This guidance outlines principles for publishing non-public content behind ‘Single Sign On’ (SSO) online. Its purpose is to address platform and compliance issues related to SSO implementation on Mosaic as part of the UAS website migration project.
The Mosaic platform was designed to host external websites and has implemented a large proportion of the Information Security Team’s baseline security assessments. On this basis, it has been formally assessed as being suitable for storing public information. However, Mosaic was not designed for storing non-public data, and there are significant issues with hosting non-public content on Mosaic, including performance and security risks.
This means that Mosaic is unlikely to be the long-term solution for internal content. However, in the absence of an immediate alternative, Mosaic will be able to host some SSO content in the short term.
Guidance on publishing content
Please use the following guidelines when considering where to publish information online:
1. Where possible, Mosaic content pages should be made public
Mosaic is a public platform. Placing individual webpages behind SSO is likely to impact the user experience and make content harder to find. The guiding principle is that pages on the platform should be made public (even if the intended audience is internal) unless there is a specific reason not to.
2. The decision to restrict access to content pages should only be made in the following instances:
a. Making it public is likely to pose a compliance risk to the University.
For example, making public information about individuals, such as student admissions applications, staff appointments, or medical or employment data, is likely to breach data privacy legislation.
Content of this type should never be published on Mosaic. It should instead be hosted on SharePoint (or on another platform that the Information Security team has evaluated as secure enough to hold sensitive data).
b. Making it public is likely to lead to operational or reputational risks.
Some content is not high risk from a compliance perspective, although making it public could adversely impact the University. For example, including the work contact details of employees could lead to an influx of unhelpful calls to staff or put them at risk of harassment, and publishing Preferred Suppliers lists could be damaging from a commercial perspective.
Content of this type should be published behind SSO on the Mosaic platform.
3. Internal (SSO) documents such as Excel, Word and PDF files should only be published on SharePoint
This will help to reduce potential performance issues on the platform. Public facing documents should continue to be published on Mosaic.
This table provides an indication of where different types of content should be published. It should be used as a guide when making decisions.