
STANDARDS FOR THE BUILDING OF WEBSITES HOSTED ON THE GOV.MT DOMAIN SECURITY REQUIREMENTS FOR HOSTING OF WEBSITES BY ISPs UNDER THE GOV.MT DOMAIN. Presented by FRANCIS DARMANIN HEAD COMPLIANCE AND AGENT MANAGEMENT and ALBERT CARUANA HEAD INFOSEC Monday 15th December 2003.


Presentation Transcript


  1. STANDARDS FOR THE BUILDING OF WEBSITES HOSTED ON THE GOV.MT DOMAIN SECURITY REQUIREMENTS FOR HOSTING OF WEBSITES BY ISPs UNDER THE GOV.MT DOMAIN Presented by FRANCIS DARMANIN HEAD COMPLIANCE AND AGENT MANAGEMENT and ALBERT CARUANA HEAD INFOSEC Monday 15th December 2003 OFFICE OF THE PRIME MINISTER

  2. GOVERNMENT OF MALTA WEB STANDARDS AND SECURITY FOR WEBSITES HOSTED UNDER THE GOV.MT DOMAIN
     THE WEB STANDARDS
     Presented by FRANCIS DARMANIN – Head Compliance and Agent Management
     • Steps required in hosting a website on gov.mt
     • What about the testing of the Website?
     • Are there any exceptions?
     • How can you ensure quality in your website?
     • Some final considerations…

  3. Steps required in hosting a website on gov.mt
     • The owner of the website applies for a domain name (application form on the CIMU website).
     • An application is made to CIMU by the owner of the website to have the website tested to ensure conformity to the CIMU web standards (application form on the CIMU website).
     • A date will be given when the website will be tested by the MITTS Ltd. Quality Assurance unit Testing department.
     • The website is tested by the MITTS Ltd. Quality Assurance unit Testing department. If errors are found, the website will be returned to the owner/supplier with the error report and the owner informed.
     • It is the responsibility of the owner to ensure that the supplier carries out the changes or fixes and the website is returned for testing on the agreed date.
     • A Certificate is issued and the website can be hosted.

  4. What about the testing of the Website?
     • The website will be presented for testing by the supplier on the appointed date with the knowledge of the owner.
     • The website is tested and if errors are found an error report will be given to both the owner and the supplier. A date will be agreed when the site is returned for the second iteration.
     • The site will be tested again and if further errors are found the procedure as in bullet 2 will be carried out.
     • CIMU will accept responsibility for the testing fees for a maximum of 3 iterations. Further iterations will be paid for by the owner. It is recommended that this part be agreed between the owner and the supplier when preparing the contract. A list of these additional costs is available on request.
     • It is the responsibility of the owner to ensure that the supplier carries out the changes or fixes and the website is returned for testing. It is also important that the supplier adheres to the standards and supplies quality code and functionality.

  5. Are there any exceptions?
     • The MITTS Quality Assurance unit testing department applies an incident level to the errors found. Functionality errors carry a 1 and 2 error level and must be fixed without exceptions.
     • Non-conformance to standards carries an error level 3 and must generally be fixed. If the error is trivial, an extension of a maximum of 3 months may be granted, due to time constraints, to fix these after the site has gone live. In this case the certificate issued will carry this condition.
     • Errors 4 and 5 are recommendations of good practice and, while recommended, will not be made mandatory.
     • If an extension is granted, an audit will be made after the three month period and CIMU reserves the right to take the website offline until these are fixed under the condition granted.

  6. How can you ensure quality in your website?
     • CIMU will be keeping a record of each website builder and the number of testing iterations that had to be made before the website went online.
     • This record will be available to the IMOs or whoever is responsible for drawing up the contract with a third party supplier.
     • This will enable the person wanting a website to evaluate the track record of any particular supplier.
     • It is in the interest of third party suppliers to build quality code into their websites.
     • This will give website builders an incentive to be at their best by simply creating a good track record, thus ensuring a build-up of satisfied clients.

  7. Some final considerations…
     • Your website will not be accepted for testing unless you guarantee that it is completely finished.
     • The web standards are available on the CIMU website http://www.cimu.gov.mt
     • The standards are constantly being updated and we would like to invite feedback as to how these can be improved. Please send a mail to cimu.gov.mt
     • Our primary interest is to help you deliver quality websites. It is in your interest to ensure that you keep the number of testing iterations to a minimum.
     • This will help you obtain a good rating and increase your potential for future business.

  8. QUESTIONS?

  9. Coffee break

  10.
     • Web Hosting Security Policy has been published on CIMU website
     • Web site design guidelines have been published on CIMU website
     • Implied Requirements to ISP and to web hosting company

  11.
     • Head of third party Web hosting services provider
        • To have publicly declared target dates to achieve accredited certification to MSA BS 7799 Part 2:2003 for the scope of applicability of this Policy. (ISO/IEC 17799 part 2)
        • To operate Web hosting services according to the provisions of this Policy.
        • To establish and maintain its own DMZ.
        • To audit for Security Conformance.
        • To conduct timely and effective follow-up action to satisfactorily close items arising in internal and external security audits.
        • To keep updated on vulnerabilities that affect the Web hosting and have the latest security fixes in place.
     • Head of Internet services provider
        • To operate according to the provisions of the Declaration of Security Conformance issued by the third party Web hosting services provider.

  12. Implications:
     • Audit of the DMZ devices
        • New or modified devices?
        • New or modified network settings (routes, VLANs)?
        • New or modified set of internet-visible network services (news, ntp, pop3, mms, back orifice, subseven trojan …???)
        • New or modified internal services?
        • Are the people who access the system authorized?
        • Is the website being attacked?
     • Processes to enable auditing

  13. Implications:
     • Security Operation Procedures
        • Regular review of logfiles
        • System configuration checks / change management
        • Need of patches, need of changes in security settings
        • VA-scanners e.g. Nessus, Cybercop, ISS
        • Review of who has access and how
        • Tripwire for Windows etc.
        • Intrusion Detection System and review of output

  14. Implications:
     • Incident and alert response procedures
        • Alerts:
           • Evaluation of incoming alerts of POTENTIAL vulnerabilities
           • Clarity for path forward
           • Customer information procedure
           • Sign-off by customer to path of action

  15. Implications:
     • Incident and alert response procedures
        • Incidents (security or technical)
           • Initial evaluation
           • Risk / urgency classification
           • Forensic approach (or keep off the grass) to preserve evidence and not disturb the scenario of the incident
           • Recovery process
           • Notification processes

  16. Security Stewardship
     • Positive feedback and well-meaning advice to customers that certain aspects of the website may not be secure or best practice
     • Escalation through content manager/website manager, IMO (ISO) of the responsible Ministry to CIMU if needed
     • Restriction of access to production internet sites

  17. Security Stewardship
     • Positive feedback and well-meaning advice to CIMU that certain aspects of the website security policy may not be best practice
