A Web Publishing Policy governing the appropriate dissemination of information on business websites and social media pages SHALL be implemented.

Almost every business in today’s day and age has a website, social media pages, or more likely a combination of them. Publicly accessible content about your business is essential for marketing, customer communication, and maintaining good public relations. Precisely because that content is public, pages on the Internet are a prime target for threat actors. A threat actor can perform passive reconnaissance on your webpages to gather intelligence with which to formulate attacks. If your web services are unsecured, threat actors can launch attacks that take advantage of vulnerabilities to damage both your tangible and intangible assets. Common threats relating to public webpages and services include:

  • Website defacement
  • Directory traversal
  • SQL injection
  • Cross-Site Scripting (XSS)
  • XML injection

A good first layer of security for business websites and social media pages is to implement a web publishing policy specifying what kind of content cannot be published online. While this will not prevent threat actors from taking advantage of technical vulnerabilities in your web services, it will help eliminate potentially sensitive information from your digital footprint.

Content that should not be published online includes:

  • Any internal, confidential, or restricted business data
  • Protected Health Information (PHI)
  • Details on business security controls
  • Very specific details on hardware and software platforms used in the business environment
  • Information that hints at present vulnerabilities in digital infrastructure
  • Internal business policies and procedures
  • Plans, blueprints, diagrams, and photographs of the business's physical property and assets
  • Personally Identifiable Information (PII) about employees, customers, or other stakeholders. Contact information for employees should be limited to their name, business phone number/email address. No personal contact information of any kind should be connected with business webpages.
  • Information on the composition or preparation of hazardous materials or toxins
  • Sensitive information relating to homeland security
  • Information related to government contracts
  • Schedules and associated locations of internal business events
  • Investigative records
  • Financial records that have not been published and are not expected to be
  • Policies and procedures regarding emergency response, disaster recovery, and business continuity
  • Copyrighted material without the explicit permission of the owner

The policy structure should closely resemble the following:

  1. The information that should not be published online as stated above.
  2. The target audience and roles of the policy.
  3. Negative ramifications of non-compliance, both external and internal.
  4. Responsible personnel regarding regular compliance with the policy.
  5. Procedures for vetting information before online publishing.
  6. Points of contact for questions or concerns regarding any aspects of the policy.

Businesses are free to add additional restrictions as needed by their organizational policies and protocols. The web publishing policy should be shared with all company webmasters, multimedia creators, social media managers, and customer service representatives. These roles should be trained on this policy as part of their onboarding process, and continued compliance shall be ensured through audits and regular reviews of published web content.