Security Requirements for Hosting Web Content
So you ask, "Where can I publish my Web content?"
First, everyone publishing Web content should be familiar with Section 17 of the HOOP. Then, become familiar with these security requirements.
Define Security Classification of Content
- Is information confidential and/or sensitive?
- If information is not confidential and/or sensitive, does it require authentication and authorization by individual users for access? If yes,
  - Does access require IP address authentication?
  - Does access require user authentication and authorization?
  - Are both IP address authentication and user authentication/authorization required?
- Are the Web pages to be published dynamic, e.g. are they "jsp" or "asp" pages instead of "html" pages?
Hosting Options for Various Security Requirements
Individual Web information systems are configured to provide
specific levels of security.
Confidential and sensitive information must be published only
on systems that
- meet specific, high-level security standards, and
- require authentication and authorization of individual users
to grant access.
Non-confidential and non-sensitive information available for
restricted access via the Internet must be published on systems
that minimally
- meet specific, medium-level security standards, and
- require authentication and authorization of individual users.
Non-confidential and non-sensitive information for public access
via the Internet must be published on systems that minimally
- meet specific, low-level security standards, and
- do not require user authentication and authorization.
Inherent in the above schema is the fact that all information handled by an information system having a specific security configuration, whether or not the information is confidential and/or sensitive, is subject to all the mandatory security controls of that system.