S 2.172 Developing a concept for using the web
Initiation responsibility: Top Management, IT Security Officer
Implementation responsibility: Administrator, Head of IT
Before setting up a website, a concept must first be created that describes which information and services the website should offer via the web server. The concept should contain one general section and one organisational section at a minimum:
The general section should describe the following:
- the goals the organisation is pursuing using the website (is it a purely informational offer, an e-commerce offer, or an e-government offer?),
- the target groups for the website, and
- the information or services to be made available on the website.
The organisational section should provide a general overview of who is responsible in the institution for the following:
- preparing and updating the information, and
- designing and maintaining the visual appearance of the website (web design).
The organisational section of the web concept should also specify who is responsible for technical aspects of the operation of the web server.
The concept for the website should be examined regularly to ensure it is up-to-date. When the goals or strategies of the institution change, then the web concept must be checked to see if it is affected by the changes.
The following aspects should be taken into account when developing a concept:
A website can be used purely as an internal information service or as the central application on an intranet, or it can offer various services to the general public on the Internet. The security requirements placed on the web server therefore depend on the design of the planned website. Even in a small institution, the requirements placed on a web server that runs as an intranet server without any critical applications differ considerably from those placed on a web server that will be connected to the Internet and may even hold data that must not be accessible to everyone.
If web services will be offered in the intranet as well as on the Internet, then it is recommended to use two separate systems: an intranet web server and an Internet web server. If the Internet web server will also be connected to the internal network, then the gateway to the internal network should be protected by a firewall (see module M 3.1 Security gateway (firewall)).
If some of the content of the web server is to be obtained from a database, then the connection between the web server and the database must also be covered by the firewall concept for the web server: the web server should be able to reach only the database host and service it actually needs, and the database should not be reachable from the Internet directly. The aspects to take into account when designing the information server landscape are described in safeguard S 2.77 Integration of servers in the security gateway. When creating the concept for a website, you should at least specify in general terms how connections from the Internet will be controlled and which types of connections to the internal network are required.
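The following is an added example, not part of the BSI safeguard text, that models the firewall concept described above for an Internet web server placed in a separate network segment (DMZ) in front of the internal network. All addresses, host names, ports and rule names are hypothetical; the point is a default-deny rule set in which the only connection permitted from the web server into the internal network is the one to the database, and a small reachability check that a reviewer can run against the rule set to confirm that nothing else in the internal network is exposed.

```python
"""Model of a firewall concept for an Internet web server in a DMZ.

Added example (not from the safeguard text). The address plan below is
constructed for illustration: 192.0.2.0/24 is the DMZ holding the Internet
web server, 10.0.0.0/8 is the internal network holding the database server.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Hypothetical address plan (constructed for this example).
ANY = ip_network("0.0.0.0/0")             # the Internet and everything else
DMZ = ip_network("192.0.2.0/24")          # segment for the Internet web server
INTERNAL = ip_network("10.0.0.0/8")       # internal network
WEB_SERVER = ip_network("192.0.2.10/32")  # Internet web server
DB_SERVER = ip_network("10.0.5.20/32")    # database feeding the web content
ADMIN_NET = ip_network("10.0.1.0/24")     # administrators' workstations


@dataclass(frozen=True)
class Rule:
    """One line of the firewall concept: who may talk to whom on which ports."""
    name: str
    src: IPv4Network
    dst: IPv4Network
    dports: frozenset          # empty set means "any destination port"
    action: str                # "allow" or "deny"

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (ip_address(src) in self.src
                and ip_address(dst) in self.dst
                and (not self.dports or dport in self.dports))


# First match wins; anything not matched is denied by the default at the end.
GATEWAY_RULES = [
    Rule("public web", ANY, WEB_SERVER, frozenset({80, 443}), "allow"),
    Rule("web to db", WEB_SERVER, DB_SERVER, frozenset({5432}), "allow"),
    Rule("admin ssh", ADMIN_NET, WEB_SERVER, frozenset({22}), "allow"),
    # Explicit block of every other path from the DMZ into the internal net,
    # so that a later, broader "allow" cannot silently open it.
    Rule("dmz to internal", DMZ, INTERNAL, frozenset(), "deny"),
]


def decide(src: str, dst: str, dport: int, rules=GATEWAY_RULES):
    """Return (action, rule name) for a TCP connection attempt src -> dst:dport."""
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.action, rule.name
    return "deny", "default"


def reachable_from(src: str, hosts, ports, rules=GATEWAY_RULES):
    """Reviewer's check: which (host, port) pairs can `src` actually open?

    Run this with the web server as `src` and a list of internal hosts and
    common service ports; the expected answer is the database, nothing else.
    """
    return sorted((host, port)
                  for host in hosts for port in ports
                  if decide(src, host, port, rules)[0] == "allow")


if __name__ == "__main__":
    # Sample internal hosts and ports, constructed for the walkthrough.
    internal_hosts = ["10.0.5.20", "10.0.1.5", "10.0.9.40"]
    service_ports = [22, 445, 1433, 3306, 5432]
    print("web server can reach:",
          reachable_from("192.0.2.10", internal_hosts, service_ports))
    print("Internet -> database:", decide("198.51.100.7", "10.0.5.20", 5432))
```

If the review of the concept shows more than the single database entry in the web server's reachability list, the concept (not just the rule set) needs to be revisited, because every extra path from the DMZ into the internal network is a path an attacker who compromises the web server can take as well.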
The website should only be connected to the Internet after determining that all associated risks can be handled with the web concept selected as well as with the personnel and organisational resources available.
A web server providing the Internet presence of an institution does not necessarily have to be operated by the organisation itself. If the operating costs or the time and expense required for administration are too high or the residual risks appear to be incalculable, then it is possible to contract the operation of the web server to a corresponding Internet service provider or another type of service provider. In this case, module M 1.11 Outsourcing must be taken into account.
Review questions:
- Is there a concept for web use with a general and an organisational part?
- Are the goals of the organisation, the target groups and the information or services of the website defined?
- Have persons been designated who are responsible for providing and updating the information, for designing and maintaining the visual appearance of the website, and for the technical aspects of operating the web server?
- Is the concept for the website checked regularly to ensure it is still current, and adjusted if required?
- Do the security requirements correspond to the intended use of the web server?
- If the Internet web server is connected to the internal network: Is the transition from the web server to the internal network protected by a firewall?
- If the web server is connected to a database: Is the connection of the web server to the database also included in the firewall concept?