Web Hosting - Restricted Data

The Web Hosting Service has designated Linux and Windows hosting platforms that are specifically designed to secure restricted data, as defined by the office of Cybersecurity.

Platform Security

These platforms are more secure for several reasons:

  1. They reside on designated restricted data subnets and have more restrictive firewall rules in place. For example: Web-based access to the Administrative Control Panel and Secure FTP publishing are both exclusive to the static IP addresses of the developers who require access.
  2. Individual administrative accounts (Secure FTP, Admin Control Panel, etc.) are supplied to each developer who will require access
  3. Additional security software tools are used to monitor the restricted data platforms.
  4. All sites are required to use SSL certificates and encrypt server-client data transactions.
  5. Web applications are segregated. For example: Each application on the Windows/IIS platform has its own application pools and IUSR accounts. This allows for sand-boxed applications/processes and highly granular permissions.

Hosting Restricted Data

Hosting restricted data requires special precautions. If your site needs to handle restricted data, you must sign up for a Platinum Service Level account.

In addition, before your web hosting account is in production a review with Office of CyberSecurity staff and DoIT's Web Hosting team will take place.

It is incumbent upon the restricted data account contacts to apprise the Web Hosting Service as to when a staff member with access, no longer requires access--we will remove the account(s) and firewall access and update our records.

Note:

PCI

-- The restricted data platforms are NOT fully PCI compliant to process credit card data directly but offer limited PCI compliance for storefronts that are one click away from processing the credit card payment.  UW-Madison departments with E-Commerce needs are directed to utilize the CashNet service provided by Business Services.

HIPAA

-- The restricted data platform are NOT fully compliant with HIPAA security standards.   However, if patient data is de-identified, and doesn't fall under full HIPAA compliance but considered protected health information (PHI) it can be accommodated.  If any clarification is required for HIPAA it should be addressed with the Office of Compliance: https://compliance.wisc.edu/hipaa/ in conjunction with the Office of Cybersecurity.