What are we required to do about 3rd-party websites and web applications that do University business but may not be accessible or secure?
Contact digitalaccessibility@uchicago.edu to discuss accessibility issues, and security@uchicago.edu for security concerns.
What should be done if a website has accessibility and/or security gaps and the site depends on the vendor's schedule for delivering new versions?
While it's best to let your vendor make accessibility and security updates, be sure to get written clarification from your vendor on when and what will be remediated. There is guidance on the CDA website regarding procurement of accessible products and working with vendors. The University also has a set of preferred vendors that can be accessed via the Website Resource Center.
Why is digital accessibility important?
Web properties should be easily navigated and understood by a wide range of users, including users with disabilities. Digital Accessibility:
- Offers a better user experience for everyone
- Strengthens our commitment to an accessible, diverse, and inclusive working and learning environment
- Helps our digital representation online reflect our academic excellence
- Strengthens the University’s compliance regarding accessibility laws and reduces risk
- Enhances Search Engine Optimization (SEO)
For all other accessibility-related questions, visit the Center for Digital Accessibility’s FAQ.
Do these policies apply to my website?
The policy applies to any University Web Property, that is, any website or web application “owned or controlled by the University or operated by or on behalf of the University.”
Examples include:
- A website using a University domain name, or a website redirected from a University domain name.
- A website without a University domain name (and that is not redirected from a University domain name) but:
  - is used for University business.
  - uses University branding and logos.
What is university business?
University business includes, but is not limited to, teaching, publishing research, marketing university events, university groups, and research labs.
Do the new policies apply to student-led group websites, such as RSOs and newspapers?
We recommend that student-led group websites, such as RSOs and newspapers, regularly review the accessibility and security of their websites. These groups should avail themselves of the Center for Digital Accessibility and the Website Resource Center.
Do the new policies apply to faculty lab groups, which sometimes use non-university domain names?
Yes. These are considered university business.
Do the new policies apply to faculty personal web pages?
If the personal webpage
- does not bear a University domain name
- performs no University business
- and bears no University logos
e.g. a faculty website with only personal content, such as CVs, photos, or a blog, then the policy does not apply.
Do the new policies apply to social media sites and Zoom calls?
Yes. UChicago-branded social media and linked social media are considered content and should be accessible.
Social media should be accessible before posting. The list of considerations includes color contrast choices, adding alt-text to images, human-generated or -corrected captions or transcripts, limiting the use of emojis, and using CamelCase in hashtags so screen readers can more easily distinguish each word. Links to resources can be found on the Content Creators page of the CDA website, including a helpful social media blog post from Siteimprove.
For guidance regarding captioning of live events, course content, and public-facing content, please visit the CDA website.
Do the new policies apply to emails?
Yes.
From an accessibility standpoint, please apply guidelines for content creators. Make sure to follow specifications for things like alt-text for images (including logos, images of text, and images used as headers or footers), sufficient color contrast, properly structured tables, and meaningful link text (instead of using "click here" or the URL). Please reach out to the CDA (digitalaccessibility@uchicago.edu) for help with digital accessibility.
From a security standpoint, there are University resources to provide guidance:
Do the new policies apply to websites that are old and not changing?
Yes. We ask that Site Owners make best efforts on these sites.
Make sure new sites and content are born accessible.
For existing content on a website or social media platform:
- Fulfill user requests regarding accessibility in a timely manner.
- Prioritize updating sites and content with the highest visibility.
- Assess whether sites or content should be removed if no longer necessary or relevant.
Does the University provide support for making these website revisions?
There may be costs associated with making needed changes to be in compliance with the new policies. You are encouraged to discuss this with your unit budget manager.
- There are many things you can do to strengthen your compliance without incurring any expense, including:
  - Security: Reduce risk. Sometimes, making simple choices about product configurations or data can avoid compliance or security costs.
  - Digital accessibility: Address some of the “easy changes” mentioned earlier, like adding alt-text to images and creating meaningful link text.
- The University has provided organizational resources to assist with this effort:
Do the new policies apply to hand-coded applications and SaaS applications?
Yes. These apps perform University business.
Do the new policies apply to internal (limited access) websites?
Internal websites, sites with a very limited audience, are still subject to the policies.
What is the definition of a "substantial revision" to a website or content?
A substantial revision includes changes to the navigation or the visual treatment (colors), a change in content on a majority of the pages, a change of platform, or anything else that could disrupt the accessibility or security of your website.
When do these policies not apply?
The policies may not apply to some web properties, even if they reference the University.
If the personal webpage
- does not bear a University domain name
- performs no University business
- and bears no University logos
e.g. a faculty website, anexampleofaprofessorswebsite.wix.com, with only personal content, such as CVs, photos, or a blog, then the policy does not apply.
If a web property is not subject to the University policies, site owners should still ensure that the property is accessible, secure, and maintained. These practices benefit the owners and reduce risk to reputation and security.
If you have questions about the policy, please contact webhelp@uchicago.edu.
I'd like to find out which sites have already been registered. How do I find that out?
If you'd like to know which websites are currently registered to you or your division, please contact webhelp@uchicago.edu for a report.
I'm an IT person who administers many websites. Am I responsible for registering them?
Site owners, the faculty or staff who have a business need for their website, are responsible for registering their sites. Seldom is the site owner also the technical support for the website. However, if, as an IT person, you have bulk information for the ownership of these sites, you can work with us to leverage that data. Contact webhelp@uchicago.edu.
What happens to sites that are not registered?
Over time, sites without registered owners will be reviewed with unit and divisional leadership. Sites that cannot be assigned after these best efforts may be subject to shutdown.
Where do I register my website?
https://websites.uchicago.edu/policies-standards/website-registry/
What could happen if a web property is not secure?
Potential scenarios include:
- Data breach or exposure of sensitive information
- Defacement (e.g., posting inflammatory information)
- Criminals attacking website visitors with malware or viruses
- Theft of accounts and passwords which could then be used for malicious purposes on other systems (e.g., phishing)
- Being taken offline by University Information Security, leading to interruption of service
If you have a site hosted through a “reputable” site (e.g., WordPress, Squarespace), do you need to reach out about a critical patch?
Hosting providers can make updates on your behalf, but not all do in all circumstances. Official WordPress hosting, for example, includes updates and you should not need to worry about patching. Other providers may not. It is important to understand what your provider will do for you and not assume it is included.
What about virtual machines?
Virtual machines have many of the same security concerns as real metal computers. They typically still require patches to the software they run, the virtual machine management infrastructure (like VMware, Hyper-V, or the like), and any supporting software they may run.
What do website owners need to do security-wise?
When buying a product or developing a new web property, have a plan to maintain it going forward. Budgets may be required for patches, maintenance, or other requirements.
- Understand who “owns” a web property: what happens if the website manager changes jobs or leaves the University?
- Be prepared to take quick action if there is a security issue and stay connected with your local technology team.
- Keeping a website secure is a continuous process.
- For security questions, please contact your local technology teams or the University Information Security team at security@uchicago.edu or 773.702.CERT
What makes for a secure web property?
- Current and supported technologies: When upgrading technologies or starting a new project, be sure to only use supported and up-to-date software that is actively receiving security patches from an established, reputable vendor (e.g., Microsoft, Oracle) or open-source community (e.g., Drupal, WordPress).
- Security updates: Critical patches must be applied within 30 days. All other patches must be applied within 90 days.
- Secure development practices: If a site includes web applications, it must address common security issues as outlined by the Open Web Application Security Project (OWASP) Top Ten Project and follow industry-accepted secure coding practices.
- Electronic payments and Payment Card Industry (PCI) compliance: If a site will accept electronic payments, the site owner must work with the Bursar’s office to receive approval.
Are websites on the "Voices" platform through the University already considered secure?
The Voices platform is managed by a vendor on behalf of the University and there is no need to take special action for security.
Is there a central UChicago-oriented resource, some sort of checklist perhaps, that I could point my vendor to, or verify my website against?
Your starting point should be the standards. This list acts as your "checklist" for your site. Depending on the complexity of your site, some of these items will be simple. For others, such as WCAG 2.1 AA conformance, you can seek further help on the Center for Digital Accessibility website.
Our department maintains a webserver. Can we just copy our sites over to one of the University options?
Quite possibly. Review the hosting options at the Website Resource Center and contact webhelp@uchicago.edu to see what might work for you.
We’re updating this FAQ as more questions come in.
Email webhelp@uchicago.edu with your general questions or digitalaccessibility@uchicago.edu with accessibility-specific questions.