web site setup and risk assessment

pma111 asked:
I am trying to put together some pertinent questions in regards to our corporate website, in terms of technology, hosting, support, roles & responsibilities etc. This is to assist in an independent review of the website by a 3rd party from an accessibility, performance, security etc. perspective. Can you suggest some relevant 'fact-finding' questions that you would ask if you needed to understand the setup of a website, its hosting, and all the various technology components used to develop and maintain the site? It is not something I have ever had responsibility for, so having some queries in order to get a better understanding would be most useful.
btan (Exec Consultant, Distinguished Expert 2018):
Though it is on security testing, the pre-engagement questions would add to the list that you can consider.
7.1 Network Penetration Test
7.2 Web Application Penetration Test
7.3 Wireless Network Penetration Test
7.4 Physical Penetration Test
7.5 Social Engineering
7.6 Questions for Business Unit Managers
7.7 Questions for Systems Administrators
May also want to check out the guideline for securing web servers - the short of it is how the web server is hardened and stays healthy - https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf

Other areas would be the governance, regulatory and compliance regime enforced. It can be the organisation-driven policy and people competency managing the infrastructure hosting the setup. It would likely revolve around exploring the characteristics of a cloud ecosystem, which include:

• Broad network access,
• Decreased visibility and control by cloud Consumers,
• Dynamic system boundaries and comingled roles/responsibilities between the cloud Consumer and cloud Provider,
• Multi-tenancy,
• Data residency,
• Measured service, and
• Significant increase in scale (on demand), dynamics (elasticity, cost optimization), and complexity (automation, virtualization).
Ultimately, as a cloud consumer adopting a cloud-based solution you are likely to follow the steps below, and these are areas to generate questions:

1. Describe the service or application for which a cloud-based solution may be leveraged;
2. Identify all functional capabilities that must be implemented for this service;
3. Identify the security and privacy requirements and the security controls needed to secure the service or application;
4. Analyze and select the most appropriate cloud Ecosystem architecture, by combining a cloud deployment model (public, private, hybrid, community) and cloud service model (IaaS, PaaS, SaaS);
5. Identify and select the cloud Actors involved in orchestrating the cloud Ecosystem (e.g., Provider(s) and/or Broker(s));
6. Understand the cloud Provider(s)’ and Broker(s)’ security posture and inherited security and privacy controls. Tailor the security and privacy controls to fulfill the security and privacy requirements for the particular use case or identify additional compensating security controls, when necessary;
7. Assign specific values to organization-defined security parameters via explicit assignment and selection statements;
8. Supplement baselines with additional security and privacy control enhancements, if needed; and
9. Provide additional specification information for the implementation of security and privacy controls.
Managing Cloud risk - https://ws680.nist.gov/publication/get_pdf.cfm?pub_id=919234

Scott Fell (Developer & EE Moderator, Fellow 2018, Most Valuable Expert 2013):
> in terms of technology, hosting, support, roles & responsibilities

I think you are missing out on function. That is the most important. The rest is going to depend on what the function of the site is and how much you expect to update manually vs automatically. Is this going to be a static online brochure? Or are there going to be ways to interact, obtain email or phone numbers for SMS alerts? Interact with your billing system or sell products? To me, without knowing this, it would be hard to make a suggestion for the rest.

In terms of technology, there are many ways to get to the same visual experience, and the front end is going to consist of HTML, CSS and JavaScript. That is a given. From there the real conversation should go back to functionality. What is the strategy for different devices (Desktop, Mobile, Wearable)? Is the site going to be responsive, or will there be a separate app for each device outside of a desktop (iOS mobile, iOS tablet, Android mobile, Android tablet)? If an app, will it be a responsive web app inside of a webview (frame) or native? What are the benefits and drawbacks of each? What are the costs of each? Which gives the best user experience vs. cost?

On the front-end technology, there are more choices, from using a responsive grid like https://getbootstrap.com/ or https://foundation.zurb.com/. There are also choices for JavaScript libraries such as https://jquery.com/, https://angular.io/, https://reactjs.org/ or https://vuejs.org/. My view is that unless you already have a strong opinion from experience, these types of questions should be left up to the developer. In the end, it is the functionality that you should focus on.

Next will be the back-end tech, where you have multiple choices for databases and back-end languages (.NET, PHP, Java, server-side JavaScript, Ruby). All are capable of delivering the same visual experience.

In the line of functionality is updating the site. Is this something you want to pass off to your vendor, or do you want a Content Management System (CMS) to allow your own people to update the site? If that is the case, take into consideration who is updating and what their own experience is. There are some CMS systems that are very complex and others that are easy.

Still another aspect that gets taken for granted is the design and copy. Are you going to use a pre-made theme and fit in your own images to make it your own? Or are you going to hire a right-brained designer who will be in charge of creating a custom look that gets handed over to the developers? Many times a development firm will have in-house designers, but they could be fresh out of school and lack real-world experience. Who is in charge of hiring a copywriter?

The type of questions for hosting I would ask is whether the client is in charge of hosting or the development firm? What are the benefits of each? Should you use a traditional hosting service or a cloud service like Azure or Amazon? What have they used in the past and why? What is the experience with support? See my own experience here. What are their views on using a Content Delivery Network (CDN)? How does that fit in with hosting?

Support -
Is there anything written about uptime? If the site goes down, who is responsible? First person to call? What days/times can this person be contacted? Can you contact the hosting service on your own (or do you need to go through the party managing the hosting service to do this)?

If you are using a database that is expected to have continual updates, what is the backup plan? Once a day or every hour? Is the database going to be backed up off-site? Who has access?

Physical security needs to be considered too: who can physically access the server room, is there any fire protection, surge protection...
You will want to know this especially if you are renting a dedicated server.
Scott Fell (Developer & EE Moderator):
I think it is safe to say you don't want to host a website on your own. Then, if you use any reputable hosting service or cloud host like Azure or AWS, physical access is going to be a non-issue. Azure, for instance, is secure enough to be HIPAA-compliant (as is O365) https://www.microsoft.com/en-us/TrustCenter/Compliance/HIPAA and you can check any of the traditional hosts' sites for this type of information as well https://www.liquidweb.com/about-us/data-centers/