PROCESS FOR UPDATING WEBSITES AT NASA LARC


WEB SITE DEVELOPMENT, DEPLOYMENT, MAINTENANCE, AND REMOVAL

Section 1 Web Site Development, Maintenance, and Removal
Section 2 Web Site Deployment
Section 3 System Configuration Changes

Objectives:
-to ensure adherence to Agency and LaRC requirements for web site development, deployment, maintenance, and removal
-to ensure security of Center networks and computer systems
-to ensure security of web information

Approval: _original signed on file 7/14/08_ (Associate Director, Date)

Section 1 Web Site Development, Maintenance, and Removal

Roles: Responsible NASA Official (RNO); Organizational Unit Manager (OUM) or designee; Center Export Administrator

START
New web site?
Request OUM approval for web site development
Does site content contain instructional/procedural information that should be a Center process?
Approve? (see Note 1)
Notify RNO that web site development is approved
Contact the Directives Manager for guidance
Notify RNO that web site development is disapproved
Does site contain controlled/automated forms?
Contact the Forms Manager for guidance
Removal of existing web site?
Is technical information such as data sheets or specifications being released to public?
Review for release of technical information and inform the RNO of any information restrictions

Section 1 (continued)

Roles: Responsible NASA Official (RNO); Organizational Computer Security Official (CSO)

Is NASA scientific and technical information (STI) being released? (see Note 2)
Initiate review following LMS-CP-5904
Modify web site?
Design, develop, populate, and finalize web site including moving to production environment (see Note 3)
Follow Section 2, Web Site Development, of this procedure (see Note 4)
Submit/resubmit content changes to organizational CSO for approval prior to implementing changes (see Note 5)
Ensure changes do not adversely affect current information technology security procedures (NPR 2810.1)
In compliance?
Work with RNO to resolve issues

Section 1 (continued)

Roles: Responsible NASA Official (RNO); Organizational Computer Security Official (CSO); Technical Point of Contact

Changes impact Agency Web Site Registration System (AWRS) site registration information?
Update AWRS record and renew registration (in addition to required registration renewal) (see Note 6)
Notify RNO to proceed with changes
Implement web site content changes
Notify OUM and organizational CSO of their responsibility to ensure proper removal/deletion of web site and/or web server
Ensure proper removal/deletion of web site and/or web server
Make appropriate changes in AWRS (see Note 6)
Remove firewall rules and notify system administrator

Section 2 Web Site Deployment

Roles: Responsible NASA Official (RNO); (CS) Team; Organizational Computer Security Official (CSO)

START
Has web server been inventoried in AWRS? (see Note 6)
Contact TPOC to inventory server in AWRS
Register web site in AWRS (see Note 6)
Following full approval of web registration in AWRS, notify organizational CSO of approval (see Note 7)
Perform IT screening of server (see Note 8)
Is site for an audience external to LaRCNET?
Request information technology (IT) screening of web server
Pass IT screening?
Work with system administrator to resolve issues
Release web site to intended audience (see Note 7)
Notify RNO of passed scanning
Create firewall rules, and notify CSO

Section 3 System Configuration Changes

Roles: System Administrator; Organizational CSO; Team; Technical Point of Contact

START
Work with the system administrator to ensure changes meet established NASA guidelines
Submit modification to organizational Computer Security Official (CSO) for approval prior to implementing change (see Note 9)
Perform information technology (IT) screening (see Note 8)
Implement changes and notify Team
Pass IT screening?
Make appropriate changes in AWRS (see Note 6)

General Information

The following records are generated by this procedure and are maintained in accordance with LMS-CP-2707:
-Web Site Registration Record

A list of acronyms and definitions used in this procedure may be found at the end of this procedure.

The following URLs contain information and guidance relevant to this procedure:
-NASA OCIO Web Site http://insidenasa.nasa.gov/ocio/home/
-NASA Internet Publishing Content Guidelines http://nodis-dms.gsfc.nasa.gov/restricted_directives/tech_guidance/n_itr_2810_3_.html
-NASA Logo Policy http://www.hq.nasa.gov/pao/insignia/text/newlogopolicy.html
-NASA Insignia Use http://www.hq.nasa.gov/pao/insignia/text/
-Export Control guidance http://expcon.larc.nasa.gov/
-LaRC Organizational Computer Security Official (CSO) Information https://computer-security.larc.nasa.gov/itservices.htm
-Section 508 of the Rehabilitation Act guidance http://www.section508.gov
-Agency Web Site Registration System (AWRS) https://webregister.larc.nasa.gov

General Note

Web sites shall be reviewed yearly for public web sites and every three years for all other web sites by the RNO for the web site. This review shall be reflected by renewal of web site registrations in AWRS.

Policy and content reviews shall be performed yearly for public web sites and every three years for all other web sites by Center subject matter experts tracked by AWRS as required by the Agency and LaRC Office of Chief Information Officer (OCIO). Any violations of these policies and content restrictions constitute grounds for removal of the web site from the LaRC Network. The RNO for web sites that do not meet established guidelines will be contacted and informed of necessary changes. Failure to incorporate required changes within 30 days will necessitate removal from the LaRC Network.

Network scans are performed periodically by the LaRC OCIO. Any violations of the established NASA guidelines for information technology security constitute grounds for removal of the web site from the LaRC Network. The RNO and organizational Computer Security Official (CSO) for web sites that do not meet these guidelines will be contacted and informed of changes necessary to avoid removal from the LaRC Network if guidelines are not met.

If apparently unresolvable issues of web site approval, compliance with policy or guidelines, or IT screening are identified at any point in the procedure, individuals responsible for that portion of the procedure must inform the appropriate contacts (e.g., RNO, organizational CSO, system administrator, Team) of the situation and provide instructions about any actions that must be taken, e.g., cancellation or reversal of web site release or modification, or cancellation or reversal of system configuration changes. Any party may request arbitration by the LaRC CIO to help resolve disputes between the parties.

Note 1 (Section 1)
OUMs or their designees have the responsibility to approve development of web sites that originate in their chain of command. The following approval criteria shall be used:
-Web sites shall be directly related to the official duties and responsibilities of individuals and organizations within NASA.
-Web sites are subject to the same laws and regulations as are hard copy materials and must follow all appropriate policies, regulations, and directives as mandated by the Agency.

Note 2 (Section 1)
NPR 2200.2, "Requirements for Documentation, Approval, and Dissemination of NASA Scientific and Technical Information," defines STI as "the results (facts, analyses, and conclusions) of the Agency's basic and applied scientific, technical, and related engineering research and development. STI also includes management, industrial, and economic information relevant to this research. Examples include, but are not limited to, technical papers and reports, journal articles, meeting, workshop, and conference papers and presentations, conference proceedings, preliminary or non-published STI, including any of these examples that will be posted to a public website."

Note 3
Review the web site to ensure the web site and information:
-is accurate and current.
-is suitable for dissemination.
-is secure pertinent to its sensitivity. Proprietary, export controlled, procurement confidential, Privacy Act, and other sensitive information requires adequate computer security.
-is not management required instructions.
-does not contain unsuitable links. External links must be consistent with sound public policy and in support of the web site's purpose. Links to external sites shall be clear to the user, either through explicit labeling in the link itself, or through a visual cue, such as opening a new web browser window.
-meets accessibility standards required by Section 508 of the Rehabilitation Act (29 U.S.C. 794d), which requires that members of the public and Federal employees with disabilities have access to information that is comparable to that provided to individuals without disabilities.

Each page within the web site shall display:
-the full name of the Responsible NASA Official (RNO), who must be a NASA Civil Service Employee.
-the Page Curator.
-a date. Static web pages must display the date the page was last updated. Dynamic web pages must display an appropriate date such as the current date, date the content was last updated, date the associated database was last updated, date the web page was last reviewed, etc.

For web sites that are publicly accessible:
-the home page and any web pages where substantial information is collected from the public will display a link to the Agency's official web site privacy statement, and this link must be labeled with at least the words "Privacy Statement." The URL for this statement is http://www.nasa.gov/about/highlights/hp_privacy.html.
-the home page must contain a link to www.nasa.gov.

For web sites using commercial off the shelf (COTS) interfaces:
-if the interface can be modified, the web site shall adhere to the standards set forth in this procedure.

Note 4 (Section 1)
Release, marketing, and public availability phase of web site must be completed only after Section 2 of this procedure is completed.

Note 5 (Section 1)
Web Site Content Changes include:
-Addition of subdirectories that relate to current web site information under an approved web site
-Additional pages on an approved web site
-Substantial changes to content of existing pages on an approved web site

Substantial changes to web site content must be evaluated by the organizational CSO prior to implementation. Changes involving grammatical corrections and spelling errors can be done immediately by the RNO. See Note 3 for review criteria.

Note 6 (Sections 1 and 2) Agency Web Site Registration System (AWRS)
AWRS is an Agency OCIO mandated, centralized, web-based system for conducting web site registration and web/ftp server inventory. The term web site as used by AWRS is a generic term referring to static web sites, dynamic web applications, and FTP sites. AWRS provides an easily accessible, yet secure web space data location; enhances the ability of the Centers to meet compliance mandates; provides efficient enterprise architecture management; and improves security management, operations, and support.

AWRS URLs:
-request an account: http://requestaccount.larc.nasa.gov
-register web site inventory web server (host): https://webregister.larc.nasa.gov

Note 7 (Section 2) Publishing Public Web Sites
Web sites must be fully approved in AWRS prior to being allowed access through Langley's firewall. This means that an AWRS system generated e-mail has been received by the site's registrant, RNO, and web site curator stating that the site has been approved by Langley's policy and content reviewers. External web site registrations are required to be renewed yearly, internal sites every 3 years. When notified by e-mail from AWRS that renewal of web site registration is due, complete the renewal in AWRS.

Note 8 (Sections 2 and 3)
Final IT screening includes:
-htaccess screening
-machine vulnerability screenings
-verify the machine is maintaining access logs

Note 9 (Section 3)
System configuration changes include:
-operating system changes
-hardware and software changes
-modification to access log collection
-htaccess changes
-internal/external access changes

Acronyms

AWRS - Agency Web Site Registration System
CSO - Computer Security Official
FTP - File Transfer Protocol
HTML - HyperText Markup Language
HTTP - HyperText Transfer Protocol
LaRCNET - Langley Research Center Network
OUM - Organizational Unit Manager
RNO - Responsible NASA Official
STI - scientific and technical information
TPOC - Technical Point of Contact
URL - Uniform Resource Locator
WWW - World Wide Web

Definitions

File Transfer Protocol - used to transfer data from one computer to another over the internet, or through a network.

Page Curator - A person or group performing the service of publishing and maintaining information on each web page in a web site as assigned by the Responsible NASA Official.

Public Sites - A web site that is accessible from outside the NASA network or non-NASA IP address space.

Responsible NASA Official - A NASA Civil Service employee responsible for a NASA web page or web application. The RNO is accountable for reviewing and approving accuracy, timeliness, and appropriateness of information posted on a web site, making sure that both the content and structure comply with applicable policies and guidelines.

Technical Point of Contact - An individual responsible for input and maintenance of web host information in AWRS for a NASA Center.

Web Manager - The individual at Langley who is responsible for informing Langley's web curators and Responsible NASA Officials of Agency policies and guidelines for publishing NASA content on the internet.

Web Page - A block of data available on the WWW and referenced by a URL. Typically it is a file containing HTML, although it may be dynamically generated HTML as well.

Web Server - A computer running the HTTP which, at a minimum, allows clients running web browsers to access resident web pages.

Web Site - A collection of one or more files (static content) and/or programs (dynamic content) that are accessible on the WWW using a common URL, including FTP sites.