
Web Content Guidance

What should and should not be presented to the public via web pages is currently left to an individual's best judgment, as there is no process for reviewing and classifying every web page on every externally exposed BNL web server. NIST provides guidance on the types of information that should not be revealed, and that guidance should be followed when deciding whether to post something to the world.

There is also a section on this topic in the recently released DOE M 470.4-4A Information Security Manual, but clarification is still needed on whether that manual is concerned only with CPI (Critical Program Information) or with all publicly available information. The relevant section of the DOE manual is presented here for additional guidance; further clarification will be added when it becomes available.

NIST Guidance

View Guidance Document (pdf)

6.1 Publishing Information on Public Web Sites

Too often, little thought is given to the security implications of the content placed on the Web site. Many organizations do not have a Web publishing process or policy that determines what type of information to publish openly, what information to publish with restricted access, and what information should be omitted from any publicly accessible repository. This is troublesome because Web sites are often one of the first places that malicious entities search for valuable information. For example, attackers often read the contents of a target organization’s Web site to gather intelligence before any attacks. Also, attackers can take advantage of content available on a Web site to craft a social engineering attack or to use individuals’ identifying information in identity theft.

Absent compelling reasons, a public Web site should not contain the following information:

  • Classified records
  • Internal personnel rules and procedures
  • Sensitive or proprietary information
  • Personal information about an organization’s personnel or users
    • Home addresses and telephone numbers
    • Uniquely identifying information, particularly SSNs
    • Detailed biographical material (that could be employed for social engineering)
    • Staff family members
  • Telephone numbers, e-mail addresses, or general listings of staff unless necessary to fulfill organizational requirements
  • Schedules of organizational principals or their exact location (whether on or off the premises)
  • Information on the composition or preparation of hazardous materials or toxins
  • Sensitive information relating to homeland security
  • Investigative records
  • Financial records (beyond those already publicly available)
  • Medical records
  • The organization’s physical and information security procedures
  • Information about the organization’s network and information system infrastructure (e.g., address ranges, naming conventions, access numbers)
  • Information that specifies or implies physical security vulnerabilities
  • Plans, maps, diagrams, aerial photographs, and architectural plans of organizational building, properties, or installations
  • Information on disaster recovery or continuity of operations plans except as absolutely required
  • Details on emergency response procedures, evacuation routes, or organizational personnel responsible for these issues
  • Copyrighted material without the written permission of the owner
  • Privacy or security policies that indicate the types of security measures in place to the degree that they may be useful to an attacker.

Organizations should not use public Web servers to host sensitive information intended to be accessed only by internal users. The compromise of a public Web server often leads to the compromise of such data.

To ensure a consistent approach, an organization should create a formal policy and process for determining and approving the information to be published on a Web server. In many organizations, this is the responsibility of the CIO and/or public affairs officer. Such a process should include the following steps:

  • Identify information that should be published on the Web
  • Identify the target audience (Why publish if no audience exists?)
  • Identify possible negative ramifications of publishing the information
  • Identify who should be responsible for creating, publishing, and maintaining this particular information
  • Create or format information for Web publishing
  • Review the information for sensitivity and distribution/release controls (including the sensitivity of the information in aggregate)
  • Determine the appropriate access and security controls
  • Publish information
  • Verify published information
  • Periodically review published information to confirm continued compliance with organizational guidelines.

Any policy or process for determining and approving the information to be published on a Web server can benefit from the use of automated tools. Tools can scan incoming content for keywords, formatting, or metadata, and flag it for review, easing the burden of those required to verify content. Similarly, an internal automated system that allows users to post potential material to an internal Web site and notifies approving personnel (possibly via e-mail) of the posting allows material to be reviewed and posted to the public Web site more quickly through a repeatable process. Using an automated system also aids accountability because logs track who submitted the document and who approved it.

An often-overlooked area of Web content is the information sometimes hidden within the source code of a Web page. This information can be viewed from any Web browser using the “view source code” menu option. The source code can, for example, contain points of contact and reveal portions of the directory structure of the Web server. Organizations often do not pay attention to the contents of the source code on their Web sites, even though this code may contain sensitive information. Attackers scour not only the obvious content of the Web site but also details within the source code. Thus, Web administrators or Webmasters should periodically review code on their public Web server.
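The two preceding paragraphs describe the same pre-publication check from two angles: automated scanning of incoming content for keywords and metadata, and a review of what is hidden in the page source (comments, server paths) that any visitor can read with "view source". The following Python script is an added example of such a check; it is not BNL's, NIST's or DOE's tool. The regular expressions, the constructed sample page, and the "hold for review" / "no findings" labels are assumptions chosen for illustration. Every match is returned to a human reviewer; nothing is approved automatically.

```python
"""Pre-publication web content scanner (illustrative example, not an official tool).

Scans HTML destined for a public web server for categories the guidance above
says to keep off public sites (SSN-like numbers, staff phone numbers and e-mail
addresses, internal address ranges, controlled-information markings) and for
information hidden in the page source (HTML comments, server-side paths,
author metadata). Findings are flagged for review, never auto-approved.
"""
import re
from html.parser import HTMLParser

# Each check is (finding name, compiled pattern). Patterns are deliberately
# broad: the goal is to flag content for a human reviewer, not to adjudicate.
# All patterns are assumptions for this example.
CHECKS = [
    ("ssn_like", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("phone", re.compile(r"\b\(?\d{3}\)?[ .-]?\d{3}[ .-]\d{4}\b")),
    # RFC 1918 private ranges: publishing them reveals internal infrastructure.
    ("private_ip", re.compile(
        r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
        r"|192\.168\.\d{1,3}\.\d{1,3}"
        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b")),
    # Absolute server-side paths leak the web server's directory structure.
    ("server_path", re.compile(r"(?:/var/www|/home/\w+|[A-Za-z]:\\inetpub)[^\s\"'<>]*")),
    # Markings that indicate information not suitable for public release.
    ("keyword", re.compile(
        r"\b(?:OUO|Official Use Only|UCNI|Export Control(?:led)?|CONFIDENTIAL|internal only)\b",
        re.I)),
]


class _Collector(HTMLParser):
    """Separates visible text from source-only regions (comments, meta tags)."""

    def __init__(self):
        super().__init__()
        self.text_parts = []
        self.comment_parts = []
        self.meta_parts = []

    def handle_data(self, data):
        self.text_parts.append(data)

    def handle_comment(self, data):
        # Invisible in the rendered page, fully visible with "view source".
        self.comment_parts.append(data)

    def handle_starttag(self, tag, attrs):
        if tag == "meta":
            a = dict(attrs)
            if (a.get("name") or "").lower() in ("author", "generator"):
                self.meta_parts.append(f"{a.get('name')}={a.get('content', '')}")


def scan_html(html):
    """Return a list of findings, each {'where', 'check', 'match'}."""
    p = _Collector()
    p.feed(html)
    p.close()  # flushes buffered character data
    regions = [
        ("text", " ".join(p.text_parts)),
        ("comment", " ".join(p.comment_parts)),
        ("meta", " ".join(p.meta_parts)),
    ]
    findings = []
    for where, blob in regions:
        for name, pat in CHECKS:
            for m in pat.finditer(blob):
                findings.append({"where": where, "check": name, "match": m.group(0)})
    # Every non-empty comment is worth a look: reviewers rarely see them.
    for c in p.comment_parts:
        if c.strip():
            findings.append({"where": "comment", "check": "hidden_comment", "match": c.strip()})
    for m in p.meta_parts:
        findings.append({"where": "meta", "check": "author_metadata", "match": m})
    return findings


def review_decision(findings):
    """Workflow outcome for the approving officer (labels are assumptions)."""
    return "hold for review" if findings else "no findings"


# Constructed sample page; every value in it is made up for this example.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head><meta name="author" content="J. Doe, Bldg 515 x1234">
<title>Group Page</title></head>
<body>
<!-- TODO: remove before go-live; template lives in /var/www/intranet/templates/ -->
<p>Contact the group at 631-555-0100 or jdoe@example.org.</p>
<p>Visitor form example: 123-45-6789</p>
<!-- staging mirror: http://192.168.12.7/groups/ -->
<p>Our public seminar schedule is posted monthly.</p>
</body></html>"""

if __name__ == "__main__":
    results = scan_html(SAMPLE_PAGE)
    for f in results:
        print(f"[{f['where']:7}] {f['check']:16} {f['match']}")
    print(review_decision(results))
```

The scanner keeps visible text, comments and metadata as separate regions so the reviewer can see at a glance which findings a visitor would never notice in the rendered page but could read in the source. Run over real content it should feed the approval workflow described above (submitter and approver recorded in logs), with the pattern list maintained by the people who own the local list of unsuitable information categories.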


DOE M 470.4-4A Guidance

View Guidance Document (pdf)

g. Information to be posted to publicly available websites.

(1) Before any information generated by or for the Federal Government (Government Information) is placed on a DOE, DOE contractor or sub-contractor website or is otherwise made available to the public, it must be reviewed to ensure that it does not contain classified information or CPI. Before DOE contractors or sub-contractors post Government Information to a personal or non-DOE website, it must also be reviewed for the same concerns. The review process must include a multi-layer review to ensure suitability of the information for worldwide public release.

(2) Automated analysis tools should be used to assist in the review of information to determine if it is appropriate to release it to the public. Certain categories of unclassified information are generally recognized as unsuitable for public release. These include, but are not limited to, Official Use Only information, privacy information, protected Cooperative Research and Development Agreement information, Unclassified Controlled Nuclear Information, and Export Control Sensitive Subjects information. Due to the diversity of information that must be considered within DOE, a robust review and approval process must be conducted using the following evaluation factors for determining suitability for release of information to the public. Evaluation factors include:

(a) Sensitivity. If the information is released to the public, it must not reveal or identify sensitive information, activities or programs.

(b) Risk. Information that may be used by adversaries to the detriment of employees, the public, the Department or the nation must not be approved for release. This determination must be based on sound risk management principles focused on preventing potential adverse consequences.

(3) Local procedures must be established for conducting information reviews and acquiring approval according to direction from the Head of their respective Departmental element. These procedures must identify specific information and information categories considered unsuitable for release to the public.


Last Modified: April 6, 2009