MacSites Security – Site Content and Form Data Collection Guidelines
Security should always be a focus for any web project, but with so many people working from home, it has become more important than ever.
The primary purpose of any website is to provide information to an audience and solve specific problems. But without having specific discussions regarding privacy and security with a site provider, it should be assumed that anything published or stored on a site is public.
The MPS Web Team has built-in security features to keep sites locked down from login attacks. These measures are primarily meant to protect sites from having content modified or wiped by a cyber attack.
MacSites are public sites, and information listed and captured on them should be for an open audience. MacSites do have the ability to add password protection to individual pages. However, this should never be implemented or modified without working directly with the MPS Web Team and having an explicit discussion regarding how to do this and what can be posted.
This article will outline site content and form guidelines. Following these guidelines ensures that the correct information is posted and/or collected. The information below is intended to educate content managers on what should and shouldn’t be included on a MacSite.
What to Share/Publish – Basic Guidelines for Site Content
Here are some general rules to help decide what information should be listed on a site.
1. Content/copy on your site, whether in use or not, is public.
It’s rare to have a site with only one content manager. For this reason, it’s crucial to remember that anything on your site could be published or un-published by anyone on your team. This means there should never be information or content saved on a site that your team wouldn’t want to be made public.
2. Any files in your media library (images, PDFs, etc.) on your site, whether published or not, are public.
An important note for MacSites and WordPress is that all media files saved to your media library are public. Whether or not there is a link to the file or image on a page on your site, with the right tools they can all be accessed.
A site should never be used as a file share system for files that are not public. There are alternative solutions listed at the end of this article to use for this purpose.
3. Pages with password protection.
Pages can be set up within MacSites to be password protected.
In order to do this, there needs to be a discussion with the MPS team to ensure the flow of information has been secured and that the private pages are not sharing files or images that must also be private. Even if a page is password protected, the files, images and linked pages posted to it are public. (See item 2)
4. Use lorem ipsum for layout/design testing.
If your team is trying to test a new layout or creative idea (or if there is public information that you just don’t want to be shared quite yet), the best thing to do is to use lorem ipsum to lay out the page. This will remove the risk of accidentally publishing information before you want it to be public. It’s tempting to grab a file on your desktop with the intention of deleting it before anyone sees it, but this is strongly discouraged.
For a list of fun and helpful lorem ipsum generators, please refer to the list at the end of this article.
What to Collect – Basic Guidelines for Forms
Forms are a wonderful tool to add to your site to facilitate communication or provide a service. However, the information collected should be limited to what is allowed to be collected in accordance with McMaster’s Privacy Policy.
Here are some general rules to help decide what information should be collected via the form on your site.
1. Forms should only collect simple/basic information. It should be limited to only what is needed in order to provide a specific service.
2. Forms should only collect information in accordance with the McMaster Privacy Policy. If you’re unsure, please contact the Privacy Office (University Secretariat) at privacy@mcmaster.ca.
3. Form entries should be deleted when they are no longer required. It’s good practice to periodically purge form entries that have already been addressed. It’s also good practice to delete a form (and its entries) entirely when it’s no longer being used.
4. The information collected in a form should only be used for the purpose for which it is collected. For example, if there is a generic contact/question form on your site, the email addresses should not be automatically added to a newsletter list without a user’s consent.
5. Data/information should not be shared with other teams or departments. When entries come into a form on a site, unless the user has given the appropriate consent, the information shouldn’t be shared outside your team/department.
6. Forms should include contact information for the Privacy Office. The MPS Web Team is able to provide a general statement and add it to your form if needed.
7. Users should be able to correct/remove submitted form entries. Forms should include a section with contact information that a user may use to contact someone with the request. The MPS Web Team is able to provide a general statement and add it to forms if needed, but a contact from your department must be provided.
Alternative Tools for Managing Secure Content
File sharing alternatives:
– Microsoft OneDrive (included with Office 365)*
Forms alternative:
– Microsoft Forms (included with Office 365)*
Other resources:
– For more information on document storage guidelines, check out the McMaster Document Storage Guidelines
Lorem ipsum generators:
Hopefully, the information above is helpful and provides clear guidelines that assist content managers with structuring their sites. The best advice to follow is that if there is any doubt when it comes to forms or content, don’t post it or collect it without checking with the MPS Web Team.
* Please contact UTS with any questions regarding this service.