Implementation and Deployment of State Agency Internet/Extranet Sites

Version: 2.1
Date Issued (revised): December 9, 2019
Date Effective: immediately
Supersedes: Version 2.0 February 15, 2001

Reason for Change: Eliminated all references to the Department of Information Technology (DOIT).

Purpose

The Office of Policy and Management (OPM) has established this policy and reporting requirements, and associated standards to safeguard State information and data processing facilities, to provide consistency in web site deployment and to ensure that appropriate resources can be provided in a timely and efficient manner.

Policy Statements

1. State agencies deploying an internet site (web site, home page, etc.) will utilize the internet/web hosting facilities provided by the State Data Center through the Department of Administrative Services, Bureau of Enterprise Systems and Technology (DAS-BEST) or by the designated web hosting vendor(s) as specified by DAS-BEST.

   a. State agencies will not deploy agency internet sites with external providers of web hosting services without the express approval of the Chief Information Officer (CIO). Approval by the CIO will require at a minimum a compelling business case for such deployment.

   b. State agencies will not deploy agency internet sites on internal agency facilities without the express approval of the CIO. Approval by the CIO will require at a minimum a compelling business case for such deployment.

2. Agency internet/web sites deployed on DAS-BEST facilities will comply with the product standards established by DAS-BEST.
3. Agency internet/web sites deployed on DOIT internet/web hosting facilities, that require direct access to data bases or information repositories will conform to policies and guidelines for network security as established by DAS-BEST.  Under no circumstances will the integrity of the State network or intranet be compromised.
4. In the event that an agency is given approval by the CIO to host their own internet/web site or to use an external web host provider, the agency will implement technology and policies, or obtain service level agreements, to provide the same level of network security protection and data integrity as required by DAS-BEST facilities.  This means an agency will have to deploy a "firewall" to isolate the internet server from the agency's internal network and the State network and implement appropriate disaster recovery and data backup procedures.

Agency Planning and Reporting Responsibilities

Planning:

1. Agency plans for internet/website deployment must be included in the agency's Information Technology Plan update and have an associated project profile.
2. The agency must contact DAS-BEST in advance of the publication of any Requests for Proposal (RFP) or Statements of Work (SOW) that will require the use of DAS-BEST internet/web host facilities.
3. The agency must contact DAS-BEST in advance of any Requests for Proposal (RFP) or Statements of Work (SOW) that will require the use of a Virtual Private Network (VPN), Remote Network Access System (RNAS) or digital certificates.

Implementation:

1. This policy effects all new web sites covered in the scope section below.  DAS-BEST will determine what agencies and web sites are not in compliance and help agencies develop a plan to come into compliance.
2. Agencies planning internet/web site deployment should submit a New Internet Development Projects Form as soon as plans for the internet /web site are established.
3. Agencies who will need enhanced web site security such as VPN or digital certificates should submit a VPN Access Request Form as soon as possible and in advance of any RFP or SOW publication.

Certification: N/A

This policy applies to the following entities: any State of Connecticut agency, institution, office, department, commission, council or instrumentality subject to the policies, standards and decisions of the Chief Information Officer of the Department of Information Technology as specified in Public Act 97-9).

This policy applies to the following:

1. All new agency internet sites or publicly accessible web sites developed or acquired by a State Agency, by an outside provider or consultant, or through an outsourcing arrangement.
2. All existing agency internet sites or web sites that are being replaced or re-engineered by a State Agency, vendor, contractor or other party.
3. Agency Intranet (internal) web sites that are made publicly accessible (also known as Extranets).

State Agency

For the purposes of this policy, the term State Agency refers to any State of Connecticut agency, institution, office, department, commission, council or instrumentality.

Compliant:

For the purposes of this policy, an Internet or web site or extranet site is considered compliant when it meets the criteria defined in this policy and the Network Security Policy..