Websites involved in e-commerce or other sensitive data
School, center, institute and departmental websites (such as trinity.duke.edu)
Individual or project-oriented websites
|Hosted by||OIT, DHTS, approved 3rd party||OIT, DHTS, Protected Network or approved 3rd party||OIT, DHTS, School, approved 3rd party||Any|
|Developed By||DHTS, Duke Web Services, School, approved 3rd party||Any|
|Audit||Annual sample of websites||Annual sample of websites|
|Typical Patching Requirement*||Duke University: Within 72 hours; Duke Health: Refer to DUHS||Duke University: Within 1 week; Duke Health: Refer to DUHS Patch Management Standard||Within 2 weeks; Duke Health: Refer to DUHS Patch Management Standard|
Senior University Leadership/Privacy and Security Steering Committee
|Maintenance Contract & Recovery||Required contract defining ongoing maintenance responsibility by vendor, and recovery costs/timelines; recovery requiring institutional intervention will be tracked and monitored and may incur costs||N/A|
Website Development and Hosting
- Development and hosting by DHTS Web Services (https://webservices.dhts.duke.edu/).
- Development and hosting by school-managed web hosting and development services, in conjunction with local IT support.
- Partnering with an approved third-party hosting provider or web developer, in consultation with Duke's Web Governance Group.
- Self-service development and administration (with options outlined below, including sites residing on a school/department or OIT-managed web server and/or using a service such as Duke WordPress, https://sites.duke.edu).
|If hosted by:||Operating System||Web Server Software||Content Management System||Content|
|OIT (with support option)||OIT web hosting||OIT web hosting||Customer or hired developer||Customer|
|3rd-party vendor (e.g. hosting.com)||Customer||Customer||Customer or hired developer||Customer|
|Schools/departments||School IT||School IT||School IT or Customer||Customer|
|Sites @ Duke||OIT||OIT||OIT||Customer|
Requirements for Website Owners / Administrators
Duke websites must follow the requirements documented in the Duke Web Security Standards. In particular, website owners and administrators should focus on the following requirements during initial setup and for ongoing maintenance:
- Use only supported and up-to-date software that is actively maintained by an established, reputable vendor (e.g., Microsoft, Oracle) or open-source community (e.g., Drupal, WordPress).
- Use Duke's Shibboleth service for website logins unless prior approval has been granted by the ITSO. For information on implementing Shibboleth, visit https://idms-web.oit.duke.edu/spreg/sps. If, for some reason, you cannot use Duke's Shibboleth service to authenticate users, ensure that you have configured your authentication mechanisms to occur over HTTPS and file an exception with the ITSO.
- Monitor the various security lists for software installed on or supporting the website to receive notification of security updates.
- Apply security updates to the operating system, web server (e.g., Apache), and CMS (e.g., Drupal) as they become available and in compliance with the patching timeline requirements.
- Apply the hardening standards from the Duke Web Security Standards. If a site uses a technology not included in the Duke Standard, the site administrator is responsible for working with the ITSO to determine and follow appropriate security measures.
- Those running a Drupal or WordPress site will be required to install a Duke-developed security plugin, which will report the CMS and plugin versions to the site owner and ITSO. For installation guidelines, consult the Duke Web Security Standards wiki.
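The HTTPS requirement above, as an added example (not Duke's own configuration): an Apache httpd virtual-host pair that serves nothing over plain HTTP, forces every request to HTTPS, sends HSTS, and places the site's administrative area behind the Shibboleth SP. It assumes mod_ssl, mod_headers and the Shibboleth SP module (mod_shib) are installed and that the SP has already been registered with Duke; the hostname `www.site.example`, the certificate paths and the `/admin` path are placeholders.

```apache
# Added example; hostname, certificate paths and /admin are placeholders.

# Weak setting: a port-80 vhost that serves the login form itself sends
# credentials and session cookies in the clear. Do not do this:
#   <VirtualHost *:80>
#       DocumentRoot /var/www/site
#   </VirtualHost>

# Corrected: port 80 only issues a permanent redirect to HTTPS.
<VirtualHost *:80>
    ServerName www.site.example
    Redirect permanent / https://www.site.example/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.site.example
    DocumentRoot /var/www/site

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.site.example.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.site.example.key
    # Refuse the protocol versions that are no longer considered safe.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Browsers that have seen this header will not fall back to HTTP.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # The SP's own handler (/Shibboleth.sso) must stay reachable
    # without a session so the SAML exchange can complete.
    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>

    # Everything under /admin requires a Shibboleth session, so the
    # credential prompt is the Duke IdP's, never a form on this host.
    <Location /admin>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require valid-user
    </Location>
</VirtualHost>
```

For a CMS, protect its own login and administration paths the same way (for WordPress that is `/wp-login.php` and `/wp-admin/`). If an ITSO exception allows a local login form instead of Shibboleth, the two vhosts above still apply: the form and its POST target must only ever be reachable through the port-443 vhost.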
Any work being done through a third-party or internal organization requires a minimum service-level agreement of 10 hours per year. Due to the changing nature of the web and the need for version and security upgrades on our preferred platforms, site owners need to ensure there is budget and calendar time available for application of security patches in compliance with the stated timeframe requirements.
For Duke Health websites, use only approved Duke Health branding, including logos and web page headers and footers (for example, footers carrying legal and compliance notices such as HIPAA and GDPR).
Requirements for External Vendors
- Go through a vendor risk assessment with the IT Security Office.
- Comply with PCI requirements if taking credit card payments (see below).
- Include specific security and patching requirements in contract and/or a Service Level Agreement (SLA).
- Include Duke's Data Security Agreement (DSA) in the contract where applicable.
- Participate in monthly vulnerability scanning through the ITSO and remediate the issues reported in compliance with the patching timeline stated above.
Websites Processing Electronic Payments (PCI Compliance)
- Be hosted at Duke or with a hosting provider meeting PCI's Level 1 compliance requirements.
- Utilize DukePay (delivered via CyberSource).
- Have a plan to address the requirements for website administration and external vendors.
- Register the website with the E-Commerce office for quarterly PCI vulnerability scanning and remediate the issues reported in compliance with the patching timeline stated above.
Review Frequency: Annually