Reducing Risk for Web Properties

The Reducing Risk for Web Properties Initiative is focused on developing a robust set of standards and policies in order to make sure that these websites and applications stay secured against malicious exploits, as determined by security standards, hosting standards, and website registration guidelines, keep at a baseline level of ADA accessibility, and follow University standards for the use of University domain names.

The initiative has completed an upgrade of the platform hosting key web properties and continues to remediate and retire platforms as needed. Additionally, IT Services has established a team to form the Center for Digital Accessibility, which will support unit IT partners on campus in improving the ADA accessibility of their web properties. The Center for Digital Accessibility has worked with a vendor to complete an accessibility assessment of the University’s key web properties. The team is currently reviewing the assessments and will work with site owners to determine appropriate remediation plans.

Further, University Communications and IT Services worked together to revise and develop streamlined, policy-friendly web development choices. This website, the UChicago Website Resource Center, provides valuable information to help campus community members set up a new website or update an existing website.

What website risks are the University trying to prevent?

The University has more than 5,000 web properties. (A web property is any website or web application delivered through a browser interface that is owned or controlled by the University or operated by or on behalf of the University.) These pose risks, including:

• Out of date and poorly maintained software that is vulnerable to attack
• Concerns about accessibility for users who have visual, auditory, motor, or cognitive disabilities.
• Web properties with unknown owners, leading to problems when security and accessibility issues arise.

The University is committed to making its web properties accessible to the widest possible audience, regardless of technology or ability. Moreover, it has an interest in ensuring that University of Chicago web properties are managed in a secure and professional manner. These policies ultimately require more vigilance and action from site owners. Support for this work is provided in two forms:

• The Center for Digital Accessibility can assist site owners with the evaluation of their web properties and materials and can translate what the practical and measured effort needs to be. Many site owners will have accessibility concerns, but they can be addressed incrementally.
• The University Information Security team can translate security requirements into practical and reasonable next steps. Not everyone will have security concerns that need to be addressed, especially if they are using a University-provided platform.

What are the policies and standards in this area?

The Web Properties Policy and Digital Accessibility Policy require that websites owned or operated on behalf of the University be secure, accessible, registered, and follow rules for domain name selection. Websites that are used for University business, even if they don’t bear a UChicago domain name, are subject to this policy.

The standards describe how websites can secure, accessible, registered, and follow rules for domain name selection.

If you don’t find answers to your questions, contact:

• itrisk@uchicago.edu for security,
• digitalaccessibility@uchicago.edu for accessibility,
• webhelp@uchicago.edu for registration and domain name questions.

I’ve read the standards for accessibility. How do I know if my materials and websites are accessible? If they aren’t accessible, how do I fix them?

The Center for Digital Accessibility (CDA) was developed to assist UChicago faculty and staff with their website questions. To get started, view the CDA’s FAQ.

Does every unit need to report periodically to the central administration that all of their web servers follow the standard?

Yes. The broad goal is to make sure University websites adhere to a standard that reduces risk. To demonstrate that this goal is being accomplished, every website needs to be accounted for. Similar to data centers and end-user devices, a system and standard needs to exist where measurement is possible. Because of the timing of prerequisites for each of the initiatives, the work for websites and applications will begin after end-user device efforts are further along.

Does this policy include the fourth- and lower-level domain names? e.g., www.lib.uchicago.edu

Yes. Websites such as www.lib.uchicago.edu or catalog.law.lib.uchicago.edu (which have four or five parts to their name) present equal exposure to risk and will be part of the accounting.
A quick survey of owners of these types of sites verified that these are regular websites, web applications, or are temporary sites for testing purposes. These are the same types of uses (and associated risk) seen in more commonly named sites, e.g. ssd.uchicago.edu.

In this case, each unit’s technology staff would be approached for a listing of sites and registry answers in bulk to reduce the administrative burden for registration. The goal would be to work with the unit technology staff to gather and generalize answers where it makes sense so that the data-gathering isn’t onerous, but is sufficient to make sure best practices are being followed.

If an incident were to occur, security would engage the unit’s technology staff to resolve matters.

If fourth- and lower-level domain names must be registered, does the registration include the web server information (machine, OS, web framework version number)?

Generally speaking, the registry asks for the website owner, content maintainer, technical lead, department affiliation, software platform (e.g. type of content management system, programming language), and hosting details (e.g. in a campus data center, in a cloud service).

The goal is to ask for sufficient information to better understand where the risk might be, while not going into needless detail. For example, when several major Drupal exploits were announced several years ago, a concerted effort was made to assist those running on this platform. The lack of available data on websites made it difficult to notify and assist in advance, and several sites were compromised and had to be rebuilt.

How do I make my course materials accessible for all, when it would seem I’d need to reduce my materials for everyone?

For support in creating accessible course material, the current guidance is:

• If an accommodation is requested, an effective alternative needs to be provided, but one that is arrived at through discussions with Student Disability Services and the instructor, and one that does not impose an undue burden.
• If your course materials contain items that are not straightforward to make accessible, make sure that they are hosted privately (e.g., on Canvas, or a system requiring a University-provided login). Faculty can consult with Student Disability Services or the Center for Digital Accessibility for further help on how to approach these situations so that faculty can revise their materials.

Now that the policy is revised and support services are in place, what’s next?

The University needs to ensure that its websites are following the best practices set out by the policy. University Information Security, University Communications, and the Center for Digital Accessibility will regularly report on university web properties, and these reports will be shared with senior leadership and the Provost’s office.