Responsible Office: Campus Technology (CT)
A. Web Development
1. Purpose
Grand Canyon University’s Campus Technology (CT) has adopted a web application development platform consisting of specific operating systems, web servers, databases, and programming tools that can be used to host web applications developed in-house or by outside contractors. The purpose of this document is to define the components of the University’s supported web development platform, coding standards, and testing and approval process so that applications can be developed in a manner consistent with accepted interoperability and security practices and be fully compatible and supportable in our environment.
2. Scope
Any University division, department, or individual that develops applications that will run on IT or departmental computing platforms. This includes both web-based and traditional client/server based applications.
3. Acceptable Technologies
In general, in-house developers or outside contractors hired to develop custom web-based applications for use on GCU supported servers should develop those applications using open standard protocols, languages, and tools. GCU IT defines open standard to mean:
“A technology whose specifications are published and freely available (e.g., HTML, XML, PHP, Java) and sufficiently detailed that applications written according to the specification will work with any other software or platform designed for compliance with that specification.”
The list of acceptable open-standards technologies supported by GCU IT includes, but is not limited to:
- Java / JSP / JavaEE (Java is IT’s preferred platform for all application development)
- PHP 5 or later.
- W3C standards-compliant HTML, XHTML, CSS, DHTML, XML, DOM.
- JavaScript/ECMAScript
- Python
- Ruby
- SSL/TLS
- Apache/Tomcat
- SQL standards such as SQL-92, 99, or 2003 (vendor-specific SQL extensions should be avoided)
Note: Web developers intending to use any technology other than those listed above must consult with Campus Technology before any development work begins. GCU IT cannot guarantee application compatibility with the existing infrastructure if unsupported technologies are used for development or deployment.
4. Platform and Functionality Considerations
To ensure application compatibility within GCU’s campus computing infrastructure, web application developers should keep the following in mind:
- Production web application servers at GCU primarily use Apache 2.x on Linux and Windows Server platforms.
- Microsoft’s IIS web server and/or Active Server Pages (ASP) technologies are supported only when required by third-party applications.
- While GCU IT primarily uses Apache Tomcat, all Java web application code must be written to run in any Java EE 6 (or later) compliant web application container.
- Microsoft SQL Server is supported by GCU IT for traditional client-server database applications. The preferred database platforms for web-based applications, however, are PostgreSQL and MySQL.
- Web-based applications must support recent versions of all popular web browsers, including Mozilla Firefox 17 or higher, Internet Explorer 10 or higher, and Safari 5 or higher. Adhering to W3C web standards is the best way to ensure this compatibility.
- Any user authentication mechanism must present the login screen over an encrypted HTTPS (SSL/TLS) connection, and the form that submits the credentials must post over HTTPS as well, so that usernames and passwords are never transmitted in plain text. GCU IT can provide SSL/TLS certificates upon request.
- Authentication mechanisms that use GCU IDs must connect to the campus LDAP server over an encrypted connection (LDAPS or StartTLS) using an anonymous bind; GCU ID credentials must never be sent to the directory in clear text. Where applicable, user authorization should be handled via LDAP group membership.
- Any file transfer operations, SQL queries, or directory service lookups must occur over an encrypted channel such as TLS (for database and LDAP connections), SFTP, or SCP; plain FTP, unencrypted database connections, and clear-text LDAP are not acceptable.
5. Application Verification Testing and Development Lifecycle
- Applications should be designed according to the platform, tool, and data connectivity guidelines presented in this document and in other related University policy documents, such as Safeguarding Sensitive and Confidential Information and Secure Directory Services Access for User Authentication and Authorization.
- Functional requirements for applications should consider all appropriate University policies, industry guidelines, and state and federal regulations for secure access, handling of sensitive data, and protection of personally identifiable information (PII) or financial records. Examples include HIPAA, FERPA, and PCI-DSS.
- Whenever possible, application development will be performed in a secure ‘dev’ or ‘test’ environment that is isolated from the Internet and may have limited or no access to the University’s production server farm and campus network.
- Prior to moving an application from the dev/test environment to production use, the application will be scanned by IT’s Systems and Security Group for known security vulnerabilities using automated tools such as WebInspect, AppScan, or other commercial and open-source utilities. Application developers are encouraged to request periodic security scans during the development process (e.g., at each project milestone) to proactively address security vulnerabilities and reduce the likelihood of issues arising during the final pre-production scan.
- When the pre-production scan has been completed and any vulnerabilities it identified have been addressed, the application will be moved into the appropriate production environment and any required external firewall rules for remote communication will be enabled.
- GCU’s Systems and Security Group will periodically re-scan applications that are in production use to ensure that they are not vulnerable to new attack methods.
B. Web Publishing Policy
1. Purpose
Grand Canyon University’s web presence is essential to its mission of teaching, learning, and public service. However, any information published to a web server can potentially be viewed, copied, and redistributed by anyone who can access it via a web browser. Thus, the University’s Web Publishing policy seeks to establish standards and guidelines that will:
- Support the vision, mission, goals and traditional academic values of the university.
- Assist web publishers in developing sites that comply with university policies, rules, and regulations, and all applicable local, State, and Federal laws.
- Facilitate the official business of the University and appropriate online transactions while maintaining the necessary level of security and privacy.
- Outline mechanisms for maintaining the integrity and security of confidential/sensitive information that for legitimate business or pedagogical reasons must be stored on or accessed via a campus web server.
- Define web account creation policies to ensure that only those individuals with proper authorization can publish content to web servers in the gcu.edu domain.
This Web Publishing policy document is not intended as a style guide for the look and feel of web pages, nor does it address web page design or branding. Please refer to the University Branding web pages for guidelines pertaining to Grand Canyon University’s standards for web page design and branding. Specific requirements for the proper protection and handling of sensitive and confidential information in any medium by members of the Grand Canyon University community are described in the University’s Safeguarding Sensitive and Confidential Information policy document.
2. Scope
This policy document applies to:
- Grand Canyon University’s official website, http://www.gcu.edu
- All web pages located on servers within the gcu.edu domain, including sites hosted on the sites.gcu.edu network.
- University-affiliated sites outside of the gcu.edu domain using approved Grand Canyon University trademarked or copyrighted materials, images, logos, etc.
- Web pages of Application Service Providers (ASPs) or vendors that have contracted with the University to deliver online services. Examples include, but are not limited to, online learning management systems and vendor “portals” for procurement of equipment, services, and supplies.
- Faculty, staff, and student pages located on any server or device connected to the Campus network that is capable of delivering web content.
- Individuals who have been assigned custodial rights to a departmental web publishing account.
3. Policy
Web publishers are responsible for the content of the pages they publish and are expected to abide by the highest standards of quality and responsibility. These responsibilities apply to all publishers, whether they are colleges, departments, student or employee organizations, or individuals.
- All web content must conform to the University’s Safeguarding Sensitive and Confidential Information policy document. Among other things, this means that sensitive University information, including but not limited to student records, financial records, or any other confidential or private information, may not be displayed on publicly accessible web pages or stored on a web server in unencrypted form.
- Web pages may only be published to a server on the campus network using an IT-authorized user account. Examples of authorized user accounts include GCU IDs and any departmental or application-specific logins created by CT for the purposes of web content publishing.
- All accounts used for web publishing shall conform to the University’s Account Management and Password Management policies.
- Any website or online form that requests a username and password for authentication must do so over a secure (SSL/TLS) connection for both the page on which the username and password are entered and the request that submits them.
- A web site’s home page should clearly identify the person or unit responsible for its creation and maintenance. It is recommended that any sub-pages linked from the site’s home page should contain similar information.
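The HTTPS requirement above, which repeats the login-screen requirement in section A.4, can be checked mechanically before an application is submitted for its pre-production scan. The following Python script is an added example for this page, not a GCU tool or part of the policy: it parses a page's HTML, finds every form that contains a password field, and flags any such form that is served from a non-HTTPS page or whose submission target is not an HTTPS URL. The page URLs and HTML below are constructed samples; in practice the URL and body would come from the dev/test server under review.

```python
"""Pre-production check: every form that collects a password must be served
over HTTPS and must submit its credentials over HTTPS.

Added example for this policy page; not part of the policy or of any GCU
system. Sample pages are constructed inline so the check runs offline.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Record each <form>'s action and whether it holds a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []       # one dict per form: {"action": str|None, "password": bool}
        self._current = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action"), "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # <input> with no type attribute defaults to type="text"
            if (a.get("type") or "text").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def check_login_forms(page_url, html):
    """Return a list of finding strings; an empty list means the page passes.

    A finding is raised when a form containing a password field is
    (a) served from a page whose scheme is not https, or
    (b) submits to a target whose scheme is not https.
    A missing or empty action submits back to the page URL itself, so the
    action is resolved with urljoin before its scheme is examined.
    """
    parser = _FormCollector()
    parser.feed(html)
    parser.close()
    findings = []
    page_scheme = urlsplit(page_url).scheme.lower()
    for n, form in enumerate(parser.forms, 1):
        if not form["password"]:
            continue  # not a credential form; outside this check's scope
        if page_scheme != "https":
            findings.append(f"form {n}: login page is served over {page_scheme}, not https")
        target = urljoin(page_url, form["action"] or "")
        target_scheme = urlsplit(target).scheme.lower()
        if target_scheme != "https":
            findings.append(f"form {n}: credentials submitted to {target} over {target_scheme}, not https")
    return findings


# Constructed sample pages (hypothetical hosts, not real GCU pages).
BAD_PAGE_URL = "http://dept.example.edu/portal/"
BAD_PAGE = """<html><body>
<form action="login.php" method="post">
  <input name="user" type="text">
  <input name="pass" type="password">
</form>
<form action="http://search.example.edu/q" method="get">
  <input name="q" type="text">
</form>
</body></html>"""

GOOD_PAGE_URL = "https://dept.example.edu/portal/"
GOOD_PAGE = """<html><body>
<form action="/auth/login" method="post">
  <input name="user" type="text">
  <input name="pass" type="password">
</form>
</body></html>"""

# Page itself is HTTPS, but the form posts the password to a clear-text URL.
MIXED_PAGE_URL = "https://dept.example.edu/portal/"
MIXED_PAGE = """<html><body>
<form action="http://legacy.example.edu/auth" method="post">
  <input name="user">
  <input name="pass" type="password">
</form>
</body></html>"""

if __name__ == "__main__":
    samples = [(BAD_PAGE_URL, BAD_PAGE), (GOOD_PAGE_URL, GOOD_PAGE), (MIXED_PAGE_URL, MIXED_PAGE)]
    for url, page in samples:
        result = check_login_forms(url, page)
        print(url, "PASS" if not result else "FAIL")
        for finding in result:
            print("  -", finding)
```

The search form on the first sample page is deliberately ignored: the policy governs credential entry, so only forms with a password field are in scope. The third sample is the case that manual review most often misses, a page that is itself HTTPS but whose form action points at a clear-text URL; the check resolves the action and inspects the target's scheme, not just the page's.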
4. College and Departmental Web Pages
Non-CT web servers that are maintained and operated by a college or department are subject to all University policies regarding server configuration, security, account management, and content as defined in the following policy documents:
- Network Connectivity Policy
- Account Management Policy
- Password Management Policy
- Safeguarding Sensitive and Confidential Information Policy
- Web Application Development Policy
At the University’s discretion, college and departmental web servers may be included in the University’s overall search engine indexing and website statistics gathering processes. At the discretion of GCU Marketing and Communication, the owners of websites that are currently being indexed may be asked to take steps to have those sites and pages excluded from indexing.
5. Personal Web Pages
There are numerous services available to the campus community that facilitate the publishing of personal web pages. Some examples include:
- Sites.gcu.edu (CampusPress) service or MS PowerPages
- Faculty/staff cover pages on the main University website.
- The Halo learning management system (LMS; used for course content, student portfolios, and discussion groups).
- Various college and departmental web servers, or hosted sites, that contain department or personal web pages. At the discretion of GCU Marketing and Communication, and Campus Technology, such sites may be asked to migrate their content to authorized hosted environments, such as sites.gcu.edu.
- Personal computers with web server software installed (note: access to these web servers is restricted by the University’s firewall to on-campus traffic only.)
Individuals who utilize one or more of the above services to publish web content are subject to all of the policies herein, as well as all other University computing policies, and state, federal, and local laws.
6. Copyright
All web publishers are required to respect the intellectual and creative property rights of others and abide by all applicable policies and guidelines for fair use of copyrighted materials.
7. Online forms and Transactional Web Pages
Various colleges, departments, and Administrative units have a legitimate need to collect and process information using online forms and transactional web pages. Some examples include online registration, applications for Financial Aid, Graduate School applications, event/seminar registration, and surveys. The following rules apply to any online form or transactional web page, whether it is hosted on a GCU-operated web server, college or departmental web server, or an individual’s web server.
- Individual (personal) web pages may NOT be used to gather personally identifiable information such as GCU IDs and passwords, Social Security numbers, home addresses, or any other personal identity information as defined by applicable state, federal, and local laws.
- Colleges, departments, and Administrative units needing to gather personal identity information may only do so using web forms or transaction systems that have been provided by CT for this purpose or have been evaluated by CT for security and privacy compliance.
- Any online form or transactional website must clearly state on the site what will be done with the information collected, and provide a link to the University’s privacy policy.
- All transactional websites must comply with University policies regarding server configuration, security, account management, and content as defined in Section 3 above.
- Online forms and transactional websites should only collect the minimum amount of information that is required to complete the form or transaction.
- Where possible, give users the option of not identifying themselves.
- Clearly state who is collecting the information and provide context so that users are aware why it is being collected.
- Use and disclose personal information only for the primary purpose for which it was collected, and in accordance with the University’s Safeguarding Sensitive and Confidential Information policy.