ITSO (i.e., taken off the public-facing Internet) until the compromise is addressed and the ITSO authorizes the website’s reinstatement. A website may also be quarantined if patching requirements are not met.

Website Development and Hosting

Duke University websites in the Institutional, Sensitive or School/Department categories must be hosted and/or developed by vendors who have met Duke standards for security and design and have been approved by Duke's Web Governance Group.

Many pre-approved options are available to the Duke community for developing, hosting and managing websites, including:

  • Development and hosting by Duke Web Services ( and the Office of Information Technology (OIT), which provides a centralized web hosting environment that includes complete management of the web server and content.

  • Development and hosting by DHTS Web Services (

  • Development and hosting by school-managed web hosting and development services, in conjunction with local IT support.

  • Partnering with an approved third-party hosting provider or web developer, in consultation with Duke's Web Governance Group.

  • Self-service development and administration (with options outlined below, including sites residing on a school/department or OIT-managed web server and/or using a service such as Duke WordPress (

Websites often have multiple layers with different responsibilities at each layer. Layers may include the operating system (OS), web server software, and a content management system like Drupal or WordPress (CMS). Websites at Duke are expected to have an identified administrator at all layers. A website administration (referred to below as the customer) may include the data or content owner or the individual responsible for coordinating the implementation of the website.

The following table outlines responsibility for ongoing patching and maintenance of each layer/component of a Duke website:

If hosted by:Operating SystemWeb Server SoftwareContent Management SystemContent
OIT (with support option)OIT web hostingOIT web hostingCustomer or hired developerCustomer
3rd-party vendor (e.g. or hired developerCustomer
Schools/departmentsSchool ITSchool ITSchool IT or CustomerCustomer
Sites @ DukeOITOITOITCustomer

When a developer is hired to build a website, the contracting unit must ensure that arrangements have been made to provide ongoing support, especially for addressing security vulnerabilities and patching of the content management system.

Hosting or developing a website with a 3rd party outside of Duke does not absolve the Duke website owner of their responsibility to keep the website patched.

Requirements for Website Owners / Administrators

Duke websites must follow the requirements documented in the Duke Web Security Standards. In particular, website owners and administrators should focus on the following requirements during initial setup and for ongoing maintenance:

  • Use only supported and up-to-date software that is actively maintained by an established, reputable vendor (e.g., Microsoft, Oracle) or open-source community (e.g., Drupal, WordPress).
  • Use Duke's Shibboleth service for website logins unless prior approval has been granted by the ITSO. For information on implementing Shibboleth, visit If, for some reason, you cannot use Duke's Shibboleth service to authenticate users, ensure that you have configured your authentication mechanisms to occur over HTTPS and file an exception with the ITSO.
  • Monitor the various security lists for software installed on or supporting the website to receive notification of security updates.
  • Apply security updates to the operating system, web server (e.g., Apache), and CMS (e.g., Drupal) as they become available and in compliance with the patching timeline requirements.
  • Apply the hardening standards from the Duke Web Security Standards. If a site uses a technology not included in the Duke Standard, the site administrator is responsible for working with the ITSO to determine and follow appropriate security measures.
  • Those running a Drupal or WordPress site will be required to install a Duke-developed security plugin, which will report the CMS and plugin versions to the site owner and ITSO. For installation guidelines, consult the Duke Web Security Standards wiki.
  • Any work being done through a third-party or internal organization requires a minimum service-level agreement of 10 hours per year. Due to the changing nature of the web and the need for version and security upgrades on our preferred platforms, site owners need to ensure there is budget and calendar time available for application of security patches in compliance with the stated timeframe requirements.
  • For Duke Health web sites, use only approved Duke Health branding, including logos, as well as web page headers and footers (such as footers including legal and compliance notices, such as HIPAA and GDPR).

Requirements for External Vendors

All external vendors must:

  • Go through a vendor risk assessment with the IT Security Office.
  • Comply with PCI requirements if taking credit card payments (see below).
  • Include specific security and patching requirements in contract and/or a Service Level Agreement (SLA).
  • Include Duke's Data Security Agreement (DSA) in the contract where aplicable.
  • Participate in monthly vulnerability scanning through the ITSO and remediate the issues reported in compliance with the patching timeline stated above.

Websites Processing Electronic Payments (PCI Compliance)

Any Duke-affiliated website wishing to take electronic payments must first contact Duke's E-Commerce office ( for approval. Websites taking credit card payments must:

  • Be hosted at Duke or with a hosting provider meeting PCI's Level 1 compliance requirements.
  • Utilize DukePay (delivered via CyberSource).
  • Have a plan to address the requirements for website administration and external vendors.
  • Register the website with the E-Commerce office for quarterly PCI vulnerability scanning and remediate the issues reported in compliance with the patching timeline stated above.


Any person who is responsible for a Duke-related website consents to the policies outlined above. Website owners have a responsibility for the security of their websites. Violations of the policy may result in the loss of usage privileges, administrative sanctions (including termination or expulsion) as outlined in applicable Duke University disciplinary procedures. These policies are subject to review and audit by Duke's Office of Internal Audit.


All owners and administrators of Duke websites are responsible for implementing the policies described in this document.

Review Frequency: Annually

Updated: 7-August-2019


Duke Security Website

Duke E-Commerce Office:

Duke Acceptable Use Policy

Duke Web Security Standard

Duke Vulnerability Management Policy

Document Type: Policy