University of Colorado Shared Web Application Environment Use Statement
This document explains standards and guidelines for information appearing on and
the use of the Shared Web Application Environment (SWAE). The University of
Colorado Denver (UCD) provides central web resources, supported by The Office of
Academic Technology and Extended Learning (ATEL) in cooperation with Information
Technology Services (ITS), to support its mission of education, research,
clinical care, and community service. This document sets forth the requirements
regarding the use of, access to, and disclosure of information residing on SWAE,
and assists in ensuring that the university's resources serve those purposes.
It is the goal of UCD to ensure that any information that is made available to
the public is accurate and consistent with the mission of the institution. It
also is the goal of UCD to enable faculty, staff and students to publish such
information in conformance with state and federal laws, including copyright
laws.
The following shall apply to web content that is hosted on the central UCD SWAE
web servers:
- All static web content and basic web forms are required to be maintained on
  the campus CMS. Users of SWAE must obtain an exemption from the campus
  content management system (CMS).
  Exemptions are granted when the existing functionality of the campus CMS
  cannot reasonably accommodate the requirements of a unit seeking to create
  or deploy a web application.
- Each new site request on SWAE will require an
  approved unique ucdenver.edu sub-domain and unique IP.
  URL requests must be submitted in advance and may take up to 10 business
  days to process. URL requests are reviewed by the UCD Web Administrative
  Team.
- If public access to SWAE content is required, a
  UCD firewall penetration rule is required. Authorized departmental
  personnel must submit their request to ITS. Site code and configuration
  will be scanned in accordance with ITS security standards. Per ITS security
  policy, issues must be remediated before penetration requests are granted.
- Quarterly security scans of the entire SWAE environment are conducted by ITS
  to ensure all code is capable of passing reasonable and customary
  penetration testing and follows coding best practices as defined by ITS.
  Unit contacts of webs failing ITS security scans will be notified of
  remediation steps necessary to bring their code into compliance. Failure to
  remediate issues in a timely manner will result in webs being removed from
  the environment to protect university computing resources and data.
- System uptime and all related configuration, application stack patching,
  monitoring and other aspects of system administration will be the
  responsibility of ATEL. Units are responsible for all other aspects of
  their application code and support.
- ATEL will provide 24/7/365 operational support for the environment and
  normal UCD business hour technical support.
- Access to SWAE will be granted only to existing UCD employees or sponsored
  users via their Active Directory accounts.
- ATEL will provide 30 days' notice to the SWAE developer community and unit
  heads to prepare for all system-wide changes. In alignment with common
  application development practices, university units are strongly encouraged
  to maintain a test and development environment to facilitate application
  functionality in anticipation of system changes and development efforts.
  Provisioning or support of test environments is not within ATEL’s support
  scope.
- University units engaged in the development, purchase, or commissioning of
  web applications housed on SWAE are responsible for the maintenance of the
  underlying code and functionality on an ongoing basis. This includes, but
  is not limited to, re-factoring code when necessary to accommodate changes
  in the server environment including all hardware and software changes.
  ATEL can provide assistance, for a fee, to units to maintain their
  application code on a best effort and availability basis.
- 24/7/365 web content availability is key to institutional credibility. All
  Units with content on SWAE will appoint a qualified current UCD employee, or
  UCD sponsored user, as a point technical contact should issues arise with
  their SWAE content. Contact information will be kept current with ATEL to
  ensure issue escalation can take place should it become necessary. In the
  event of content availability interruption, ATEL will be responsible for
  passing issue resolution to the unit contact once root cause diagnosis
  efforts have ruled out issues related to ATEL’s scope of responsibility. If
  contact cannot be made with the specified unit contact, ATEL will
  temporarily replace content on the affected site with a standard temporary
  maintenance page until content can be restored.
- All anonymously accessible UCD web content with an approved firewall
  penetration rule must adhere to the
  UCD Web Identity Standards Guide and
  Web Publishing Policy on an ongoing basis.
- All web pages must conform to rules governing public institutions in
  Colorado as well as to applicable state or federal laws including export
  laws and regulations.
- Departmental pages may not be put to inappropriate uses which include:
  - Material that does not reflect the overall mission and the professional
    integrity of UCD.
  - Information that is proprietary or confidential to UCD.
  - Personal, commercial uses which could result in a financial benefit for
    the page owner or his/her associates.
  - Use of any personal information that is not public record pertaining to
    other individuals without their express written permission.
  - Use of any images or data that are abusive, obscene, harassing,
    threatening, or discriminatory.
  - Use of any images or data that violate other University of Colorado or
    UCD policies (e.g., Sexual Harassment Policy) or local, state, or
    Federal laws.
  - Creation of direct hypertext links to abusive, obscene, harassing,
    threatening, or discriminatory material.
  - Use of materials whose nature or volume compromises the ability of the
    system to serve other users' documents and web pages.
  - Any use which constitutes academic dishonesty.
  - Use of departmental pages to engage in illegal activity.