Annex D – Technical and Security Guidelines for GWHS

Version: 1.3
Effective: November 20, 2013

Technical and Security Guidelines on the Government Web Hosting Service (GWHS)

This Technical and Security Guidelines on the Government Web Hosting Service (GWHS) is an annex to the GWHS Memorandum Circular of the Department of Science and Technology-Information and Communications Technology Office (DOST-ICT Office).

Content
1. Introduction
1.1 Objectives
1.2 Scope
2. Core Infrastructure
2.1 Application Delivery Controller
2.2 Intrusion Prevention and Detection Systems
2.3 VPN Gateway
2.4 Load Balancer
2.5 Web Servers
2.6 Database Servers
3. Web Hosting Specifications
3.1 Shared Web Hosting
3.2 Dedicated or Cloud-based Hosting
3.3 Server Colocation
4. Web Content Management Systems
4.1 Usage
4.2 Distribution
4.3 Modules, Extensions, and Plug-ins
4.4 Version Control
4.5 Security, Support, and Documentation
5. Security
5.1 Initial Audit
5.2 Code Changes
5.3 Virtual Private Network
5.4 Continuous Auditing
5.5 CMS Security
6. Migration Procedure
6.1 Prioritization
6.2 User Accounts
6.3 Gov.ph DNS Registration
6.4 Migration Checklist
6.5 Operations and Maintenance
6.6 Service Level Agreement
Annex

Purpose
The Technical and Security Guidelines for GWHS serves as the agencies’ guide on migrating to the GWHS and on maintaining their websites. This also includes a checklist that agencies will use during migration.

Further, security guidelines are included in this copy to provide the necessary steps that agencies should consider, e.g., what agencies should do before migrating, what they should do if there are vulnerabilities, what they should do if there are code changes, etc.

Issuing Authority
This document has been compiled and is issued by the Department of Science and Technology-Information and Communications Technology Office (DOST-ICT Office) and the DOST-Advanced Science and Technology Institute (DOST-ASTI), through the Integrated Government Philippines (iGovPhil) Program.

Contact Information
Policies and associated publications under iGov Philippines Project can be found at http://i.gov.ph/. Queries, suggestions and clarifications with regard to this policy may be forwarded to inquiry@i.gov.ph.

1. Introduction
The GWHS is an initiative of the Philippine Government to provide for greater security, reliable information, state-of-the-art online services, efficient use of technology, and a robust online network by housing government websites in one hosting service.

The GWHS is one of the components of the Integrated Government Philippines (iGovPhil) Program, which aims to enhance the effectiveness, efficiency, and transparency of the government through the use of interactive, interconnected, and interoperable government applications.

1.1. Objectives
This document provides the guidelines for a seamless migration to the GWHS. It describes a general view of the core infrastructure of the GWHS, outlines the migration procedure, and details the security audit process. Specifically, this document aims to:

• Give an overview of the GWHS core infrastructure.
• Guide agencies in choosing their web hosting platform.
• Encourage agencies to use the recommended content management systems (CMS).
• Detail the security audit process for migrating sites and sites that are already hosted on the GWHS.
• Outline the migration procedure.
• Describe the operations and maintenance procedures of the GWHS.

1.2. Scope
The Technical Guidelines on the GWHS applies to all agencies migrating to the GWHS, including:

• National Government Agencies
• Government Financial Institutions
• Government Owned and Controlled Corporations
• Inter-agency Projects
• State Universities and Colleges
• Constitutional Bodies
• Local Government Units
• Legislative and Judicial Branches of the Government

2. Core Infrastructure
The GWHS is envisioned to be a reliable, robust, and secure service that can be easily accessed from anywhere.

The GWHS will be running on two data centers with the following characteristics:

• Redundant hardware, with automatic failover
• Multiple uplinks
• Dual-powered equipment
• Generator sets with uninterruptible power supply systems
• Redundant data communications connections
• Environmental controls such as air conditioning, humidity controls, and fire suppression
• Secure location, installed with biometrics and CCTV systems

One data center shall be located at the DOST-ICTO and one will be housed in a commercial data center. This commercial data center shall be operated and maintained solely by DOST-ICTO.

The diagram below illustrates the network infrastructure of the GWHS.

Figure 1. Illustrated diagram of the GWHS network infrastructure. Note that this is only a general representation and is not the exact configuration of the network, which cannot be disclosed due to security issues.