Pau Lo
asked on
web site setup and risk assessment
I am trying to put together some pertinent questions in regard to our corporate website, in terms of technology, hosting, support, roles & responsibilities, etc. This is to assist in an independent review of the website by a third party covering accessibility, performance, security, etc. Can you suggest some relevant 'fact finding' questions that you would ask if you needed to understand the setup of a website, its hosting, and all the various technology components used to develop and maintain the site? It is not something I have ever had responsibility for, so having some queries in order to get a better understanding would be most useful.
Physical security needs to be considered too: who can physically access the server room, is there any fire protection, surge protection, ...
You will want to know this especially if you are renting a dedicated server.
I think it is safe to say you don't want to host a website on your own. If you use any reputable hosting service or cloud host like Azure or AWS, physical access is going to be a non-issue. Azure, for instance, is secure enough to be HIPAA-compliant (as is O365): https://www.microsoft.com/en-us/TrustCenter/Compliance/HIPAA. You can check any of the traditional hosts' sites for this type of information as well: https://www.liquidweb.com/about-us/data-centers/
http://www.pentest-standard.org/index.php/Pre-engagement#General_Questions You may also want to check out the guideline for securing a web server; the short of it is how the web server is hardened and kept healthy: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf
Other areas would be the governance, regulatory and compliance regime enforced. It can be the organisation-driven policy and the competency of the people managing the infrastructure hosting the setup. It would likely revolve around exploring the characteristics of a cloud ecosystem, which include: Ultimately, as a cloud consumer adopting a cloud-based solution, you are likely to follow the steps below, and these are areas from which to generate questions: Managing Cloud Risk - https://ws680.nist.gov/publication/get_pdf.cfm?pub_id=919234