Introduction
This guidance outlines principles for publishing non-public content behind ‘Single Sign On’ (SSO) online. Its purpose is to address platform and compliance issues related to SSO implementation on Mosaic as part of the UAS website migration project.
SSO limitations
The Mosaic platform was designed to host external websites and has implemented a large proportion of the Information Security Team’s baseline security assessments. On this basis, it has been formally assessed as being suitable for storing public information. However, Mosaic was not designed for storing non-public data, and there are significant issues with hosting non-public content on Mosaic, including performance and security risks.
This means that Mosaic is unlikely to be the long-term solution for internal content. However, in absence of an immediate alternative, Mosaic will be able to host some SSO content in the short-term.
Guidance on publishing content
Please use the following guidelines when considering where to publish information online. You can also find information about the University’s approach to classifying different types of information on the Information Security website.
1. Where possible, Mosaic content pages should be made public
Mosaic is a public platform. Placing individual webpages behind SSO is likely to impact the user experience and make content harder to find. The guiding principle is that pages on the platform should be made public (even if the intended audience is internal) unless there is a specific reason not to.
2. The decision to restrict access to content pages should only be made in the following instances:
a. Making it public is likely to provide a compliance risk to the University.
For example, making public information about individual student admissions applications, staff appointments, medical or employment data is likely to breach data privacy legislation. This would be classified as ‘confidential’ within the University’s framework.
Content of this type should never be published on Mosaic. It should instead be hosted on GPDR-compliant services such as Core HR and SITS/eVision, in restricted-access documents in SharePoint, or on another platform that has been evaluated as secure enough to hold sensitive data by the Information Security team.
b. Making it public is likely to lead to operational or reputational risks.
Some content is not high risk from a compliance perspective, although making it public could adversely impact the University. The University’s classification for this information is ‘internal’. For example:
- including the work contact details of employees could lead to an influx of unhelpful calls to staff or put them at risk of harassment;
- publishing Preferred Suppliers lists could be damaging from a commercial perspective;
- sharing draft internal consultations and plans with the public before staff could undermine University planning processes and put unconfirmed or confidential information in the public domain
- Allowing non-University members to respond to internal feedback channels could limit how informative these channels are, as data would not be assured to be from an internal audience.
Content of this type should be published behind SSO on the Mosaic platform.
3. Internal (SSO) documents such as Excel, Word, PDF should only be published on SharePoint
This will help to reduce potential performance issues on the platform. Public facing documents should continue to be published on Mosaic.
Please note that Information can change classification over time. For example, an announcement can be confidential or internal until a pre-arranged publication date. Early publication can cause reputational and operational issues for University.
Examples
This list provides an indication of where different types of content should be published. It should be used as a guide when making decisions.
MOSAIC (PUBLICLY AVAILABLE)
'Public' classification
All content that does not specifically need to be restricted from public access.
This includes:
- Public facing documents
- Committee memberships (non-sensitive topics)
- Information about internal training
- Policy documents (non-sensitive topics)
- Employee's work email addresses and phone numbers (where the individual has consented to their contact details being made public)
MOSAIC (BEHIND SSO)
’Internal’ classification
Content on web pages that is likely to lead to operational or reputational risks if it becomes public.
This includes:
- Preferred suppliers lists
- Employees’ work email addresses and phone numbers
- Policy documents on internal topics (such as security arrangements, exams and disciplinary procedures, building regulations)
- Committee memberships (where they handle sensitive issues)
- Communications intended for staff such as draft plans and consultations
- Feedback channels where responses should be only from staff.
Note: The above relates to content pages only. All SSO documents should be published on SharePoint, not Mosaic
SHAREPOINT
’Confidential’ classification
All SSO documents
Sensitive personal data such as:
- Admissions applications
- Job applications