Checking non-public-facing websites
Some UC locations (not all) allow site owners to use Siteimprove to scan a password-protected site, as long as it contains no sensitive information and the owner accepts a security statement.
- Site owner completes a form to request a scan of a non-public-facing site and accepts a security statement.
- After the form is submitted, the location Siteimprove admin, the site owner/sender, and firstname.lastname@example.org receive an auto receipt: "For security reasons, your location Siteimprove administrator must authorize use of Siteimprove on your non-public-facing website. Siteimprove will not proceed without receiving approval from your Siteimprove location admin. Your location admin will respond to you and Siteimprove with a decision."
- The location admin responds to "all" with an email, which may describe an internal location step, such as "We will discuss your request internally with security and then respond to you with a decision."
- After the location internal steps are completed, the location admin sends a message to all, including the site owner (so that Siteimprove has access to their email address), to either "approve or deny" the request.
- If it's approved, the location admin includes for Siteimprove the correct naming protocol and tags for the site.
- Upon receiving an "approve" email, Siteimprove emails the site owner to explain they need to receive the site credentials and to request a time to call the site owner.
- Upon coordinating a time, Siteimprove calls the site owner to get the site credentials.
- Once Siteimprove confirms to the location admin that the site has been successfully crawled, the location admin is responsible for assigning the appropriate site access to any additional users beyond the site owner.
Security Statement for Scanning Non-Public-Facing or Password-Protected Sites
No sites with PII, PHI, or other confidential information should be scanned. Siteimprove reports capture a point-in-time copy of your website and all the information presented. That copy, including any sensitive data, could be forwarded to people who are not authorized to have access to it. Note that the non-public-facing or password-protected site to be scanned must be available over https or through the location's VPN, and should be in a development environment with no access to production data.
If you have a non-public-facing or password-protected site that does not contain confidential information and that you'd like to scan using Siteimprove, you as the site owner must:
- Consult with your location's Information Security Office.
- Create a dummy access account with an expiration date (don't use your own credentials). Be sure the credentials are secured, unique, and do not have access to other systems.
- Use a strong password (pdf).
- Routinely spot-check the access logs to ensure that only Siteimprove IPs are using that login. If you don't know how to find this information, check with your application support team.
- Routinely spot-check the usage of dummy access accounts, ensuring dormant accounts are disabled and privileges revoked.
- Follow UC policy, IS-3 Electronic Information Security (pdf).