Prevention is key when it comes to website security. Simple, proven
techniques can significantly reduce the risk and consequences of an
Your website security policy should provide clear guidelines for all
employees who are able to log in to and manage the website.
The policy should cover rules and procedures such as who can have
administration access, password security, general website rules and
regulations, content guidelines and more.
Further information about developing a website security policy is
available via these resources:
If you collect any data from website visitors, even if it's only via a
simple contact form, you are required by Australian Law to publish a
submit to your website.
clear access for public visitors.
Privacy policy templates can be found via these resources:
Rules to Help Manage your Website
Below are some of our key recommendations to consider when implementing
website security protocols.
1. iASP System Administration Access
iASP System Administration access provides high-level access to the
website content management system (CMS). System Administrators can
edit website content, access the user database, view users' private
information and more. Consider the following:
How many employees in your organisation have website system
Who are they?
We recommend limiting system administration access to 1-2
Have iASP system administrators completed the registration using
their individual business e-mail address, or do multiple
administrators log in using one e-mail address (e.g. a general
e-mail such as info@xxx)?
We strongly recommend registering each individual system
administrator with their individual company email address.
When system administrators are accessing the website internally (in
the workplace) and/or remotely (from a portable device), what
security practices are in place? e.g. Does the administrator's
computer have an automatic lock-screen time-out set?
Can administrators access the site from a public computer or shared
What is the process for on-boarding and off-boarding a system
administrator? e.g. When a system administrator's employment ceases,
do you remove their administration access?
2. Password Requirements
Password security plays an important role in securing your website and
the private information collected. Consider the following:
Does your business have a password policy for accessing the company
website? e.g. Are system administrators required to change their
passwords every few months?
Password Privacy - When a customer has forgotten their website
login password and contacts your business, how do you identify
the customer? What is your policy for providing password
Create a password policy procedure that outlines strong password
requirements and password confidentiality.
3. Content Policy
An organisational content policy can help provide a clear outline of
how content is used, conveyed, managed and protected. A content
policy could include:
The responsibilities of content authors and editors
Details of the content approval process
Roles and responsibilities of content authors and editors,
including handling of inappropriate content and other misconduct
Ownership of content - copyright, proprietary rights, trademarks
4. Disaster Recovery Policy
If the worst happens, what are your plans to recover?
A disaster recovery policy that can be enacted immediately when required
is mandatory for all businesses publishing a corporate website.
Documenting who is responsible for specific tasks, along with clear
instructions on task priorities and execution procedures, can
significantly reduce the impact of a serious security breach.