Web standards and procedures

These standards are designed to ensure the sustainability of UCSC websites and to improve clarity on responsibility and costs associated with website and application management, hosting, and development.

University of California, Santa Cruz aims to help create websites that utilize industry best practices and are compliant with policies set forth by the federal government and the University of California.  UCSC websites and applications must meet defined UCSC information security, accessibility, and identity standards.  

This includes digital resources and information technology hosted, developed or provided by third parties (also known as suppliers).


Register your website or application

Standards

  • In order to sustain continuity and ensure accessibility and information security, a list of existing websites (those containing an *.ucsc.edu URL) will be kept by Information Technology Services (ITS) Web Services.
  • All new websites and applications will register with Web Services.
  • All existing websites and applications will coordinate with their website liaisons to ensure local units are aware of local websites and applications connected to their division, department, school, college, or unit.  

Procedure

  1. At the time of requesting a new website or hosting, Web Services will track a record of all websites and applications. 
  2. Website liaisons will coordinate with Web Services to document existing websites and applications and relay updated local lists of websites and applications. 
  3. Registration will include: website URL, site contact/owner, and email address.

Hosting on UCSC servers

Standards

  • All divisions, departments, schools, colleges, or units that design, create, develop, purchase, manage, administer, host, and/or support digital resources and information technology intended for human interaction or engagement for the purposes of teaching, learning, research, service, employment, administration or other university functions at UCSC must meet defined UCSC information security, accessibility, and identity standards.

Procedures

  1. Register all websites with the Web Service.
  2. All requests for websites, hosting, or other web services must go through the Web Service.
  3. Do not share credentials among the people administering your website, web app, hosting provider, etc.
  4. Noncompliance can lead to refusal to host at launch of the website or application. For existing websites and applications, a review process will be initiated to help bring the website or application up to standards before hosting is approved.

Responsibilities

  • Website owners are responsible for ensuring their web content meets accessibility, security, and identity standards, even when outsourcing website work.
  • The Web Service is responsible for hosting, WordPress Theme maintenance, Theme iterations, site performance, WordPress plug-in functionality and maintenance, content strategy training, questions, status communications, and support for all websites using the UCSC WordPress theme as outlined in the UCSC WordPress Service Level agreement.
  • Any development outside of the standard UCSC WordPress theme, while hosted on UCSC servers, is considered custom development. In this situation (for example, use of a different theme), Website Owners will be responsible for the ongoing functionality, support, maintenance, development, security, updates, accessibility, and identity standards for their Content Management System and associated themes and plug-ins.

Domain names (CNAME)

Standards

Campus domain names (e.g., unitname.ucsc.edu) in the UCSC domain are jointly approved by Information Technology Services and University Relations who may authorize, deny, or reclaim the use of Domain Names. Permission to use a UCSC Domain Name should generally be granted only to meet campus-wide strategic communication objectives. All promoted UCSC Domain Names should take visitors to sites that are in compliance with UCSC Web Standards.

  • Individuals registering domain names outside the UCSC domain that serve an official university purpose are advised to consult with Information Technology Services, Web Services prior to launching a site on that domain.
  • The following UCSC Domain Name standard outlines the names that are permissible and those that are not. It also describes the type of naming requests that may be considered.
  • Categories that may be granted with permission include:
    • Academic and Administrative Divisions (e.g., science.ucsc.edu)
    • Academic departments (e.g., politics.ucsc.edu)
    • Colleges (e.g., stevenson.ucsc.edu)
    • Major administrative units (e.g., police.ucsc.edu)
    • Well-established research centers or other activity centers (e.g., seymourcenter.ucsc.edu)
    • Functional names (e.g., news.ucsc.edu)
    • Recurring annual events (e.g., http://pacificrim.ucsc.edu/)
    • Student Organizations (e.g., sua.ucsc.edu)
  • Campus Domain Names will not be granted for the following uses in the interest of consistency and persistence of information:
    • Individual pages, including student pages (Official profiles should exist within the department site structure, and may provide links to individual pages)
    • Courses
    • Shortcuts (redirects) to a single page in an existing website
    • Sites that only need to exist temporarily (e.g., one-time events)
    • To enable multiple names to point to the same site (Multiple names should be handled through redirects when necessary)
  • Third and fourth level domains
    • Decisions to create third or fourth level domains (e.g., name.science.ucsc.edu, or first.last.science.ucsc.edu) should be made by local website liaisons and their respective organization leadership for strategic alignment. 

Procedure

  1. Requests should first be discussed with the local website liaison for the division or department for approval, to ensure identity standards for the division/department. 
  2. Requests for domain names (CNAME) should be submitted at the time of requesting a website or application. The full context of the request, including the name of the person and unit requesting, the requested domain name, and the context for the request, will be shared with Web Services and University Relations.
  3. Web Services will approve the domain name (CNAME) and consult with University Relations if needed.
  4. Requests for domain names are subject to approval by University Relations, in a timely manner. 

Information Security

All UCSC websites must meet minimum security controls, as outlined by UCSC Information Technology Security and the University of California Electronic Information Security Policy and Data Security Policy (pdf).

Standards

  • Public facing websites can contain data and information from protection levels P1 and P2. However, exercise caution with P2 data as defined in the UC Institutional Information Security Policy.
  • Any website customizations outside of services provided by the ITS Web Services may be subject to security review, including websites, software, and applications.

Procedure

  1. Complete required security awareness training for all UC employees.
  2. Keep software up to date, and be aware of security bulletins and critical vulnerabilities.
  3. Be careful of what you put on your site. All HTML comments and JavaScript code can be seen by site users.
  4. Review user accounts for your site on a regular basis. Remove user accounts no longer performing admin tasks or content creation.
  5. Be cautious of allowing non-authenticated guests to submit data through forms, especially files.
  6. Do not share credentials among the people administering your website, web app, etc.
  7. Create unique logins and passwords for each person that works on your site.
  8. Intranets that may include use of P2 data should use some level of authentication for access. 

Accessibility

Standards

  • UC System policy (pdf), contract and purchasing guidelines require that all electronic products or services procured by the University be accessible to individuals with disabilities.
  • All divisions, departments, schools, colleges, or units that design, create, develop, purchase, manage, administer, host, and/or support digital resources and information technology intended for human interaction or engagement for the purposes of teaching, learning, research, service, employment, administration or other university functions at UCSC must meet Web Content Accessibility Guidelines. This includes digital resources and information technology hosted or provided by third parties.
  • Examples include websites, electronic documents, audio, video, web applications, mobile applications, and software, in addition to related, university-provided IT hardware and other IT devices that are a part of the user experience.
  • Prior to submitting a requisition for electronic products or services, end users should review the UCOP Accessibility Guide. N.B.(pdf). Any website or application hosted on UCSC servers or using a ucsc.edu domain needs to be compliant with WCAG 2.0 AA standards. 

Procedure

  1. Follow UC System policy and contract and purchasing guidelines in outsourcing and developing accessible websites and applications.
  2. Use SiteImprove, a third-party tool that helps content authors identify broken links, misspellings, ADA compliance issues, Search Engine Optimization (SEO), and application or server response. 
  3. Check your websites for accessibility.
  4. Conduct quality assurance testing of any web content before publishing.

Identity 

Standards

  • Follow existing identity standards set forth by UC Santa Cruz Communications when it comes to website editorial, voice, tone, logo placement, typography, and color. 

Quality assurance

Standards

  • All websites hosted by UCSC servers will conduct a quality assurance (QA) review before launch to ensure accessibility, usability, and design.

Process

  1. Website owners will conduct a quality assurance review of their own content as part of their migration or review process. A template will be provided by the Web Service.
  2. The Web Service will conduct a review to check websites for accessibility problems and broken links. A report will be provided to the website owner to remediate.
  3. The Web Service will conduct a heuristic review for websites in a reasonable time frame before launch, including a report noting any usability problems and recommendations for remediation. 

Outsourcing

Hiring a supplier (also known as a design/digital agency, third-party company, or individuals outside of UCSC) to perform work involved in a website redesign may be part of a successful strategy.

Guide: Outsourcing your website redesign

Standards

  • All divisions, departments, schools, colleges, or units that design, create, develop, purchase, manage, administer, host, and/or support digital resources and information technology intended for human interaction or engagement for the purposes of teaching, learning, research, service, employment, administration or other university functions at UCSC must meet defined UCSC Information Security, accessibility, and identity standards, regardless of whether they are designed, developed, or maintained by a supplier/outside vendor or contractor. 
  • Written contracts are required any time the campus engages in a transaction with an outside entity for the procurement of goods or services.
  • Ensure the sustainability, costs, and workflows of the work you are getting help with.
  • Insurance requirements must be met for contracted suppliers/vendors.

Procedure

  1. Assume you will build with WordPress on CampusPress
    1. Themes:
      1. Should follow WordPress theme standards.
      2. Should be developed using theme unit test data.
      3. Should pass theme check.
    2. Plugins:
      1. Should follow CampusPress code guidelines.
      2. Should follow WordPress plugin guidelines.
    3. Interoperability:
      1. Identify sources of external data and verify you have access.
  2. Contracted UCSC vendors/suppliers should be given first priority to ensure proper vetting, contract, and insurance requirements are met.  Early engagement with ITS and the Unit Information Security Lead is encouraged to discuss the types of data expected to be used on the website/application.
  3. Suppliers must answer and submit questions included in the University of California System Web Accessibility Requirements (pdf). 
Last modified: Sep 28, 2023