YaleSites Secure Feature

YaleSites Secure is a Feature that offers additional security for sites that store or collect sensitive data for research projects or collecting information for study participants. YaleSites Secure has all the features that are included in a standard YaleSite with the following differences:

• Security (SSL) - Provides a secure version of the http protocol (https). Data is encrypted between client and server.
• Field Encryption - Provides the ability to select which fields can be concealed from unwanted sources using encryption.
• Native user login - Together with SSL allows the creation of secure accounts for study participants.
• Search Indexing Prevention - Site is not indexed by search engines, content would not appear as part of Google, Yahoo, etc. 

Data that should NOT be stored

The following is a list of the types information that should NOT be included in your site.

• No user identifiable data including email addresses
• De-identification Fields are listed in Exhibit 5039 - EX.A
• Further information can be found under HIPAA Procedure 5039 - PR.1

Before you develop your secure website

The following is a list of important points that require consideration before developing your site with YaleSites Secure.

Prior to any development:

• All sites must through a preliminary Security Design Review (SDR) with the Yale Information Security Office (ISO).
• You must participate in YaleSites secure onboarding* to ensure the process is understood 

Going Live:

• Once your site has been built, a final Security Design Review (SDR) scan will be performed to validate URLs and site security.
• Any SDR Scan issues found in the final scan must be fixed and approved before the site can go live. Sites will not be moved to production until the final SDR scan is fully approved and issues have been resolved.
• Resolving/approving these changes may take 2-4 weeks. Please plan your site warranty based on the approval date of the final SDR scan rather than the day development is completed. The warranty period should begin after website is in production.  

Requ​esting YaleSites Secure Site

1. Complete the Request a YaleSite form.
2. Click on the checkbox to indicate you want YaleSites Secure.
3. Request a Security Design Review (SDR) with the Yale Information Security Office (ISO). 
4. Participate in onboarding* meeting setup by YaleSites Web Team and ISO.

*YaleSites Secure Onboarding

In order to ensure the policies and process required for YaleSites Secure are understood, the vendor and site owner must attend a preliminary onboarding meeting. During this meeting the YaleSites Web Team and Yale Information Security Office (ISO) will provide you with the requirements necessary to build a YaleSites Secure site. Development on the site cannot take place prior to the onboarding meeting.

Important Note: The request and approval process for YaleSites Secure may take 2-4 weeks. Please plan accordingly.

Site U​RLs

YaleSites are provisioned in the development stage (.dev) unless otherwise requested.

• Development: https://site_name.dev.ys.yale.edu
• Production: https://site_name.ys.yale.edu
• If someone types in http://site_name.yale.edu, they will be redirected to https://site_name.ys.yale.edu

Website A​ccess

Access to the site is determined by role a person has in development, participation and/or viewing the content. Important Note: Anyone who has access to the information on a YaleSites Secure site must complete HIPAA Privacy and HIPAA Security training on Yale’s Training Management System (TMS).

Site Building and Maintenance

1. Administrators, Site Builders and Site Editor roles have access to administrative pages for the purpose of building functionality and maintaining the site content.
2. VPN is required to access administrative pages when working on the site on or off-campus.
3. Administrators, Site Builders and Site Editor roles must login using CAS (append cas to the end of their URL https://site_name.dev.ys.yale.edu/cas)

Participants

A participant is identified as someone who has access to the site to contribute to the study or research program, but does not have permission to access the administrative pages. Participants are given access to the site using native Drupal login.

1. Direct participants to https://site_name.ys.yale.edu/user where they will be asked to login or create an account. Please use the following guidelines:

• Login accounts and passwords may not be user identifiable and may not be email addresses
• Users should not be able to receive email with their login / password
• Users should not be able to request passwords (module NoReqNewPass installed and configured)
• All login and passwords provided must be at least 8-14 characters as per Yale Compliance Requirements
• Third Party Authentication (HybridAuth) is NOT supported.

Participants who are logged in a given the default role of authenticated user. Additional Roles can be assigned to participants as dictated by site requirements.

Important Note: Email notification for new accounts must be setup to change the language to meet program/project needs.

Site Visitors

Anonymous users will only be able to view public pages of the site as determine by the root directory. 

Page URLs and Site Structure

YaleSites Secure is setup to allow participants, anonymous users or site visitors to view pages that are in the public virtual directory. In order to create the virtual public directory, you must create a URL alias for each Content Types of any pages that will be viewed by the public (public/[node:title]). All pages that are available to anonymous users or people who are just visiting the site are stored in the public virtual directory.

• https://site_name.ys.yale.edu (index page)

• https://site_name.ys.yale.edu/public/page-url

Restricted Access

Configuration and administration pages are restricted to Administrator, Site Builder and Site Editor roles. The following URLs are helpful for administrators to determine the path necessary when coding advanced template files and modules to ensure the path is correct.

/sites/default/files/* (images, pdf, other digital assets)  

/sites/all/modules/* (modules used by the website)

/sites/all/themes/* (js, css used by the website)

/user/* (user profile details available only to authenticated user)

/flag/* (allowing for bookmarks using flag module)

/sites/all/libraries/* ()

/cas (allowing users to login with Yale CAS)

Security Standards

Digital Assets

All digital assets (images, pdf, etc.) cannot contain user identifiable information, examples include:

• PDF documents with contact information or personal information
• Images with text containing personal or contact information

Secure Login - Username and Password Creation

• Login accounts and passwords may not be user identifiable and may not be email addresses
• Users should not be able to receive email with their login / password
• Users should not be able to request passwords (module NoReqNewPass installed and configured)
• All login and passwords provided must be at least 8-14 characters as per Yale Compliance Requirements
• Third Party Authentication (HybridAuth) is NOT supported.

Prevent Search Engine Indexing

• This feature contains a robots.txt file with following content to prevent search engines indexing pages. 

User-agent: *
Disallow: /