This guidance outlines principles for publishing non-public content behind ‘Single Sign On’ (SSO) online. Its purpose is to address platform and compliance issues related to SSO implementation on Mosaic as part of the UAS website migration project.
The Mosaic platform was designed to host external websites and has implemented a large proportion of the Information Security Team’s baseline security assessments. On this basis, it has been formally assessed as being suitable for storing public information. However, Mosaic was not designed for storing non-public data, and there are significant issues with hosting non-public content on Mosaic, including performance and security risks.
This means that Mosaic is unlikely to be the long-term solution for internal content. However, in the absence of an immediate alternative, Mosaic will be able to host some SSO content in the short term.
Please use the following guidelines when considering where to publish information online:
Mosaic is a public platform. Placing individual webpages behind SSO is likely to impact the user experience and make content harder to find. The guiding principle is that pages on the platform should be made public (even if the intended audience is internal) unless there is a specific reason not to.
a. Making it public is likely to pose a compliance risk to the University.
For example, making public information about individuals' student admissions applications, staff appointments, or medical or employment data is likely to breach data privacy legislation.
Content of this type should never be published on Mosaic. It should instead be hosted on SharePoint (or another platform that has been evaluated as secure enough to hold sensitive data by the Information Security team).
b. Making it public is likely to lead to operational or reputational risks.
Some content is not high risk from a compliance perspective, but making it public could still adversely affect the University. For example, publishing the work contact details of employees could lead to an influx of unhelpful calls to staff or put them at risk of harassment, and publishing Preferred Supplier lists could be damaging from a commercial perspective.
Content of this type should be published behind SSO on the Mosaic platform.
Hosting SSO documents on SharePoint rather than Mosaic will help to reduce potential performance issues on the Mosaic platform. Public-facing documents should continue to be published on Mosaic.
This list provides an indication of where different types of content should be published. It should be used as a guide when making decisions.
Mosaic (public): All content that does not specifically need to be restricted from public access.
Mosaic (behind SSO): Content on web pages that is likely to lead to operational or reputational risks if it becomes public.
Note: The above relates to content pages only. All SSO documents should be published on SharePoint, not Mosaic.
SharePoint: All SSO documents.
SharePoint: Sensitive personal data such as:
Lead editors - email firstname.lastname@example.org
Site editors should contact only the lead editor of their site.
See information on the UAS website support process