Guidelines for UK Government websites
Illustrated handbook for Web management teams

1.12 Procurement
This section provides advice on the main issues that should be taken into
account in procuring services for the design and hosting of websites. This
advice should be read in conjunction with wider guidance on government
procurement, e-Government Interoperability Framework and your Departmental
security policy. Refer to section 1.11.

1.12.1 Procurement of web design services

Contracts should distinguish clearly between the roles of the supplier and the
purchaser regarding:

      • design – structure and look and feel;
      • content provision;
      • project management;
      • maintenance including updating the site;
      • warranties;
      • site promotion.

Contracts should specify that copyright for those aspects of design that are not open
source resides with the Crown (the purchaser) and not the supplying designer/agency.
Where it is agreed that the supplier is retaining the intellectual property in the source
code, then a full licence must be provided for the use of the object code, stating the
purpose of the licence, the duration of the licence and any geographical limitations. For
example, do you need a non-exclusive, indefinite, world-wide, royalty-free licence?
Your supplier may be using contractors and freelancers and must therefore ensure
that all third-party rights have also been assigned and moral rights waived.

Purchasing officers should consider very carefully whether to accept implementation
of proprietary code by suppliers where there is an open-source alternative. You may
not have the right to amend proprietary code when you need to, and you may have to
go back to the original supplier to have this done.

In competitive tendering exercises, adherence to these guidelines should be a
prerequisite of an acceptable bid.

Maintenance and redesigns

Contracts for maintenance should specify service levels, including:

      • length of contract;
      • number, timing and promptness of updates;
      • number of templates to be provided by the contractor;
      • potential cost of additional design work outside that specified in the contract;
      • programme of work for ensuring effective registration with search engines and
        other forms of publicity.

Site redesigns should not be part of a maintenance contract. Redesigns should be
carried out as new work (a separate project). However, the contract should specify
the distinction between maintenance and new work, that is, work that exceeds a
certain financial, timescale or scope threshold will be considered as new work under
a separate project.

Other channels

In contracting for website design, departments and agencies should consider the
emerging requirement for information and services to be provided via other channels.
However, interactive digital TV is a very different medium and there are several
platforms. It is, therefore, not practical simply to deliver the same website for access
via PC and iDTV. Web managers need a multi-channel strategy, and appropriate
solutions will need to be developed for each channel.

1.12.2 Procurement of hosting services

Hosting services

Choosing the correct hosting service with the right level of services requires careful
planning. Broadly there are three types of hosting:

          • Virtual hosting – this is renting space on an offsite web server that is
            shared by other users. You manage the day-to-day content of your site.
          • Dedicated hosting – this takes your complete web function, including the
            provision of hardware, connectivity, firewalls, reporting services and other
            management services. You manage the day-to-day content of your site.
          • Co-location hosting – this service offers a secure physical location for web
            servers and equipment owned by you. The hosting service will also offer
            the connectivity. You manage the day-to-day content of your site and it
            needs to be clear who is responsible for your firewall and infrastructure
            management.

Connection guarantees

The level of connectivity (availability) assurance should be agreed with the Internet
Service Provider (ISP)/hosting service, as should compensation arrangements if they
are not met. It is for the business to decide whether 100 per cent connectivity needs
to be guaranteed. If it does, it should be borne in mind that 100 per cent connection
can only be guaranteed when connectivity is provided by more than one
telecommunications operator. Where web servers are guaranteed 100 per cent
uptime, purchasers must be aware that this is only likely when the website is hosted
on two servers in different locations. Contracts should specify levels of availability
and compensation arrangements if they are not met. Purchasers must be aware of
compensation claim procedures, and whether connection and uptime guarantees are
calculated annually, quarterly or monthly and whether these are on a fixed or rolling
basis.

Protection

No information appearing on a public website should be classified (protectively
marked). The level of protection provided by the ISP/hosting service site should be
sufficient to ensure the continued integrity and availability of your website. The
service provider should agree to regular and independent penetration testing to
confirm the quality of the protection measures. Guidelines for access control and
physical security should be sought through your Departmental Security Officer or
equivalent responsible officer and checked against the ISP's procedures.

Refer to section 1.11 Backgrounder on securing websites.

Backup

The ISP/hosting service should perform backup procedures to the client's
predetermined schedule. They should guarantee these procedures and the
maximum time to site restoration in the event of a failure.

Database integration

If the purchaser wishes to implement a database-driven site, either immediately or in
the future, they must be aware of any technical limitations and cost implications
imposed by the supplier.

CGI bin and scripting

Refer to section 1.11.2 The security of the web server application.

HTML editor extension provision

Where the purchaser wishes to use WYSIWYG software to produce content for the
site, they must be aware of any extensions required by the server, and whether the
supplier can support this. There are two potential difficulties with the use of
WYSIWYG tools:

          • They are renowned for producing non-standard HTML or at least ‘bulky
            pages’. In addition, many introduce vendor-specific functionality. This
            may produce unnecessary overheads to achieve the required HTML.
          • WYSIWYG tools that rely on server-side extensions for some of their
            functionality have been the cause of security difficulties. In all cases, the
            same server-side functionality can be achieved in a more secure fashion.

Web server statistics

The contract should specify whether the supplier will provide web server statistical
reports, as described in section 1.4, or provide the raw log files for reports to be
generated as part of another service.

Bandwidth

It should be the role of the service provider to ensure that adequate bandwidth is
available to you. However, it can be useful for purchasers to estimate growth in the
requirement for bandwidth over the course of a contract.

For some websites, a bursting connection is desirable (typically useful for websites that
receive seasonal or occasional growth in traffic). Unfortunately, it then becomes very
difficult to predict the overall cost of bandwidth over the year. The alternative is to
purchase fixed bandwidth. In this situation, high bandwidth (to cope with bursts of
traffic) will be expensive, whereas low bandwidth will result in users being unable to
reach the site.

Contracts should include pricing for higher and lower bandwidths than those initially
purchased and conditions for changes in bandwidth requirements, including periods
of notice. It is not, however, uncommon for bandwidth charges to be based on actual
usage.

Technical support

You should consider if you need 24x7 telephone technical support from your supplier.

Pricing

Pricing should be transparent. Purchasers must be aware of potential 'hidden' costs,
such as:

      • additional bandwidth;
      • additional disc space;
      • additional software;
      • surcharges on quarterly as opposed to annual payments;
      • maintenance of any hardware provided as part of the contract.

1.12.3 Disaster recovery

Ensure that you have written into your contract a range of information covering
protective actions, such as:

      • the frequency of backup of your complete website;
      • the safeguarding of the backed-up copies, eg onsite and/or offsite;
      • the supplier's responsibilities and action in the event of ‘denial of service’ by
        internal or external intervention;
      • the supplier's responsibilities and action if the service is compromised, eg, by
        power loss, flood or structural or similar damage to their location(s).

1.12.4 Hosting offshore

If it is proposed to host your website outside the UK then it is important that the
correct procurement procedures have been used, eg, complying with EU/WTO rules. As with
any ISP/hosting service, ensure that you are satisfied, in writing, that they are:

      • technically sound, and
      • administratively sound, and
      • able to successfully host your domain.

The contractual terms and conditions that may be applied by a supplier hosting
outside the UK may not complement the terms and conditions expected to be applied
to a UK Government website. You are advised to seek specialist procurement and
legal advice.

The security clearance of personnel is an important part of a security policy. It may
be difficult for a supplier abroad to meet your security standards. You are advised to
seek advice from your security officer.

See checklist: Choosing an Internet Service Provider/hosting service

       1. Your briefing document should focus on the business case and
          objectives for the project – what your website needs to achieve.
       2. Make sure that your supplier confirms that your server or the proposed
          system solution supports all their proposals and that these proposals will
          be part of the delivered final product. You should also ensure that their
          proposals work within your declared privacy policy.
       3. Brief in your needs for documentation, staff training and content
          management and updating. Companies do go out of business; consider
          safeguarding against this by using an escrow agent – an independent
          third party that will store a copy of the source code, so that developers
          can use it in the future.
       4. When buying design services it is inadequate for the designer to simply
          present colour visuals or mock-ups of the look and feel. It is important
          that they guarantee that these can be closely reproduced on screen and
          that their HTML markup meets the W3C recommendations. When you
          buy web design you are also buying the source coding that will render
          the visual onto computer screens and the standard of this is the
          backbone in achieving HTML validation and meeting the WAI
          requirements. It is important that the successful bidder is asked to
          present a specimen to you as HTML markup.

       DOMAIN NAME REGISTRATION (Refer to section 1.9)
       If you are considering registering a domain name, it should be clearly understood
       who is undertaking this registration. If it is an agency doing so on your behalf then
       ensure that the name is to be handed over to your department/agency. Clarify what
       will happen to domain name renewal notices. Failure to clarify these points could leave
       you vulnerable to an outside agency and possible failure to renew.

       Contractors may wish to use the relationship with you in their publicity material. It is
       important to consider including a suitable clause in your web contracts in order that
       they do not use this relationship for their press and publicity purposes without first
       ensuring that it is part of your communications strategy.

See also: e-Government Interoperability Framework.

Checklist: Choosing an ISP/hosting service
This checklist appended to section 1.12 is intended to assist you when
choosing an Internet service provider (ISP) or supplier for your web hosting
and Internet facilities. It is important that the supplier provides the answers in
writing and that they are written into your service level agreement.

Done    Description
       • Transfer your existing domain names and your content?
       • How much is it going to cost?
       • Are you getting virtual space or dedicated space?
       • What type of server/operating system are you getting (Mac, UNIX, Linux)? Performance, eg,
         how fast? Do you want MS FrontPage extension support or to use an ASP database?
       • What type of environment is the server in, eg, secure and resilient data centre – physically
         secure, dedicated power, cooling, etc? What time standards are maintained by the server, eg,
         NTP synchronised?
       • How much server space are you being offered (eg 5 Gb)?
       • Support – is it effective and helpful, on 7x24, on local call rates/email? How many work in the
         support centre at any given time? Do you have a named individual responsible for support? Are
         you providing a named individual for support contact? Have you a detailed server/OS
         maintenance procedure?
       • What access speeds can you expect, is it a 64 kbps pipe?
       • Scalability:
         How quickly could the bandwidth be expanded to support an identified or anticipated rise in
         How quickly can they expand your server space and at what cost?
       • Provision of a statement of redundancy and a disaster recovery plan, eg if your site goes
         down how quickly will your hosting service switch connection? Do they have multiple
         connections and/or site mirroring arrangements? What if their physical location is flooded?
       • Security – provision of a security statement is essential. This must cover username/password
         protection and management policy; virus protection; what standards do they apply and how often
         are they updated. Do they conduct pentesting?
       • Incident responses – including, who has the authority to decide action? Who will decide if
         police/investigation authority is to be called in? Who will answer press enquiries?
       • How often will they back up your site and what physical security is provided for the backup?
       • How quickly can they register and/or renew domains on your behalf?
       • How quickly can they add a new and additional domain name?
       • Are server log files/traffic analysis reports provided weekly/monthly? Are they made
         available server-side?
       • Will they support scripting and do you have access to your CGI bin?
       • Site update procedures, eg, FTP access – for controlled uploading/downloading? Do you have
         unlimited 24-hour authenticated (SSH/SSL) access?

       • Do you want an FTP server to provide an anonymous FTP downloading facility?
       • Will the FTP environment have the option of SSL or SSH connection?
       • Do they provide any streaming facilities? If so, please detail type and number.
       • Do you have an option for an SSL/TLS (Secure Sockets) server connection?
       • Do they provide email accounts and listserver facilities?
       • Can databases be integrated into your facility?
       • Do they provide facilities to host closed/open discussion groups? (refer to section 1.6)
       • What are your integrity and availability requirements?
       • Does the service supplier have, or is it working to achieve, ISO 17799 compliance?
       • How much is it going to cost? Have this broken down into details, including buying, leasing,
         licences etc.
       • Are you using cookies?
       • Do the hosting arrangements fully comply with your published privacy statement?
