ISC Web Hosting Service
Web Hosting Terms of Service
All customers should be aware of ISC's Terms of Service for web hosting, including what is and is not included in web hosting service.
- Maintain highly available, physically secure and redundant web servers as described in our Web Hosting Service Details and Technical Specifications.
- Maintain highly available services as described in our Web Hosting Service Details and Technical Specifications, including daily backups of user and system data and Akamai caching.
- Patch and maintain ISC-run server software (PHP, MySQL, Perl, Python, OpenSSL, Apache and Apache server modules).
- Provide customers with access to daily activity logs and weekly summary activity reports.
- ISC does not monitor web traffic or scan for suspicious activity.
- ISC reserves the right, at its discretion, to apply security and performance patches to customer sites in situations that would otherwise be the customer's responsibility, such as cases where doing so preserves operational integrity and security. In such cases, ISC will notify providers of such changes after the fact.
- Develop and maintain all content.
- Ensure all applications are coded in a secure manner and with the appropriate level of access. For example, apply the principles of the OWASP guides for development, code review and testing to secure application design, development and deployment. At a minimum, applications should address the vulnerabilities defined in the OWASP Top 10 list.
- Patch and maintain all software and tools that are not administered directly by ISC, including, but not limited to, Drupal, WordPress, Joomla, JavaScript and jQuery.
- Make use of encryption for storing form results that may contain sensitive information.
- Purge application data stored in the database and network as appropriate.
- Abide by all University regulations regarding appropriate use of electronic resources.
- Regularly review daily activity logs and weekly summary reports provided by ISC.
- Regularly assess the security of applications, sites, and platforms, including security scans for new and modified applications.
- For hosted databases, enforce strong password rules to ensure that passwords are resistant to dictionary attacks and meet ISC's basic password selection rules.
- Register web sites and platforms that house confidential or highly sensitive University data with ISC as Critical Components. This will result in regular platform vulnerability scanning by ISC Information Security.
- Annually complete a site profile that lists elements and data that are used by your site.
- If the site is handling any sort of sensitive data as defined in the Computing Security Policy, it is the responsibility of the customer to perform an annual Security and Privacy Impact Assessment (SPIA). Customers should feel free to reach out to ISC if they need help with this assessment.