Policy statement

This control procedure defines the University’s approach to developing and securing applications, websites and web services, and directly supports the following policy statement from the Information Security Policy: 

Information security requirements will be defined during the development of business requirements for new information systems or changes to existing information systems. 

Controls to mitigate any risks identified will be implemented where appropriate. 

Systems development will be subject to change control and separation of test, development and operational environments. 

Audience

This procedure is intended to be read and understood by staff involved in the ownership, commissioning, design or development of web services processing University information or hosted on University infrastructure. 

Control statements

This control procedure refers to all web services, from traditional content-based externally-facing web sites such as www.mmu.ac.uk to web-interfaced applications such as the University’s HR or recruitment systems. 

The University expects our entire digital estate to be built following best practice development principles. This includes sites that are hosted outside the University’s IT Network. 

The University adopts Gov.uk design principles (www.gov.uk/guidance/government-design-principles) as the foundation for our digital estate and recommends all websites adopt these as well. 

  1. Site requests
  2. Development and hosting standards
  3. Branding standards
  4. Accessibility requirements
  5. Legal and External Compliance Requirements
  6. Third Party Content and Advertising requirements

1. Site requests 

New stand-alone sites or applications interfacing with the corporate website should be requested via the University’s central web team. Web interfaces to applications should be discussed with IT & Digital. 

2. Development and hosting standards

  • All websites should be built using the latest coding standards for HTML, PHP, JavaScript and CSS. 

  • The following open source CMS solutions can be used: Drupal, WordPress 

  • All backend/app development should be completed with a modern open source framework, preferably Laravel 

  • All websites must be compatible with the latest and 2 previous full versions of all major desktop, mobile and tablet browsers (Chrome, Firefox, Safari, Opera, Edge) and Internet Explorer 11 

  • All websites must be optimised to meet double A GTMetrix standards (https://gtmetrix.com/) 

  • All websites must be hosted on https 

  • All code must be well structured and documented 

All MMU sites must be developed with security in mind. Developers should be able to demonstrate consideration of OWASP (Open Web Application Security Project) security risks and associated mitigations in both design and testing: www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

The LAMP stack is the default development environment. However, other supported platforms and versions exist (see Other platforms for further information). 

  • MMU Provisioned CentOS 6 (Under approved migration plan) 

  • MMU Provisioned CentOS 7 

  • PHP 5.6 & PHP 7.0 (Under approved migration plan) 

  • PHP 7.1, 7.2 

  • MySQL v5.7 & v8.0 

  • Oracle Client 11.2, 12.1 & 12.2 

Other codebases will be reviewed by IT & Digital on a case-by-case basis. 

Websites must only use databases provided and secured by IT & Digital unless the solution is hosted externally. External solutions will have the architecture reviewed prior to approval and will be subject to regular scans and reviews. 

All Windows systems should adhere to the University’s approach to versioning, running the latest stable version of software, and no older than the previous version provided that it remains supported. 

All sites must be scanned weekly by IT & Digital using the current approved solution. Periodically sites will be scanned using an external agency; prior warning may not be provided and the website should be capable of handling this additional load. 

All internal solutions must be included in the IT & Digital patching/update schedule. Externally-hosted solutions must be able to demonstrate how patching/updates are applied in line with the University’s standards: www2.mmu.ac.uk/isds/information-security/policies/threat-vulnerability-management/ 

Other platforms 

The University’s preferred approach to hosting is to ensure that all sites are hosted on University managed and maintained environments (as described above). Subject to approvals being sought through the Digital Compliance Working Group, and the hosting meeting the criteria outlined below, the following hosting providers are permitted. 

Provider | Specific criteria
Wix | The hosting package must be ‘Combo’ as a minimum.

General criteria 

Sites hosted on platforms other than the University’s preferred solution must adhere to the following: 

  1. No personal data should be stored on the site. This includes the transmission of enquiries through enquiry forms. 

  2. No advertising will be present on the website (e.g. the hosting platform’s logo). 

  3. No references will be made to the hosting provider on the website (e.g. it must not contain the text ‘Hosted by Wix’). 

  4. The site must be secured with an SSL certificate. 

  5. The site owner must commit to ensuring any plugins are regularly and routinely updated. 

3. Branding standards 

All websites must comply with the University’s brand guidelines, and be approved by the brand team.  For more information please visit:  https://www.mmu.ac.uk/brand/

4. Accessibility requirements 

All websites must meet WCAG 2.1 AA accessibility standards. This is required of all public sector organisations. More information can be found at www.gov.uk/guidance/accessibility-requirements-for-public-sector-websites-and-apps. For a complete set of the guidelines please visit W3C (www.w3.org/WAI/standards-guidelines/wcag/). 

When the website is submitted for approval to go live, the site will be scanned (using SiteImprove.com) and any non-compliant issues will be highlighted.  All non-compliant issues must be fixed prior to launch. 

5. Legal and External Compliance Requirements 

Our digital estate must be data protection compliant. Wherever personal data is processed in a new system or process, there is a change to an existing system or there is a new use of an existing data set, a data protection assessment must be undertaken as guided by the Data Protection Assessment Procedure. This ensures that all relevant data protection risks and issues associated with the site or app are considered, managed and appropriately documented. The scale of assessment should be determined by and be proportionate to the information risk. This is in line with the University’s Privacy by Default and Design approach, and need for demonstrable compliance with data protection legislation as set out in the University’s Data Protection Policy.

All sites and apps should have an identified Information Asset Owner (IAO) and Information Asset Manager (IAM) for any personal data which they obtain and process. It is the IAO or IAM who will sign off the data protection assessment and accept any residual risk. Sites and apps should have an appropriate and data protection compliant privacy notice. This should be agreed with the Data Protection Officer or a representative as part of the assessment process. For further information about privacy notice requirements, including templates and example notices, see the Privacy Notice Intranet Page. If a site or app intends to capture consent of data subjects, perhaps for a marketing purpose, consent should be captured and managed in accordance with data protection requirements as set out in the Lawful basis: Consent Intranet Page.  Our digital estate must comply with cookie requirements as outlined within the Cookie Requirements Intranet Page.  

For more information on information governance and data protection visit the Information Governance Intranet Site. Questions on data protection, GDPR, data privacy and compliance assessment should be addressed to the University’s Data Protection Officer: dataprotection@mmu.ac.uk. Tel: 0161 247 3884 

6. Third Party Content and Advertising requirements 

All websites must comply with the following requirements. 

  • Save as to advertising (which is described below), third party content may be used on websites; however, in such circumstances: 

      • The website owner must ensure a written agreement exists between the third party content provider and the University, and that the agreement is approved by legal. 

      • The website owner must ensure clear and explicit parameters which will determine what and how third party content will be served on the website. 

      • Data sharing with third parties is not recommended. In the event it is either required or adds value to the relationship, a data sharing agreement must be in place with the third party provider. The data sharing agreement between the third party content provider and the University must be approved by legal and the Head of Information Security. Without such agreement, no data will be shared with the third party content provider. 

      • The third party content provider must comply with our information security standards, all legal and regulatory compliance, and accessibility requirements to the standards to which the University must adhere. 

  • Third party advertising is not permitted on any website. This may include, but is not limited to: 

      • Platforms such as Google Adsense and DoubleClick 

      • Direct relationships with other organisations 

Compliance

Failure to comply with this procedure could result in action in line with the University’s Disciplinary Procedure or Capability Procedure. 

Compliance checks will be undertaken by the University’s Information Governance functions. The results of compliance checks, their risk assessment and their remediation will be managed by the Information Security Board. Actions taken by the Information Security Board in respect of non-compliant applications or websites can include taking the application or website down. 

Related documents

This control procedure needs to be understood in the context of the other policies and procedures constituting the University’s Information Security Management System. 

Browse Information Security policies and control procedures

Review

A review of this policy will be undertaken by the Information Security team annually or more frequently as required, and will be approved by the Information Governance Board.