Website Security

All UCSF websites must meet minimum security standards, as outlined by UCSF Information Technology Services and the University of California Electronic Information Security Policy. For more information about the vulnerability scanners available, visit Application and Website Security.

For most websites that contain only public data, your website software must be patched with security updates within 21 days of the patch being released.

Should you choose not to use UCSF Drupal web hosting, you are responsible for putting sufficient controls in place to mitigate risk.

Best Practices

  • Do not share credentials amongst admins and content creators.
  • Create unique logins and passwords for each person who works on your site.
  • Review user accounts for your site on a regular basis. Delete users no longer performing admin tasks or creating and editing content.
  • Be cautious of allowing non-authenticated guests to submit webforms.
  • Do not allow non-authenticated guests to upload files via webforms.

UCSF Drupal Template Websites

If you are using the UCSF Drupal Template, then Web Services does the heavy lifting. The UCSF Web Services team applies the Drupal security patches weekly so you don't have to. If you are getting email notifications that a security patch is available for Drupal, you can change the frequency or turn off these notifications.

Non-Drupal Websites

If you are not using the UCSF Drupal Template, or your website is hosted by a non-UCSF third-party hosting company such as SquareSpace, WiX, or DreamHost, security is still your responsibility.

IT Services offers Netsparker Cloud, a self-service web application vulnerability scanner that can find OWASP-category web application vulnerabilities, such as SQL injection and cross-site scripting (XSS), within a web application.

To get started, contact the Service Desk at 415-514-4100 and submit a request, or email [email protected].