I tend to enjoy following the spiral that is created when a single piece of information leads to a very involved thought process. It tends to scratch at that part of my brain that likes to see how all the pieces work together. Recently, this started with an email about a security update available for website maker WordPress. Right in the message they “strongly encourage users to perform this update.”
Looking at how organizations manage this issue in their overall patch management begs the question: Who is responsible for maintaining security updates for websites?
Oftentimes this is an “out of sight, out of mind” situation, in which there aren’t clear lines to define the particular responsibility. The agreements in place with the company that designs the website may not include it, and the contract for the vendor host for the site may not either.
If it is hosted on-site, this responsibility may fall to your IT department and can be managed through the same procedures you already practice for patch management. But if the website is hosted elsewhere, it is important to understand who holds the responsibility for each update.
Start by looking at the contract for the website to determine whether these responsibilities were outlined. This could provide a clear understanding of the expectations for both parties. Oftentimes this is not the case, however. You may need to reach out to the vendor to see whether updates are being performed. If not, is it a service that can be provided or brought in-house?
Looking deeper into the matter, you’ll want to understand not only the responsibilities involved but also the implications. Here are some additional issues and questions to consider as you review what is or is not in place:
- Does any portion of the website design or hosting involve the use of subcontractors? And does the contract allow for subcontracting to occur? You’ll want to know how far the lines of responsibility extend.
- What security practices are in place and do you feel these are adequate?
- Is the website design, the hosting, or both subject to security testing?
- Is monitoring performed by the vendor or are you provided with access to monitor changes made to the website? If by the vendor, how long after a change is implemented are you notified?
- If a breach occurs, are there procedures for notification? Are there procedures for helping you address DDoS, defacement, or website hijacking?
And while the answers to these questions all provide good insight, the most important question is, “When should I ask these questions?” In most cases your services are already in place. Nevertheless, now is the best time to ask. If you are considering changes to your website, it is important to ask these key questions during the vetting of vendors you’re considering. Much like checking your car door to make sure it’s locked when you are in a public parking lot, making sure no doors are open to your website is also important.