The University of Chicago has established policies that govern all University Web Properties. The University’s more than 5,000 associated University Web Properties are the online representation of the institution and, for many people, their window into the University. They are also often a necessary tool for teaching, researching, learning, and working. They should be secure, well maintained and accessible.
In order to help the campus community comply with these policies, standards have been outlined that include required specifications and timing:
Security and Maintenance Technologies
- Operating Systems
- Web Servers (e.g., Apache)
- Content Management Systems (CMS) (e.g., Drupal, Sitecore)
- Web Application Software
Security and Maintenance Standards
Current and Supported Technology
- When upgrading technologies or starting a new project, be sure to use only supported and up-to-date software that is actively receiving security patches from an established, reputable vendor (e.g., Microsoft, Oracle) or open-source community (e.g., Drupal, WordPress).
- If an existing technology is end of life (no longer being supported or given security updates), it should be either decommissioned or upgraded to a supported version. Maintainers of the operating systems, web servers, CMS, and application software of University Web Properties have a responsibility to stay informed of technology updates.
Security Updates
- All security patches should be quickly applied upon release.
- Critical patches must be applied within 30 days.
- All other patches must be applied within 90 days.
- Note: Patching timeframes may be accelerated at Information Security’s discretion for more severe exploits. In those cases, Information Security will communicate accelerated patch requirements via the appropriate channels.
Security Issues
- If a site includes web applications, it must address common security issues as outlined by the Open Web Application Security Project (OWASP) Top Ten Project and follow industry-accepted secure coding practices.
- Additional Resources: Overview of Critical Web Application Security Risks
Electronic Payments
- If a site will accept electronic payments, the site owner must work with the Bursar’s office to receive approval.
- Additional Resources: E-commerce Knowledge Base article
Security and Maintenance Governance
Compliance
- Per the Web Properties Management Policy, if a University Web Property is not made compliant with these standards and policies, the web property may lose permission to use a University domain name or may be removed from the network.
Enforcement
- A compromised University Web Property will generally be quarantined by Information Security (i.e., taken off the internet) until the compromise is addressed and Information Security authorizes the University Web Property’s reinstatement.
- A University Web Property may also be quarantined if security and maintenance requirements are not met and if Information Security deems the University Web Property to put University business at risk.
- Dehosting remains an option for continued non-compliance.
Resources
If assistance is needed in interpreting these specific security requirements, please reach out to divisional IT staff, or IT Services Security staff by emailing itrisk@uchicago.edu.
Digital Accessibility Technologies
University Web Properties and digital content
Digital Accessibility Standards
Digital Accessibility: All University Web Properties, including those used for teaching, regardless of domain name, must:
- comply with the international standards of the World Wide Web Consortium’s Web Content Accessibility Guidelines version 2.1 (WCAG 2.1), Level AA.
All University websites, including those used for teaching, regardless of domain name, must:
- have a link to “Accessibility” in their footer. The link shall direct users to the Access UChicago Now website (accessibility.uchicago.edu).
Digital Accessibility Governance
Compliance
- Per the Digital Accessibility Policy, the Associate Provost for Equal Opportunity Programs and ADA/504 Coordinator, or designee, has the authority to remove any non-conforming University Web Property from the University’s network with prior notice to the appropriate website owner and approval from the Provost and CIO, or their designees.
Enforcement
- A noncompliant University Web Property may be quarantined (i.e., taken off the internet) until the issues are addressed and IT Services authorizes reinstatement.
- Dehosting remains an option for continued noncompliance.
Resources
- The Center for Digital Accessibility (CDA) is available to provide assistance interpreting these requirements, share best practices, and help ensure University Web Properties and digital content are accessible. Contact CDA staff by emailing digitalaccessibility@uchicago.edu.
- To review the digital accessibility of a new or existing University Web Property, one or more recommended tools can be used to scan the University Web Properties. Proceed to make iterative fixes until the site generates no errors when scanned and the number of warnings has been minimized.
Registration Technologies
University Web Properties
Registration Standards
All University Web Property technical and administrative information needs to be provided and regularly updated in the UChicago University Web Properties Registry to maintain an accurate record.
Registration Governance
Compliance
- Per the Web Properties Management Policy, if a University Web Property is not made compliant with these standards and policies, the web property may lose permission to use a University domain name or may be removed from the network.
Enforcement
- A non-registered University Web Property may be quarantined (i.e., taken off the internet) until accurate and up-to-date information is provided.
- Dehosting remains an option for continued noncompliance.
Resources
The University’s web specialists are available to answer questions and help the campus community maintain up-to-date registry records. Contact the staff by emailing webhelp@uchicago.edu.
Domain Name Technologies
University Web Properties
The following types of web properties must have a uchicago.edu domain (all exceptions require approval from the University Office of Communications and Provost Office):
- School and Division web properties (e.g. Law School, Social Sciences Division)
- Department web properties (e.g. Department of Computer Science, Department of Safety and Security)
- Centers and Institutes (e.g. Polsky Center, Center for Cultural Policy)
- Faculty primary page (e.g. chemistry.uchicago.edu/faculty/michael-hopkins)
- Administrative units (e.g. its.uchicago.edu)
- Note: University Web Properties will be a subdomain within the uchicago.edu domain (e.g. www.law.uchicago.edu) or a subdirectory (e.g. voices.uchicago.edu/bsdfacultyaffairs) depending on their needs and requirements.
The following types of web properties may have a non-uchicago.edu domain:
- Faculty non-primary sites/page (e.g. sites.coffeejunkies.org/mkolar/publications)
- Joint web sites between the University of Chicago and non-UChicago entities (www.uchicagocharter.org)
- Web properties of University affiliates (e.g. www.uchicagomedicine.org, www.mbl.edu)
- www.chicagobooth.edu (known exception)
- Hostnames for web servers and internal administrative web applications (such as monitoring tools and RESTful APIs) are known exceptions to the domain name approval process.
Domain Name Standards
uchicago.edu Domain Names
- All University Web Properties are eligible to apply for a new uchicago.edu domain name by submitting a request. Requests are subject to the University guidelines outlined below. A requested domain name:
- Closely conforms to your entity’s name to enhance search engine performance.
- Is not a generic word that would easily apply to multiple areas within the University. (e.g. education.uchicago.edu)
- Is between five and 20 characters long.
- Does not begin with, end with, or use any special characters. (e.g. communication-.uchicago.edu)
- Does not contain trademarked or copyrighted names owned by non-University entities. (e.g. pepsi.uchicago.edu)
- Is not obscene or offensive, does not misrepresent its purpose, and is not detrimental to the University’s reputation. (e.g. stupid.uchicago.edu)
- Is a specific, descriptive word that doesn’t apply to multiple areas within the University.
Third-Level Domain Names
- A “third-level” domain name is the most common type of domain name, such as sustainability.uchicago.edu, humanresources.uchicago.edu, or socialsciences.uchicago.edu. An academic or administrative unit of the University (e.g., a school, department, center, institute, or administrative organizational unit of the University) may establish a third-level domain name.
- Note: A dean, chair, vice president, or vice provost or their designated delegate responsible for the requesting unit must initiate a request for a new third-level domain name via the University domain request form.
Fourth- and Lower-Level Domain Names
- A “fourth-level” domain name is a four-part web address, such as phoenixforge.cs.uchicago.edu. It is built upon an already approved third-level domain, in this case, Computer Science’s domain name cs.uchicago.edu. Academic or administrative units of the University that have an existing third-level domain name may establish fourth- and lower-level domain names below that third-level domain name.
- Note: These subdomain names may be requested from, and will be approved by, the relevant entity responsible for the existing third-level domain; no further approval is required. In the example above, Computer Science manages this domain name, and can establish fourth-level domain names independently.
Domain Name Governance
Compliance
- Per the Web Properties Management Policy, if a University Web Property is not made compliant with these standards and policies, the web property may lose permission to use a University domain name or may be removed from the network.
Enforcement
- The University official responsible for the academic or administrative unit having a third-level or an external domain name must ensure that the web content associated with that domain name does not misuse or misrepresent the University’s brand name and logos, and that neither copyrighted material is distributed nor trademarks used without proper authorization from the copyright or trademark owner.
- A non-compliant University Web Property may be quarantined (i.e., taken off the internet) until proper actions have been taken to resolve the issue.
- Dehosting remains an option for continued noncompliance.
Resources
- The University’s website specialists are available to answer domain name related questions. Contact the staff by emailing webhelp@uchicago.edu.
- Use of Non-uchicago.edu Domain Names Policy outlines the circumstances under which any domain name other than uchicago.edu can be used on the University network.
- Redirection of University Domain Names to External Networks Policy describes the approval process for pointing a domain name to an external network.