University Websites
VPCM-04

About This Policy
- Effective Date: 06-26-2025
- Date of Last Review/Update: 06-26-2025
- Responsible University Office: VP for Communications and Marketing
- Responsible University Administrator: VP for Communications and Marketing
- Policy Contact: Office of the Vice President for Communications and Marketing
- Policy Feedback: If you have comments or questions about this policy, let us know with the policy feedback form.
Scope
All university websites and digital properties using the copyright and/or trademark of the Trustees of Indiana University, managed in the official web content management system, social media, blogs, or hosted by Indiana University. This includes, but is not limited to, the following domains and their subdomains:
- https://iu.edu
- https://indiana.edu
- https://iupui.edu
- https://iue.edu
- https://iuk.edu
- https://iun.edu
- https://iusb.edu
- https://ius.edu
- https://iupuc.edu
- https://iufw.edu
Policy Statement
Indiana University’s websites and digital properties are owned by the Trustees of Indiana University and governed by the Office of the Vice President for Communications and Marketing (VPCM). VPCM ensures that websites reflect the University brand and are compliant, accessible as determined by the US Office of Civil Rights and in partnership with UITS, and aligned with the university’s strategic priorities.
Reason for Policy
The purpose of this policy is to ensure strategic focus, accessibility, compliance, security, quality, continuity, optimization, marketing, and brand integrity for all websites that represent Indiana University and all associated brands (e.g., IU Alumni Association, IU Foundation).
Procedures
Content
The appropriate academic and administrative unit(s) and their specific site owners that publish information on an official University website are fully responsible for maintaining accurate and up-to-date content, as well as developing and editing content per the University’s Enterprise Content Strategy, which is inclusive of the voice, tone, and editorial style guide.
Files
All files, such as PDFs, Word documents, etc., are subject to accessibility requirements as outlined by the university’s ADA policy.
Brand alignment
University websites must align with the University brand, as outlined in Indiana University’s Marketing and Communications Policy.
Content Management System
University Information Technology Services (UITS) governs the University’s enterprise web content management system in strategic partnership with University Communications and Marketing (UCM). They assign web roles or remove user access as needed to ensure University policies, Federal and State laws, Web Content Accessibility Guidelines (WCAG) 2.1 AA level, web standards, and University brand are followed.
Websites and digital properties hosted within the University web content management system must follow brand guidelines; include links to privacy, accessibility, copyright, and College Scorecard notices; and are owned by the Trustees of Indiana University.
All new websites at IU must be built and maintained using the university's enterprise web content management system, Cascade CMS (WCMS). This requirement applies to any web property with its own IU domain name, whose content is primarily static and which exists for informational, documentation, or marketing purposes. IU entities looking to create or maintain a website for informational, documentation, or marketing purposes may request an exception to this requirement by completing the CMS requirement exception form.
Websites published from the WCMS are intended solely for marketing and informational purposes. Applications and transactional systems must be hosted in secure, approved environments.
Websites published from the WCMS are hosted in the university’s approved hosting environment with limited access to internal university systems.
Within the content management system, users are prohibited from doing the following without written permission and coordination of UCM and UITS:
- Altering functionality and presentation of the established design system
- Creating content, folders, domains, subdomains, or webpages that do not support the university’s enterprise content strategy or search engine optimization strategy
- Using designs, fonts, colors or visual identity outside the University web template and brand guide
- Creating different templates, layouts, elements, components, chunk types, and code snippets that do not meet guidelines provided by UITS and UCM.
Permission for custom functionality may be requested by filling out the custom functionality request form.
Domains and web addresses
Official University websites must use the University’s domains, unless permission is provided in advance. Permission can be obtained by filling out the domain request form.
All web domain and subdomain requests are reviewed by UCM and UITS for adherence to the university’s strategic priorities and are subject to revision or denial.
Analytics
IU provides website performance reporting through an enterprise-wide ("Global") installation of Google Analytics (GA) deployed via the IU Global Google Tag Manager. All IU websites will report usage data via the Global GA installation. At no time and under no circumstances should a vendor or non-IU entity be allowed to install custom GA code on IU websites. Requests for exceptions to this can be made by filling out the GA exception request form.
Web tag management system
A tag management system provides site stewards with a tool to simplify the process of adding, updating, and managing marketing and analytics code (“tags”) across websites. For such purposes, all websites within IU's web portfolio shall use Google Tag Manager (GTM). All IU sites will use the “Global” GTM by default, deployed via the university's enterprise CMS, Cascade CMS. Site stewards may request custom GTMs from UCM for the purpose of additional analytics tracking or custom tags for marketing purposes on a site-by-site basis. At no time may a vendor or another third party attach a GTM to any IU site.
Approved vendors and/or third parties may add/update/edit tags but may never publish those updates. Only approved IU web stewards and/or UCM staff may publish tag updates after thorough review.
Fundraising
Non-university fundraising may not be conducted on any University web page.
Images, fonts, and other licensed materials
All images, fonts, and other licensed materials must comply with federal laws, state laws, and University policies. Images and fonts must be original content, considered public domain, or be purchased with appropriate licensing.
Outsourcing
University websites cannot be outsourced, built, designed, or hosted without review and approval. UCM and UITS, in partnership with IU Purchasing, review all requests to use university funds to build or maintain websites or web content.
Personal use
Access to the University’s CMS and publishing rights to IU web servers are restricted to those managing and maintaining official Indiana University websites. Using University resources for commercial or personal use is prohibited.
Hosting and domain use
Organizations not officially recognized by Indiana University, including those initiated by faculty, staff, students, or partners, are prohibited from utilizing University hosting services, the University content management system, and the iu.edu domain or University social media channels for their digital presence.
UITS is responsible for the governance of web hosting at Indiana University. They maintain security and technical infrastructure. Users of that infrastructure will be required to follow UITS standards.
Prohibited content
Website content that meets University policies, Federal and State laws, Web Content Accessibility Guidelines (WCAG) 2.1 AA level, web standards, and University brand standards can be published on Indiana University websites. Prohibited content and code include:
- Copyrighted or licensed materials for which the necessary permissions for use have not been obtained
- Advertising of non-university entities, businesses, organizations or products
- Material or speech that is unlawful, unless it includes a disclaimer for illustrative academic purposes only
- Material that is intended to damage, to interfere with, or place an excessive load on a computer system or network
- Content that implies institutional endorsement of entities, businesses, organizations, products, projects or services
- Content that is inconsistent with the University’s mission
- External links to pages that are inconsistent with the University’s mission
- Code that introduces vulnerabilities, such as outdated or unpatched software, including programming languages, frameworks, or applications past their end-of-life (EOL) date without active support from the publisher
- Code that fails to adhere to recognized security best practices, such as those outlined by OWASP (Open Web Application Security Project) or equivalent industry standards
- Code that contains common vulnerabilities, such as injection, cross-site scripting (XSS), or insecure deserialization
Site monitoring
UCM and UITS will actively monitor the University’s web presence to ensure web standards and University brand are followed.
Vulnerability scanning and remediation
All websites, applications, and code hosted in the university's enterprise hosting environments must meet UITS standards, and are subject to scanning, monitoring, and removal by UITS in the event that vulnerabilities are discovered and not remediated on an appropriate timeline determined by UITS and based on the severity of the vulnerabilities found.
Before launch
Before any new or redesigned website is launched and production is enabled, the site must be reviewed for items including, but not limited to, the following:
- Adherence with content strategy
- Adherence to ADA policy and accessibility requirements
- All applicable security scans
- Content quality control
- Adherence to the Copyright & Trademark policy
- Adherence to the Privacy Notice policy
Site stewardship and attestation
Website stewards are required to complete an annual attestation including, but not limited to, their responsibility for ensuring all contributors operate in compliance with this policy. Those creating websites are responsible for keeping university website inventory records accurate, including assigned stewardship.
Website lifecycle management
Websites no longer needed must be decommissioned promptly. Sites with any of the following are subject to review and potential removal: no validated purpose, minimal traffic, or out of date content.
Incident response plan
If a website is involved in a security incident, UITS will coordinate containment, investigation, and communication. All affected website stewards must comply with UITS requirements and participate in post-incident reviews.
Sanctions
UITS and UCM will actively monitor the University’s web presence to ensure it is in alignment with the university’s strategic priorities and enterprise content strategy.
Those who do not follow university policy may receive notification if steps are not taken to remedy the violation. Failure to comply with required actions may result in involvement with the site steward.
Sites without valid, annually renewed attestations and/or an IU employee sponsor are subject to removal following notification of the relevant Dean or Vice President.
The university will take immediate action to remediate sites that violate university policy or federal, state, or local laws, including revoking CMS access, revoking server access, and removing the DNS entry.