The University of Alabama, Division of Strategic Communications

Web Policy

Unit:  Division of Strategic Communications
Contact: Kyle Fondren
Title:  Director of Web Strategy
Effective Date: 03/02/2022
Revision Date: 03/02/2022


Purpose

The University of Alabama seeks to ensure all official University websites and web resources align with the University’s identity standards and strategic goals; provide a consistent navigation and user experience for all; and comply with all applicable UA, state and federal requirements.

Policy

Administrative Responsibilities

The Division of Strategic Communications is authorized to and/or responsible for the following:
  • Providing strategic leadership to ensure that the campus web environment is meeting the needs of the University;
  • Establishing the official University website uniform brand strategy, including developing web design guidelines that are consistent with and promote the University’s brand integrity and strategic goals;
  • Developing and supporting the official University web framework which includes content management system, themes, templates, and user experience elements for official University websites;
  • Approving new university-level web initiative requests and assigning any new official University domain addresses;
  • Approving and assigning new official subdomain addresses under the ua.edu domain in compliance with this policy;
  • Taking necessary action to ensure all University websites and web resources are compliant with the mandatory requirements of this policy, including removal of content and/or websites; and
  • Coordinating a quarterly forum on campus for all employees with official web-related responsibilities.
Site authorizers are responsible for the following:
  • Ensuring that their website(s), web resources and content comply with University policies and all applicable state and federal requirements;
  • Approving and assigning new web addresses within the web architecture of their respective colleges, schools, departments, divisions, research centers, and/or administrative office; and
  • Documenting and resolving any compliance issues, including accessibility, in coordination with Strategic Communications and/or other relevant campus offices.
The Office of Information Technology (hereinafter referred to as OIT) is authorized to and/or responsible for the following:
  • Setting the standards for website security;
  • Removing any official or unofficial University website that shows any indication of a security breach, including but not limiting to inappropriate content or malicious code;
  • Website hosting arrangements for University resources; and
  • Ensuring third party technologies meet University standards.
The Division of Strategic Communications, site authorizers, and OIT are not responsible for the development, oversight and quality of unofficial University websites and/or web resources.

New Web Initiatives

Any new official University website/web resource must be approved by the Division of Strategic Communications and follow the Brand Guidelines, Web Developer Guidelines, and all applicable University policies. Existing sites are addressed under the “Compliance” section of this policy.
 

Mandatory Requirements

Mandatory requirements in this policy apply to all official University websites. Unofficial websites are not covered by these requirements, but should always comply with all applicable campus, state and federal policies, laws and regulations, including but not limited to any addressing compliance, copyright, accessibility, privacy and website security.

Brand Guidelines and Web Development Guidelines: Every official University website must comply with the Brand Guidelines and Web Developer Guidelines, which specifically address the required visual and technical details to achieve compliance.

University Framework: In order to ensure compliance with this policy, all official University websites must use the official University framework developed by the Division of Strategic Communications and detailed in the Web Developer Guidelines.

Ownership Information: All official University websites must clearly display ownership information on each page in the form of a contact email address belonging to the unit represented on the page. In circumstances when an email address cannot be provided, a contact name and telephone number may be substituted.

Disclaimer: All official University websites and pages must display the official University disclaimer as provided in the official University framework.

Compliance:  All websites, web resources, pages, and/or documents must be compliant with all other University policies, including and especially those related to computer use, privacy, human resources, and those outlined below.

Copyright: All websites, web resources, pages, and/or documents must comply with the University’s copyright statement

Accessibility: All websites, web resources, pages, and/or documents must comply with the University’s Web Resources Accessibility Policy.

Privacy: All websites, web resources, pages, and/or documents must comply with all applicable state and federal laws, including but not limited to FERPA, HIPPA, GDPR, the official University privacy statement, and any privacy policy implemented in the future by the University.

Website Security:  All websites, pages, and/or documents must comply with the security standards set by OIT and any current University security policies or any security policies implemented in the future by the University.  Additionally, all official University websites must comply with all security requirements specified in the Web Developer Guidelines.    

Revenue-generating Activity and Advertising: Any official University website desiring to conduct revenue-generating  activity, including receipt of online credit card, debit card, or web check payments, must receive authorization from the Office of Student Account Services (SAS). SAS will review the website's plan, including the adequacy of transaction security, make recommendations on the type of electronic credit or debit card or other process needed, and provide cost information. If the revenue-generating activity involves receipt of online credit or debit card payments, SAS will obtain a merchant ID, if appropriate, under the domain of the University's central merchant services contract, and provide training regarding Payment Card Industry requirements, data security, as well as recording and depositing the funds on University records. Any website discovered to be in violation of this provision is subject to removal from the UA domain.
 
Links to commercial entities must be related to the University's missions of research, teaching, and service and must not imply endorsement by the University.

Content Life Cycle: As part of the University’s website quality assurance, all official University websites must be reviewed by the site authorizer, at a minimum, once a year to ensure that content, mandatory requirements, accessibility, and security measures are current and in compliance with this policy. 

Exemption(s):  The University recognizes that some websites are maintained as archives and/or are legacy web resources. Site authorizers may be allowed an exemption for these websites upon request to the Division of Strategic Communications, and on a case by case basis. The site authorizer must submit a Legacy Web Resource Form to the Division of Strategic Communications.  The Division of Strategic Communications is responsible for all approvals of exemptions to this section and shall maintain a record of all exempt websites. 

Social Media

All University social media accounts must comply with the social media guidelines and accessibility policy.

Unlawful Content

Content on any website, page, and/or document not in compliance with applicable state law, federal law, or University policies is strictly prohibited and subject to removal.

Security Breaches and Misconduct

Any website, page, and/or document, including any unofficial University website, that displays any indication of a security risk or threat, including malicious code or inappropriate content, is subject to be taken down, removed, or blocked immediately and without any prior notice being given to the site authorizer.

Misconduct by a faculty or staff member will be addressed by the Department of Human Resources and may result in disciplinary action up to and including termination of employment and/or criminal prosecution, depending on the nature of the misconduct.

Misconduct by a student will be addressed by the Office of Student Conduct through the processes outlined in the Code of Student Conduct.

Compliance

New websites: All official University websites created or official web resources implemented after the effective date of this policy will be required to comply with this policy without exception.

Existing websites: All official University websites or web resources in existence on the effective date of this policy are required to completely comply with this policy within eighteen (18) months from the effective date.

Extension: In the event a site authorizer foresees that it is not possible to meet the deadline set out above, the site authorizer must submit a Web Policy Extension Request Form to the Division of Strategic Communications, within ninety (90) days from the effective date of this policy.  Extensions may be granted by the Division of Strategic Communication on a case by case basis.  If an extension is granted, the Division of Strategic Communications and the site authorizer are responsible for setting up a written plan for compliance.

Non-Compliance process: For official University websites in existence on the effective date of this policy, this section will not apply until (1) after the eighteen (18) month period as stated above or (2) at the end of the extension period as addressed in the written plan for compliance when an extension has been granted.

If an official University website violates a mandatory requirement as stated above, the Division of Strategic Communications shall give the site authorizer notice of the violation immediately. A violation must be remediated within fifteen (15) University business days from the date of notice to the site authorizer. If the violation is not remediated by time specified, the Division of Strategic Communication has the authority to take necessary corrective action, including removal of the website from the ua.edu domain.

Web resource exemption: Web resources are required to comply with the mandatory requirements section of this policy, to the extent possible. When compliance (1) is not technically possible or may require extraordinary measures due to the nature or intent of the web resource, or (2) would result in a fundamental alteration of the web resource and not satisfy the original intent, a request for exemption may be made by submitting a Web Policy Exemption Request Form to the Division of Strategic Communications. Exemptions will be evaluated and approved on a case-by case basis.

Web resources are subject to all security and accessibility requirements as stated in the mandatory requirements section herein.

Web Professionals Forum

The Division of Strategic Communications will coordinate the date, time, and location for a quarterly web professionals forum. Employees campus-wide with web-related official responsibilities are encouraged to submit web-related issues, questions, and/or concerns that impact the University’s web environment to the Director of Web Strategy in the Division of Strategic Communications. The forum agenda will include discussion on any submitted issues, questions and/or concerns affecting the campus wide web environment as well as an open discussion.

Unofficial University Websites

All unofficial University websites should always comply with all applicable campus, state and federal policies, laws and regulations, including but not limited to any addressing compliance, copyright, accessibility, privacy and website security.

Additionally, unofficial University websites must carry the following disclaimer: "The views, opinions, and conclusions expressed in this website/webpage are those of the author or organization and not necessarily those of The University of Alabama or its officers and trustees. This website has not been reviewed or approved by the University of Alabama, and the author or organization is solely responsible for its content."

The University of Alabama will not undertake to pre-approve or review unofficial University websites. However, any website, page, and/or document discovered in violation of applicable policies, regulations or laws is subject to be taken down, removed, or blocked immediately and without any prior notice.

Unofficial University websites, unless excluded from the scope of this policy or explicitly authorized through the UA Legal Counsel’s Office, may not be used for commercial purposes or for personal financial gain or benefit. The University of Alabama is not responsible for any liability resulting from any such activities.

Definitions

  • Breach - any incident that results in unauthorized access of data, application, services, networks and/or device.
  • Inappropriate content – dangerous or derogatory images, text, or assets that do not reflect the goals and strategic plan of the University.
  • Legacy web resources - web resources that are no longer edited or kept current, that were put into use before November 15, 2015, including those that are kept for archive, reference, or retention purposes.
  • Malicious code – program code intended to perform an unauthorized function or process that will have adverse impact on the confidentiality, integrity or availability of a web resource.
  • Official University website - Websites or webpages created by University of Alabama entities including, but not limited to, its colleges, schools, departments, divisions, research centers, and administrative offices purporting to represent The University of Alabama.
  • Site Authorizer - a faculty/staff member, employed by the University, and assigned by a college, school, department, division, research center, and/or administrative office to oversee the approval and quality of official University websites that fall under within their college, school, department, division, research center, and/or administrative office.
  • Threat – any circumstance or event that has or indicates the potential to exploit vulnerabilities and to adversely impact University operations, assets, individuals or other organizations.
  • Unofficial University website - Websites or webpages that are not sanctioned by a University college, school, department, division, research center or administrative office to represent the University of Alabama, including, but not limited to, websites or webpages created by individual University employees, faculty, staff, students, and student organizations to represent individuals, groups, or organizations.
  • Web professionals forum – a quarterly meeting of campus-wide web professionals (UA employees with official web-related responsibilities) coordinated by the Division of Strategic Communications to discuss web issues impacting the University.         
  • Web resources – web applications, web pages, videos, images, documents (including pdf’s), and other digital materials delivered via the web.

Scope

This policy applies to all University websites, pages, and documents, campus-wide, with the exception of any website(s) created by or on behalf of the University’s Department of Intercollegiate Athletics.     


 

Division of Strategic Communications

Approved by Monica Watts, Associate Vice President, Communications, 03/02/2022