Our more than 5,000 associated University Web Properties are the online representation of our institution and, for many people, their window into the University. They are also often a necessary tool for teaching, researching, learning, and working. Therefore, they should be inclusive of the full range of abilities, reflective of our world-class institution, and secure.
In order to help the campus community, standards have been outlined that include required specifications and timing:
Operating Systems, Web Servers (e.g., Apache), Content Management Systems (CMS) (e.g., Drupal, Sitecore), Web Application Software
Current and Supported Technology
When upgrading technologies or starting a new project, be sure to use only supported and up-to-date software that is actively receiving security patches from an established, reputable vendor (e.g., Microsoft, Oracle) or open-source community (e.g., Drupal, WordPress). If an existing technology is end of life (no longer being supported or given security updates), it should be either decommissioned or upgraded to a supported version. Maintainers of the operating systems, web servers, CMS, and application software of University Web Properties have a responsibility to stay informed of technology updates.
All security patches should be quickly applied upon release.
- Critical patches must be applied within 30 days.
- All other patches must be applied within 90 days.
- Note: Patching timeframes may be accelerated at Information Security’s discretion for more severe exploits. In those cases, Information Security will communicate accelerated patch requirements via the appropriate channels.
If a site includes web applications, it must address common security issues as outlined by the Open Web Application Security Project (OWASP) Top Ten Project and follow industry-accepted secure coding practices.
Additional Resources: Overview of Critical Web Application Security Risks
If a site will accept electronic payments, the site owner must work with the Bursar’s office to receive approval.
Additional Resources: E-commerce Knowledge Base article
A compromised University Web Property will generally be quarantined by Information Security (i.e., taken off the internet) until the compromise is addressed and Information Security authorizes the University Web Property’s reinstatement.
A University Web Property may also be quarantined if security and maintenance requirements are not met and if Information Security deems the University Web Property to put University business at risk.
Dehosting remains an option for continued non-compliance.
If assistance is needed in interpreting these specific security requirements, please reach out to divisional IT staff or IT Services Security staff by emailing firstname.lastname@example.org.
University Web Properties and digital content
Digital Accessibility: All University Web Properties, including those used for teaching, regardless of domain name, must:
- comply with the international standards of the World Wide Web Consortium’s Web Content Accessibility Guidelines version 2.1 (WCAG 2.1), Level AA;
- have a link to “Accessibility” in their footer. The link shall direct users to the Accessibility page of the Equal Opportunity Programs website.
University Web Properties with significant accessibility issues are subject to review by the Associate Provost for Equal Opportunity Programs.
- The Center for Digital Accessibility (CDA) is available to provide assistance interpreting these requirements, share best practices, and help ensure University Web Properties and digital content are accessible. Contact CDA staff by emailing email@example.com.
- To review the digital accessibility of a new or existing University Web Property, one or more recommended tools can be used to scan the University Web Properties. Proceed to make iterative fixes until the site generates no errors when scanned and the number of warnings has been minimized.
University Web Properties
All University Web Property technical and administrative information needs to be provided and regularly updated in the UChicago University Web Properties Registry to maintain an accurate record.
The University’s web specialists are available to answer questions and help the campus community maintain up-to-date registry records. Contact the staff by emailing firstname.lastname@example.org.
University Web Properties
The following types of web properties must have a uchicago.edu domain (all exceptions require approval from the University Office of Communications and Provost Office):
- School and Division web properties (e.g. Law School, Social Sciences Division)
- Department web properties (e.g. Department of Computer Science, Department of Safety and Security)
- Centers and Institutes (e.g. Polsky Center, Center for Cultural Policy)
- Faculty primary page (e.g. chemistry.uchicago.edu/faculty/michael-hopkins)
- Administrative units (e.g. its.uchicago.edu)
- Note: University Web Properties will be a subdomain within the uchicago.edu domain (e.g. www.law.uchicago.edu) or a subdirectory (e.g. voices.uchicago.edu/bsdfacultyaffairs) depending on their needs and requirements.
The following types of web properties may have a non-uchicago.edu domain:
- Faculty non-primary sites/pages (e.g. sites.coffeejunkies.org/mkolar/publications)
- Joint web sites between the University of Chicago and non-UChicago entities (www.uchicagocharter.org)
- Web properties of University affiliates (e.g. www.uchicagomedicine.org, www.mbl.edu)
- www.chicagobooth.edu (known exception)
Hostnames for web servers and internal administrative web applications (such as monitoring tools and RESTful APIs) are known exceptions to the domain name approval process.
uchicago.edu Domain Names
All University Web Properties are eligible to apply for a new uchicago.edu domain name by submitting a request. Requests are subject to the University guidelines outlined below. Domain names should:
- Contain between 5 and 15 characters.
- Closely conform to the entity’s name.
- Avoid the use of generic terms that could apply to multiple entities within the University or misrepresent the site’s purpose.
- Avoid obscene or offensive terms that are detrimental to the University’s reputation (e.g. stupid.uchicago.edu).
- Not use any special characters (e.g. its-.uchicago.edu).
- Not contain trademarked or copyrighted names owned by non-University entities (e.g. pepsi.uchicago.edu).
Third-Level Domain Names
A “third-level” domain name is the most common type of domain name, such as sustainability.uchicago.edu, humanresources.uchicago.edu, or socialsciences.uchicago.edu. An academic or administrative unit of the University (e.g., a school, department, center, institute, or administrative organizational unit of the University) may establish a third-level domain name.
Note: A dean, chair, vice president, or vice provost or their designated delegate responsible for the requesting unit must initiate a request for a new third-level domain name via the University domain request form.
Fourth- and Lower-Level Domain Names
A “fourth-level” domain name is a four-part web address, such as phoenixforge.cs.uchicago.edu. It is built upon an already approved third-level domain, in this case, Computer Science’s domain name cs.uchicago.edu. Academic or administrative units of the University that have an existing third-level domain name may establish fourth- and lower-level domain names below that third-level domain name.
Note: These subdomain names may be requested from, and will be approved by, the relevant entity responsible for the existing third-level domain; no further approval is required. In the example above, Computer Science manages this domain name, and can establish fourth-level domain names independently.
The University official responsible for the academic or administrative unit having a third-level or an external domain name must ensure that the web content associated with that domain name does not misuse or misrepresent the University’s brand name and logos, and that copyrighted material is not distributed and trademarks are not used without proper authorization from the copyright or trademark owner.
- The University’s website specialists are available to answer domain name related questions. Contact the staff by emailing email@example.com.
- Use of Non-uchicago.edu Domain Names Policy outlines the circumstances under which any domain name other than uchicago.edu can be used on the University network.
- Redirection of University Domain Names to External Networks Policy describes the approval process for pointing a domain name to an external network.