Reply To: Department Web Hosting SLA

#111
tbui
Keymaster

@erooney:

2.1:
HTTPS should be a standard by which ALL UNM content is served. The service should include HTTPS by default.

[DONE, v2.0] Agreed. This will be added to 2.1. I believe that the current cPanel architecture has this already.

2.1.1 bullet 2:
Ensuring that the hosted web sites are secure and updated is a shared responsibility with end users responsible for things like secure code and keeping WordPress installations up-to-date and web infrastructure security a responsibility of the hosting provider.

[DONE, v2.0] Agreed. My proposed new language: “Ensure that hosted websites’ code, content, and installed web apps (such as WordPress) are secure and updated (compromised websites because of code, content, and/or installed web apps will be shut down at UNM IT’s discretion);”

2.2.2: The calculation for availability is vague. There should be specifics on the exact calculation used when determining availability.

Are network outages or degradation, as an example, part of the service and accounted for in the calculation? Are those outages part of the web service or excluded from the calculation?

Example:
YEARLY UPTIME CALCULATION = [(hours service up) / ((365.25*24) – (hours down for scheduled updates and maintenance[1]) – (hours down for emergency security updates[2]))] * 100

[1] Scheduled updates and maintenance are posted at least 7 days prior to the update or occur during UNM IT’s scheduled maintenance windows described here: http://it.unm.edu/availability/index.html

[2] Patches and updates that are flagged as “critical” or higher by the vendor may be installed outside of the scheduled maintenance windows.

I think you should join our Agreements (SLAs, Standards) Review Team at IT. I will bring this back to IT Agreements for review.

3.2 bullet 8: This provision risks deleting code or work product that a department may have on cPanel servers if their backup was performed prior to the cPanel snapshot reversion. A customer could be performing backups at reasonable intervals and still be harmed by this provision of the SLA. Will UNM IT notify users when a snapshot reversion will take place allowing users to make backups?

Agreed, but as a complete restore from a snapshot is only done as a last measure to restore service, I am not certain if informing Users of the restore would help Users to do backups if the service is unavailable.

3.3 bullet 5: A department could store or host sensitive info on a non-UNM IT hosted service through a UNM IT hosted web site that would violate the spirit of this item.

I think that we are missing a bigger opportunity here where we could leverage enterprise web infrastructure, services and data (including existing institutional data assets) to allow departments to more securely collect and store sensitive information that may exist elsewhere on campus (Banner, ODS, etc.). It seems like a UNM enterprise service web service should strive to provide this environment where the end-goal is less duplication, better security, and a better understanding by the enterprise about where we are housing and storing, potentially, sensitive data.

Agreed. This is in planning – to make a more secure and restricted environment in which websites/web applications that touch sensitive data (such as Banner) can be hosted. This is a popular request, and IT will make reasonable efforts to accommodate this request.

  • This reply was modified 8 years ago by tbui.