UIS.501.6 Website Hosting Guidelines

In support of UIS.501 Vendor Security Policy

Georgetown University Information Services (UIS) is ensuring that all third-party cloud hosting vendors are approved and authorized for any cloud hosting services, Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS) or any other option of hosting services.  Website hosting vendors must go through technical review and approval process before employing its services or gaining access to University technology assets, data, systems, servers, and networks. 

Any website hosting services obtained from technology vendors for the purposes of University business must meet UIS minimum security requirements and abide by the applicable policies and guidelines associated with UIS vulnerability management, data privacy and handling and protection, and configuration management. 

Website Hosting Security Requirements  

  1. University Information Services (UIS) reserves the right to define, document, and audit how third-party website hosting services comply with information security controls and requirements. 
  2. Agreements with third-party technology vendors for information systems must include the following for technical review with UIS and the Office of Procurement:  
    • The course of action and remedy if the third-party technology vendor’s security controls are inadequate such that the security, confidentiality, integrity or availability of the University’s data cannot be assured.
    • The third-party technology vendor’s ability to provide an acceptable level of security, service and/or support during contingencies or disasters or failures. 
  3. UIS must ensure that the SLA includes requirements for regular monitoring, review, and auditing of the service levels and security requirements as well as incident response and reporting requirements. The SLA must state how the third-party technology vendors is responsible for data stored or shared with the provider.
    • UIS performs monitoring, review, and auditing of services to monitor adherence to the SLA and to identify new vulnerabilities that may present an unreasonable risk. 
    • UIS enforces compliance with the SLA and must be proactive with third parties to mitigate risk to a reasonable level. 
    • Changes to an SLA and services provided must be controlled through formal change management that established in Change Management Guidelines.
  4. Contracts with technology vendors providing website hosting services must require the vendor to provide the University with an annual third-party risk assessment report to establish compliance with the University information security policies.
  5. Technology vendors must ensure that any layers of operating systems, web server, databases, application programming language, application software and any application plugins are compliant with security vulnerability management practices and remediated as quickly as possible.
    • Third-party technology vendors must acknowledge and accept the responsibility and breakdown of who will be responsible, what they are responsible for at what level.
    • Third-party technology vendors must provide report on performed vulnerability scans, timeline, and remediation plan
  6. Third-party agreements must contain, or incorporate by reference, all the relevant security requirements necessary to ensure compliance with the University’s information security policies, standards, data retention schedules, and business continuity requirements. 
    • Website hosting vendors must provide DDOS protection and agree to give uptime guarantees for website hosting.
    • Website hosting vendors must allow or use the University’s SSL certificate to enable HTTPS URL functionality.
    • Website hosting vendors must ensure that georgetown.edu subdomains are used and active and hosted server or application are configured following UIS Configuration Management Policy
  7. UIS reserves the right to remove websites from the public-facing internet if those websites hosted by technology vendors are compromised or significantly non-compliant with security standards.
  8. UIS must monitor, review, and audit technology vendors for website hosting services for security control compliance on an ongoing basis. 

Refer to UIS Web Services for additional website design and hosting information.