University Websites

Scope

Anyone at IU who manages any university website which fulfill any of the following:

• All university websites and digital properties using the copyright and/or trademark of Indiana University.
• Managed in the official web content management system.
• Hosted by Indiana University.
• Using IU-managed, grant or ICR-funded, or IU Foundation funds to purchase a domain, content management system, or tool to create a website.

This includes, but is not limited to, the following domains and their subdomains:

• https://iu.edu
• https://indiana.edu
• https://iupui.edu
• https://iue.edu
• https://iuk.edu
• https://iun.edu
• https://iusb.edu
• https://ius.edu
• https://iupuc.edu
• https://iufw.edu

Student media websites are excluded from compliance with this policy.

In the event of a conflict, this policy shall supersede all campus, school and college, program, department, center, institute, and unit policies on any core or regional campuses of Indiana University. 

Back to top

Policy Statement

IU websites and digital properties are owned by the Trustees of Indiana University and governed by the Office of the Vice President for Communications and Marketing (VPCM). VPCM, in partnership with University Information Technology Services (UITS) and the Office of the Vice President, General Counsel (OVPGC), and the University Compliance Office also ensures that websites reflect the university brand and are compliant with applicable law, including accessibility requirements.

Back to top

Reason for Policy

The purpose of this policy is to ensure strategic focus, accessibility, compliance, security, quality, continuity, optimization, marketing, and brand integrity for all websites that represent Indiana University and all associated brands (e.g., IU Alumni Association, IU Foundation).

Back to top

Procedures

Usage eligibility

Organizations that operate independently from, or are not officially recognized by, Indiana University and do not support the university’s mission are not eligible to use IU web infrastructure.

Content

Site stewards are responsible for maintaining accurate, current content per IU’s Enterprise Content Strategy.

Files 

All uploaded files must comply with the UA-02: Americans with Disabilities Act (ADA).

Brand Alignment 

Websites must  follow IU’s brand guidelines per VPE-01: Marketing and Communications. The following are also prohibited:

• Altering functionality and presentation of the established design system
• Using designs, fonts, colors or visual identity outside the University web template and brand guide
• Creating different templates, layouts, elements, components, chunk types, and code snippets that do not meet guidelines provided by UITS and UCM.

Exceptions to this may be made by requesting and receiving approval.

Content Management System

UITS manages IU’s web content system in partnership with UCM. UITS assigns web roles and removes user access as needed.

IU websites must be built and maintained using the university's enterprise web content management system, Cascade CMS (WCMS), and must use the enterprise framework to remain compliant with other IU policies, including VPE-01: Marketing and Communications, UA-02: Americans with Disabilities Act (ADA), and ISPP-24: Website, Web Application, and Web Services Privacy Notices. IU entities intending to use another content management system to create or maintain a website for informational, documentation, or marketing purposes may request an exception to this requirement by completing the CMS requirement exception form. Exceptions exist for centrally supported systems. Questions about whether an exception exists for a specific tool can be directed to the policy contact.

Websites published from the WCMS are intended solely for marketing and informational purposes.

Websites published from the WCMS are hosted in the university’s approved hosting environment.

IU Blogs 

IU Blogs should only be used for blogging and not as a substitute for an IU website.

Website approval

 All units at Indiana University, whether they already have a website or intend to create a new website, are subject to review and approval through the website approval process   when requesting a new site or significant changes to an existing site. The following types of requests are subject to review and approval through the website approval process:

• Creation of a new website
• Creation of a new IU domain
• Creation of a new WCMS site
• Requested exception to any provision of the University Websites policy
• Purchase of domains, services, or content management systems outside of the WCMS

Requests for standalone websites that fulfill any of the following criteria are prohibited and requests for new sites for these purposes will not be approved.  

• Sites that will be live for less than three years
• Sites for an individual degree program
• Sites that host course materials
• Sites for a conference or one-time event
• Sites made primarily for a short, easy to read URL
• Sites for self-governed student organizations
• Sites intended to be a blog
• Sites only for news and stories

Content about the above topics should be added to an existing IU website or use an enterprise tool. Course materials must live on Canvas or another university-supported platform for housing instructional materials. For more information about best practices for creating the above types of content on the web, please view the list of alternative options.

Existing websites are subject to this requirement. Website stewards may be contacted with instructions to bring their websites into alignment.

Requests for websites must be submitted by a full-time IU faculty or staff member with active employment.

Questions about this process may be directed to the policy contact.

Analytics

IU provides website performance reporting via an enterprise-wide ("Global") installation of Google Analytics (GA) via the IU Global Google Tag Manager. All IU websites will report usage data via the Global GA installation. At no time and under no circumstances should a vendor or non-IU entity be allowed to install custom GA code to IU websites. Requests for exceptions to this can be made by filling out the GA exception request form.

Web tag management system

A tag management system provides site stewards with a tool to simplify the process of adding, updating, and managing marketing and analytics code (“tags”) across websites. For such purposes, all websites within IU's web portfolio shall use Google Tag Manager (GTM). All IU sites will use the “Global” GTM by default, deployed via the university's enterprise CMS, Cascade CMS. Site stewards may request custom GTMs from UCM for purpose of additional analytics tracking or custom tags for marketing purposes on a site-by-site basis. At no time may a vendor or another third party attach a GTM to any IU site.

Approved vendors and/or third parties may add/update/edit tags but may never publish those updates. Only approved IU web stewards and/or UCM staff may publish tag updates after thorough review.

Fundraising 

Non-university fundraising may not be conducted on any university web page.

Images, fonts, and other licensed materials 

 All images, fonts, and other licensed materials must comply with federal laws, state laws, and university policies. Images and fonts must be original content, considered public domain, or be purchased with appropriate licensing.

Outsourcing 

University websites cannot be outsourced, built, designed, or hosted by a third party without review and approval. UCM and UITS, in partnership with IU Purchasing, shall review all requests to use university funds to build or maintain websites or web content. 

Personal use 

Only IU personnel, or vendors under the direct supervision of IU personnel, may have access to the University’s CMS and may publish to IU web servers. Using university resources for non-university purposes or personal use is prohibited.

Hosting, domains, and web addresses

IU Websites must be published under the relevant university domain unless an exception is approved through the website approval process.

All web domain and subdomain requests are reviewed by UCM and UITS for adherence to the university’s strategic priorities and are subject to revision or denial.

IU domains shall not redirect to non-IU domains.

UITS is responsible for the governance of web hosting at Indiana University. They maintain security and technical infrastructure. Users of that infrastructure will be required to follow UITS standards.

Prohibited content 

Prohibited content and code includes: 

• Copyrighted or licensed materials for which the necessary permissions for use have not been obtained.
• Advertising of outside organizations, products, or services.
• Material or speech that is unlawful.
• Material that is intended to damage, interfere with, or place an excessive load on a computer system or network.
• Content or links that imply institutional endorsement of outside organizations, products, or services.
• Outdated or unpatched software, including but not limited to programming languages, frameworks, or applications past their end-of-life (EOL) date, without active support from their maintainer/publisher.
• Outdated or unpatched software, including but not limited to programming languages, frameworks, or applications past their end-of-life (EOL) date, without active support from their maintainer/publisher.
• Code that fails to adhere to recognized security best practices, such as those outlined by OWASP (Open Web Application Security Project) or equivalent industry standards.
• Vulnerable code, including but not limited to code that permits injection attacks, cross-site scripting (XSS), and insecure deserialization.

Site monitoring 

UCM and UITS will actively monitor the university’s web presence to ensure web standards and university brand are followed. Site stewards will be contacted if issues are found, and remediation will be required on an appropriate timeline determined by UCM.

Vulnerability scanning and remediation

All websites, applications, and code hosted in the university's enterprise hosting environments must meet UITS standards, and are subject to scanning, monitoring, and removal by UITS in the event that vulnerabilities are discovered and not remediated on an appropriate timeline determined by UITS and based on the severity of the vulnerabilities found.

Before launch

Before any new or redesigned website is launched and production is enabled, all sites are required to be reviewed, including for, but not limited to, the following:

• Adherence with content strategy
• Adherence to UA-02: Americans with Disabilities Act (ADA) and accessibility requirements
• All applicable security scans
• Content quality control
• Successful installation of IU’s enterprise instance of Google Analytics 4 and Siteimprove analytics
• Adherence to  ISPP-24: Website, Web Application, and Web Services Privacy Notices

Site stewardship and attestation

Website stewards are required to complete an annual attestation including, but not limited to,  attesting their compliance with this policy. Website stewards are responsible for keeping university website inventory records accurate, including assigned stewardship.

Website stewards must be actively employed IU faculty or full-time staff members.

Site stewards are responsible for ensuring that all contributors to an IU website comply with this policy.

Website lifecycle management

Websites no longer needed must be decommissioned promptly. Sites with any of the following are subject to review and potential removal: no validated purpose, minimal traffic, or out of date content. Websites being retired must follow retirement procedures.

Security

Website stewards are responsible for ensuring compliance with security requirements and risk mitigation in alignment with university policies, including IT-28: Cyber Risk Mitigation Responsibilities and ISPP-26: Information and Information System Incident Reporting, Management, and Breach Notification.

Back to top

Definitions

IU Website: Any web property with its own IU domain name, whose content is primarily static, and which exists for informational, documentation, or marketing purposes.

IU Web Infrastructure: University-managed hosting environments, enterprise installation of Cascade CMS (WCMS), IU-owned domains.

Website Steward: The group account owner, technical contact, or defined website steward in the website directory. Responsible for the oversight of the website.

Back to top

Sanctions

Those who do not follow university policy may receive notification if steps are not taken to remedy the violation. Failure to comply with required actions may result in involvement with the site steward.

Sites without valid, annually renewed attestations and/or IU employee sponsor are subject to removal following notification of the relevant Dean or Vice President.

The university will take immediate action to remediate sites that violate university policy or  applicable law, including revoking CMS access, revoking server access, and/or removing the DNS entry. Site stewards and other employees responsible for a university website who fail to comply with this policy may face disciplinary actions, up to and including termination.

Back to top

History

June 2025 – New policy

December 2025 – Substantive revisions

Back to top