Implementation and Deployment of State Agency Internet/Extranet Sites
Date Issued (revised): February 15, 2001
Date Effective: Immediately
Supersedes: Previous version of April 29, 1999; May 24, 1999
The Chief Information Officer for the State of Connecticut and the Department of Information Technology have established this policy and reporting requirements, and associated standards to safeguard State information and data processing facilities, to provide consistency in web site deployment and to ensure that appropriate resources can be provided in a timely and efficient manner.
- State agencies deploying an internet site (web site, home page, etc.) will utilize the internet/web hosting facilities provided by the State Data Center at DOIT or by the designated web hosting vendor(s) as specified by DOIT.
a. State agencies will not deploy agency internet sites with external providers of web hosting services without the express approval of the CIO. Approval by the CIO will require at a minimum a compelling business case for such deployment.
b. State agencies will not deploy agency internet sites on internal agency facilities without the express approval of the CIO. Approval by the CIO will require at a minimum a compelling business case for such deployment.
- Agency internet/web sites deployed on DOIT facilities will comply with the product standards established by the EWTA Domain Team(s).
- Agency internet/web sites deployed on DOIT internet/web hosting facilities, that require direct access to data bases or information repositories will conform to polices and guidelines for network security as established by the EWTA Domain Team(s).
Under no circumstances will the integrity of the State network or intranet be compromised.
- In the event that an agency is given approval by the CIO to host their own internet/web site or to use an external web host provider, the agency will implement technology and policies, or obtain service level agreements, to provide the same level of network security protection and data integrity as required by DOIT facilities. This means an agency will have to deploy a "firewall" to isolate the internet server from the agency's internal network and the State network and implement appropriate disaster recovery and data backup procedures.
- When implementing internet/web sites on DOIT or vendor hosting facilities, agencies will follow the policies and guidelines found in the ConneCT Web site Policy and in the Universal Website Accessibility Policy.
Agency Planning and Reporting Responsibilities
- Agency plans for internet/web site deployment must be included in the agency's Information Technology Plan or plan update and have an associated approved project profile..
- The agency must contact DOIT in advance of the publication of any Requests for Proposal (RFP) or Statements of Work (SOW) that will require the use of CATER internet/web host facilities.
- The agency must contact DOIT in advance of the publication of any Requests for Proposal (RFP) or Statements of Work (SOW) that will require the use of a Virtual Private Network (VPN), SNET RNAS, or digital certificates.
- This policy effects all new web sites covered in the |Scope| section below. DOIT will work with CMAC to determine what agencies and web sites are not in compliance and help agencies develop a plan to come into compliance.
- Agencies planning internet/web site deployment should submit a New Internet Development Projects Form as soon as plans for the internet /web site are established.
- Agencies who will need enhanced web site security such as VPN or digital certificates should submit a VPN Access Request Form as soon as possible and in advance of any RFP or SOW publication.
This policy applies to the following entities: any State of Connecticut agency, institution, office, department, commission, council or instrumentality subject to the policies, standards and decisions of the Chief Information Officer of the Department of Information Technology as specified in Public Act 97-9).
This policy applies to the following:
- All new agency internet sites or publicly accessible web sites developed or acquired by a State Agency, by an outside provider or consultant, or through an outsourcing arrangement.
- All existing agency internet sites or web sites that are being replaced or re-engineered by a State Agency, vendor, contractor or other party.
- Agency Intranet (internal) web sites that are made publicly accessible (also known as Extranets).
For the purposes of this policy, the term State Agency refers to any State of Connecticut agency, institution, office, department, commission, council or instrumentality.
For the purposes of this policy, an Internet or web site or extranet site is considered compliant when it meets the criteria defined in this policy and the Network Security Policy.