Web security standards
- After the site goes live, the Agency that developed the site is responsible for making sure it works flawlessly on the software side, for acting on software-related issues, and for every area it has access to (FTP, SQL, etc.); server issues are excluded from this responsibility. Uptime must be at least 99.99 percent in total, including any server problems.
- Hosting and access information (FTP, SQL, etc.) shall be provided to the Agency by the Hosting Company. The website shall be hosted on the “virtual server.”
- Capacity and operating system requirements must be communicated to the Hosting Company at least 15 days before the website goes live, and it must be confirmed that those technical requirements can be met.
- The Agency itself shall perform periodic backups of the website: daily if a website update agreement exists, monthly otherwise.
- The website must be tested at test.siteadi.com, that is, on the Hosting Company’s servers, and must be hosted on The Digital Agency’s virtual server pool throughout all stages, including testing and going live.
- Before the project launches, the required features must be checked with the hosting side (the Hosting Company). If the Agency decides to continue development on a different platform without obtaining prior approval, the Agency shall bear all resulting additional costs and damages, including the cost of the brand failing to go live on time.
- Vulnerabilities identified and communicated by The Digital Agency IT Security must be fixed within the specified time. After the relevant security report has been communicated to the Agency, Critical Bugs must be completely fixed within one (1) week, Severe Bugs within two (2) weeks and Moderate Bugs within one (1) month. If the Agency identifies a bug that cannot be fixed within these periods, or that falls outside its responsibility, it must inform IT of this within two (2) weeks of receiving the report.
- Neither the website nor its source code may disclose information about the platform or application (for example, server, framework or CMS names and version numbers in HTTP headers, HTML comments, meta tags or error pages).
- Login checks must be enforced on the server side, in every section of the website that users access, not only on the client side.
- The contents of Flash objects and active scripts must be checked carefully: they must not contain information such as usernames, passwords, etc.
- Protective measures must be taken against Cross-Site Scripting (XSS), injection and brute-force attacks, and the website must be checked manually against these during the testing stage.
- During all stages of development, the “BS ISO/IEC 18028-4:2005” standard must be adhered to, in addition to the Agency’s in-house standards and those required by IT (the document can be found through a Google search).
- FTPS shall be used to exchange files, member information, source files, passwords, etc. among the brand, the Agency and third parties; such material shall be placed in a .rar archive encrypted with a password of at least 10 characters. Passwords shall be communicated by phone, not by email. Files containing more sensitive information shall be placed in an encrypted .rar archive, burnt to a DVD and delivered by post or courier.
- Personal and sensitive information such as credit card details, passwords, user logins, campaign participation data, etc. shall be transmitted over HTTPS, never over plain HTTP.
- Directory listings must be disabled on websites. Files must not be uploaded to publicly accessible servers or to servers indexed by Google, but only to servers that restrict access through an interface and a password.
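The item on XSS, injection and brute-force protection names the attacks but not the countermeasures. The following Python example is added here as an illustration and is not part of the standards or of any Agency code: it shows a deliberately vulnerable SQL lookup next to its parameterised form, output encoding for user-supplied text, and a sliding-window login throttle. The table, users and payload are constructed for the example; SQLite stands in for whatever database the site uses.

```python
import html
import sqlite3
import time
from collections import defaultdict


def build_demo_db():
    """In-memory SQLite database with two constructed users (example data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (username, pw_hash) VALUES (?, ?)",
        [("alice", "<hash>"), ("bob", "<hash>")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """DELIBERATELY VULNERABLE: user input is pasted into the SQL text.

    An input such as  ' OR '1'='1  turns the WHERE clause into a tautology
    and returns every row; this is the pattern the testing stage must catch.
    """
    query = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_hardened(conn, username):
    """Parameterised query: the driver sends the value separately from the SQL,
    so the same payload is looked up literally and matches nothing."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


def render_comment(author, body):
    """Output encoding against XSS: user-supplied text goes through html.escape
    before being placed in HTML text. A value placed inside a script block or
    an attribute would need the encoding appropriate to that context."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(body)}</p>"


class LoginThrottle:
    """Brute-force protection: lock a username after max_failures failed logins
    within a sliding window. The clock is injectable so the behaviour is testable."""

    def __init__(self, max_failures=5, window_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock
        self._failures = defaultdict(list)

    def _recent_failures(self, username):
        now = self.clock()
        kept = [t for t in self._failures[username] if now - t < self.window]
        self._failures[username] = kept
        return len(kept)

    def is_locked(self, username):
        return self._recent_failures(username) >= self.max_failures

    def record_failure(self, username):
        self._failures[username].append(self.clock())

    def record_success(self, username):
        self._failures.pop(username, None)


if __name__ == "__main__":
    conn = build_demo_db()
    payload = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(conn, payload))   # every user
    print("hardened:  ", find_user_hardened(conn, payload))     # []
    print(render_comment("guest", "<script>alert(1)</script>"))
    throttle = LoginThrottle(max_failures=3, window_seconds=60)
    for _ in range(3):
        throttle.record_failure("bob")
    print("bob locked:", throttle.is_locked("bob"))             # True
```

The throttle keys on username only; a production login would also count failures per source address and would verify passwords with a proper password hash, which is outside what this item covers.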
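Several of the items above (no platform information in the site or its source, no credentials in active script, HTTPS for sensitive data, no directory listings) are things a tester can verify mechanically against the test host. The Python script below is added as an illustration of such a check and is not part of the standards or of any Agency tooling: it scans saved HTTP responses for platform-disclosing headers and meta tags, directory-listing pages, secrets in inline scripts, and login forms served or submitted over plain HTTP. The responses, URLs and detection patterns are constructed for the example and would need tuning to the platform actually in use.

```python
import re

# Headers that name the framework or platform; the standard says none of this may leak.
PLATFORM_HEADERS = ("x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "x-generator")
# A Server header with a version number is flagged; a bare product name is also a
# disclosure under the standard, so in practice the header should be emptied entirely.
VERSION_RE = re.compile(r"\d+\.\d+")
# Apache/nginx autoindex titles and the IIS parent-directory link.
DIR_LISTING_RE = re.compile(r"<title>\s*Index of\s*/|\[To Parent Directory\]", re.I)
META_GENERATOR_RE = re.compile(r'<meta[^>]+name=["\']generator["\'][^>]*>', re.I)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
SECRET_RE = re.compile(r"""(password|passwd|pwd|secret|api_?key)\s*[:=]\s*["'][^"']+["']""", re.I)
INSECURE_FORM_RE = re.compile(r"""<form\b[^>]*action=["']http://""", re.I)
PASSWORD_INPUT_RE = re.compile(r"""<input\b[^>]*type=["']password["']""", re.I)


def check_response(url, headers, body):
    """Return a list of (check_id, detail) findings for one saved HTTP response."""
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}

    server = hdrs.get("server", "")
    if VERSION_RE.search(server):
        findings.append(("platform-header", f"Server: {server}"))
    for name in PLATFORM_HEADERS:
        if hdrs.get(name):
            findings.append(("platform-header", f"{name}: {hdrs[name]}"))

    if DIR_LISTING_RE.search(body):
        findings.append(("directory-listing", url))

    meta = META_GENERATOR_RE.search(body)
    if meta:
        findings.append(("meta-generator", meta.group(0)))

    for script in SCRIPT_RE.findall(body):
        for secret in SECRET_RE.finditer(script):
            findings.append(("inline-secret", secret.group(0)))

    if INSECURE_FORM_RE.search(body):
        findings.append(("insecure-form", url))
    if url.lower().startswith("http://") and PASSWORD_INPUT_RE.search(body):
        findings.append(("insecure-login-page", url))
    return findings


# Constructed responses standing in for captures from the test host.
SAMPLE_RESPONSES = [
    ("https://test.siteadi.com/uploads/",
     {"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3"},
     "<html><head><title>Index of /uploads</title></head><body>"
     "<a href='../'>Parent Directory</a></body></html>"),
    ("http://test.siteadi.com/admin",
     {},
     '<html><head><meta name="generator" content="SomeCMS 5.8"></head><body>'
     '<script>var password = "hunter2";</script>'
     '<form action="http://test.siteadi.com/admin" method="post">'
     '<input type="password" name="p"></form></body></html>'),
    ("https://test.siteadi.com/login",
     {"Server": "", "Content-Type": "text/html"},
     '<html><body><form action="https://test.siteadi.com/login" method="post">'
     '<input type="password" name="p"></form></body></html>'),
]


def run_checks(responses=SAMPLE_RESPONSES):
    """Map each URL to its findings; an empty list means the page passed."""
    return {url: check_response(url, headers, body) for url, headers, body in responses}


if __name__ == "__main__":
    for url, findings in run_checks().items():
        print(url, "OK" if not findings else "")
        for check_id, detail in findings:
            print(f"  [{check_id}] {detail}")
```

The script only looks at the responses it is given, so pages must still be requested (with and without a trailing slash, and with deliberately malformed input to trigger error pages) before the check has anything to inspect.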