GDPR and EA Commissioning a web site Part 6 of 8

The Organisation As A System
The Performance Organisers
Structured Coherent Design
Commissioning a Web Site
Part Six – Now you have a site, how do
you use it?
The introduction slide deck video can be downloaded here
This slide deck can be downloaded from:
http://www.jitsoftware.co.uk/training/websitecse/webexploit.pptx
The preceding video on web page writing can be downloaded
here

http://www.jitsoftware.co.uk
Commissioning a Web Site – Now how do you use it?

About the Author:
• Allen Woods, recently retired.
• Ex British Army (1971 – 1995) Taught Arctic Warfare, Several Years
On Operations, Funded Himself through College to Study IT
• Chartered Member of the British Computer Society for 20 years
• Member of the Chartered Status Interview Panel for BCS
• In 2010, Finalist of UK “Developer Of The Year” Competition for HSIS
• Primarily Employed in UK Defence Supply Chain and Logistics IT
since 1995 until 2019
• Credits: MoD Health and Safety Information System, Various Internal
to Defence P&G Portals, CATMIS, IQB Oversight to Defence Voyager
Programme IM Transformation
• Home Domain: http://www.jitsoftware.co.uk/portal/

Now it starts…….

Your Organisation Boundary
The Organisation Boundary
Client 1
Client 3
Client 2
Server room
Internet Service Provider
External Client
Technical Legal
Consultancy
Commissioning a Web Site – Writing a Web Page
Content
Manager

As Ever…. Security

Security Issues to consider……………………………
?
?
SAAS
And
External Code

?
?
The seduction of “free” and “simple”
SSL/TSL
Certificate

Learn about your web management utilities and consoles

Security policy should Include:
• IIS Configuration Settings.
• Response Headers (as per securityheaders.com advice)
• Role profiles.
• Web site password policy
• Records of processing activity
• Data Protection Impact Assessment (DPIA)
• Source code back up policy
• And more besides…..
It is reasonable to expect your site developer to be able to advise on
these issues…….
Not forgetting regular reviews

Web Cataloguing

Data Centers…….

Regular cataloguging cycles
Not forgetting, that
not everything
crawling the web is
benign..
ISP
Tech Support Content
Manager

Search Engine Optimisation (SEO)

Some Observations
• There isn’t just one search engine………
• Some key web promotion capabilities are not search
engines anyway
• Search Engine Optimisation is now closely aligned as
part of business models to “cost per click” type
advertising
• “cost per click” tends to mean the more you can pay, the
more frequently your site will appear in search results
• Search for “SEO Techniques”
• SEO does not come “out of the box”, it requires work.
• Many SEO techniques require traffic sharing as part of
the deal….. Don’t forget liabilities of accountability.

Optimise your content to facilitate cataloguing
<%@LANGUAGE="VBSCRIPT" CODEPAGE="65001"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Hello World Baasic Page</title>
<style type="text/css">
.tabletitle {
font-family:Arial, Helvetica, sans-serif;
font-size: 24px;
color:#006;
height: 26;
font-style: normal;
font-weight: bold;
text-align: center;
}
</style>
<script language="JavaScript" type="text/JavaScript">
function showalert(){
alert("You clicked the text");
}
</script>
</head>
<body>
<span class="tabletitle" onclick="showalert()">Hello World. we've added a bit of code
now! Click the text</span>
</body>
</html>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="description" content="A sample Hello World web page to illustrate
some of the factors to consider when building a simple web site">
<meta name="robots" content="noindex, nofollow">
<meta name="revisit-after" content="30 days">
<meta name="copyright" content="All site content copyright The Performance
Organisers">
<meta name="keywords" content="separate, keywords, and phrases, with a comma">

Cookies

“Cookies” are small files or browser specific database
entries which are stored on a user's computer. They
are designed to hold a modest amount of data specific
to a particular client and website, and can be accessed
either by the web server or the client computer. This
allows the server to deliver a page tailored to a
particular user, or the page itself can contain some
script which is aware of the data in the cookie and so is
able to carry information from one visit to the website
(or related site) to the next.
Cookies what are they?

A cookie is basically a string of text characters not
longer than 4 KB. Cookies are set in name=value pairs,
separated by semi-colons. For example, a cookie might
be a string like the following:
"theme=blue; max-age=60; path=/;
domain=thesitewizard.com"
Cookies how are they written?

Extending the organisation boundary.. Controller/Processor
Relationships
?
?
SAAS
And
External Code
?
?
The seduction of “free” and “simple”
Cookies and the organisation boundary

Cookies where are they stored?
To find out where cookies are stored you will need to
consult your browser documentation.
If you run or use more than one browser, then there is
likely to be more than one cookie location
Anything else?
Cookies can be used to provide a means to share
information by multiples of organisations.

The Use of Cookies is governed by legislation. The Privacy
and Electronic Comminication Regulations. With, for the
UK, Information Commissioner advice and guidance on
cookie use available here. The PECR is going to be
replaced by ePrivacy Regulation (ePR)
The operating principle is one of consent. But consent per
use of each cookie. Bear in mind that some components
and SAAS applications may drop any number of cookies,
for any period of time… Regardless of your privacy
statements
Cookies and the Law…..

If you do not need them
after careful
consideration, do not use
them.
Cookies and their use… Advice…

Components

Templates Code Libraries Software as a service
Types or classes of “component”

A Case study.. Live but unnamed web site

Internet Service Provider
Possible Routing……

Just “Google Analytics”…
Your sensitive visitor details are being tracked by Google…….

So.. An Alternative?
No cookies, no external code, no third party components hosted
by another domain
The Portal

OK – How do I monitor all this?
Some free to use tools:
F12 – View Source (or browser equivalent)
Baycloud
Security Headers
Web Page Testing
OWASP
Security tools
The EU Information Providers Guide
There will be many more…………………….
Its your risk, your responsibility. Take advice

Reading List:
The Personal Trainer IIS 8 Administration
Learn Search Engine Optimisation
The EU Information Providers Guide
The French Data Protection Authority (CNIL)
The UK Data Protection Authority (ICO)
The European Information Security Summit
UK National Cyber Security Centre

Monitor and Manage:
License terms
Terms and Conditions of Use – Particularly Liabilities and Indemnification
Nature of service delivery – who is processing what?
Nature of monitoring – Beacons, cookies, bots
Transfer of data – PII, other sensitive data
Contract terms – BCR’s, possible need for European “presence”.
Change control
Site ranking
Content
And more besides……
A web site is not just for Christmas

http://www.jitsoftware.co.uk
Tel: +44 07780 568449
Email: allenwoods@jit-software.com
Skype: apw808

GDPR and EA Commissioning a web site Part 6 of 8

Recommandé

Recommandé

Contenu connexe

Similaire à GDPR and EA Commissioning a web site Part 6 of 8

Similaire à GDPR and EA Commissioning a web site Part 6 of 8 (20)

Dernier

Dernier (15)

GDPR and EA Commissioning a web site Part 6 of 8