We understand that there are occasional situations where exceptions to the web governance structure are required and full adherence to this policy could delay business-critical initiatives or could increase costs. These need to be assessed on a case-by-case basis. If you are hosting a service on campus that requires continuous access from off campus, e.g. a website or web application, please review the Website Hosting Request Exception Process and complete the Website Hosting Exception form.
Types of exception
The following scenarios are examples of typical web hosting exception requests:
- The need to host public-facing web servers outside the Cascade CMS system.
- Exceptional cases where the work of NMSU researchers requires persistent network connections between NMSU and off-site resources.
- Special interactive and transactional sites, specifically where persistent connections are required.
Please note all exceptions are carefully screened to prevent unnecessary exceptions, which create cyber threat vulnerabilities and/or fraudulent activities.
Process
If you are hosting a service on campus that requires continuous access from off campus, e.g. a website, please complete the Website Hosting Exception form.
In order to cater for these exceptions, the following process has been implemented:
- The originator of the exception request needs to document the rationale for the exception and submit the form to the Executive Digital and Web Governance Committee for review.
- If approved by the Executive Digital and Web Governance Committee, the exception request will be submitted to the Chancellor’s Office for documentation and then routed to Systems Administration in ICT to process the application. If additional information is required, this will be requested from the System Administration. Additional documentation may be required. Exception requestors may be required to complete a Risk Acceptance form determined by the ICT Chief Information Officer.
Note: Because technologies change, the rationales for exceptions will also change over time. Therefore, all exceptions will be granted with a review period of a maximum of 12 months to decide whether they should continue to be exceptions.
Exceptions are carefully screened to prevent unnecessary exceptions, which create cyber threat vulnerabilities and/or fraudulent activities. Serious threats include ransoming user data, stealing sensitive employee and student information, and stealthily commandeering systems to launch further attacks. When evaluating exception requests, these security risks are a critical factor in determining which exceptions are granted and denied.
Guidelines
A web server may qualify for registration outside the Cascade CMS web hosting environment if:
- The site is commercial in its operation and hosting it on a centralized CMS would breach conditions of use
- The website is developed as part of the core business processes of a unit
- The system is a ‘sandbox’ learning or experimental environment
- Technology constraints limit the ability of the site to be compliant, e.g. incompatibility with standard software or hardware used for research purposes
- The application requires persistent connections, either technical or in terms of usability.
Where an exception is approved, a ‘system custodian’ must be appointed who will ensure compliance with NMSU’s Information Systems Security policies and guidelines.
General exception criteria:
- Time criticality – the site needs to be implemented by a deadline, e.g. the start of a new academic year, and cannot be made compliant by that date
- Resource prohibition – the cost or effort required to make the site compliant would outweigh the business benefits, thereby destroying the business case for the initiative.
General criteria for approval:
- Maintenance – Approved externally-hosted websites are the sole and permanent responsibility of the sponsoring unit/department including all expenses associated with their creation and maintenance.
- Security – the sponsoring unit/department is responsible for keeping critical software updates and malware protection up to date for all network accessible devices that are administered.
- Review – all servers on campus will be subject to an initial vulnerability scan followed by routine scheduled scans; critical vulnerabilities identified by these scans must be remediated immediately to obtain and retain the exception.