IX. Specific Notes in Producing and Developing Homepages
(C) Technical Aspects
1. Uploading files onto the Central Internet Gateway (CIG)
90. Following the setting up of CIG in early 2000, there are better protected access channels for uploading files onto the CIG web server: using an access token through SSL-VPN via the Internet or a dial-up connection.
2. Test and production environments
91. Test and production environments are maintained for each homepage in the CIG. Web pages should be uploaded to the test environment for testing before uploading to the production environment. There should not be any interface or dependencies between the production site and the test site. No reference to the test site should be made in the production environment. For security reasons, login and file transfer to the test and production web servers must go through strong authentication using the access token dial-up connection. Bureaux/departments are accountable for the web contents and integrity of their production and test sites.
3. Account/password control
92. All webmasters must possess an access token in order to log in to CIG's web hosting data centre. Respective webmasters will assume full responsibility for the safe-keeping and administration of the token issued by CIG System. As the access token plays an important role in enforcing the security and integrity of the Government's Internet web content, webmasters should handle the token with great care. The token will only authenticate webmasters for access to the CIG web hosting network; a user name and password will still be required for content upload to the respective web content in the test and production servers. In cases where the website is not hosted under CIG, the responsible bureau/department should ensure that sufficient security measures are in place. Reference information is available in the documents promulgated vide OGCIO Circular No. 3/2006 on "Revised Government IT Security Policy and Guidelines". Passwords released to service providers should be changed right after the development is completed.
93. Passwords should be changed periodically and kept secure. They should only be made known to personnel on a need-to-know basis and must not be hardcoded in any applications, programmes or scripts. Control of accounts/passwords should not be limited to CIG login accounts only. Accounts for accessing ISPs, emails or other Internet services should be controlled as well.
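A pre-upload check of the kind paras 91 and 93 call for (no reference to the test site in production content, no password hardcoded in scripts), as an added example that is not part of these guidelines or of any CIG tool; the test-site hostname, the credential pattern and the sample files are assumptions:

```python
"""Pre-upload check for content bound for the CIG production environment.

Added example, not part of the OGCIO guidelines or any CIG tool. It checks
two rules from paras 91 and 93: production pages must not reference the
test site, and scripts must not carry hardcoded passwords. The test-site
hostname and the sample files are constructed placeholders.
"""
import re

# Assumed placeholder hostname of the test environment (not a real CIG host).
TEST_SITE_HOSTS = ("test.dept-example.gov.hk",)

# A password-like name assigned a quoted literal of 4+ characters, e.g.
#   password = "s3cret"   or   PWD:="hunter22"
HARDCODED_SECRET = re.compile(
    r"""(?i)\b(pass(?:word|wd)?|pwd|secret)\b\s*[:=]+\s*['"][^'"]{4,}['"]"""
)


def check_content(path, text):
    """Return findings for one file as 'path:line: reason' strings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        lowered = line.lower()
        for host in TEST_SITE_HOSTS:
            if host in lowered:
                findings.append(f"{path}:{lineno}: references test site {host}")
        if HARDCODED_SECRET.search(line):
            findings.append(f"{path}:{lineno}: hardcoded credential in script")
    return findings


def check_upload_set(files):
    """files maps path -> content; returns all findings, empty means OK."""
    findings = []
    for path, text in files.items():
        findings.extend(check_content(path, text))
    return findings


# Constructed sample upload set: one clean page, one page linking to the
# test site, one upload script with an embedded password.
SAMPLE_FILES = {
    "index.html": '<a href="https://www.dept-example.gov.hk/news.html">News</a>',
    "news.html": '<img src="http://test.dept-example.gov.hk/img/logo.gif">',
    "upload.sh": 'PASSWORD="ChangeMe123"\nftp -n prod.dept-example.gov.hk',
}

if __name__ == "__main__":
    for finding in check_upload_set(SAMPLE_FILES):
        print(finding)
```

Run it over the staged files before uploading to production and refuse the upload while the findings list is non-empty.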
4. Browsers
94. In theory, Government homepages should be tested on different browsers to see the effect. In practice, testing them on Netscape Navigator, Internet Explorer and Firefox will suffice. As most users do not upgrade their browsers regularly, it will be useful to try out a page with the more popular and low-end versions.
95. As quite a number of Chinese users use Chinese windows, it will be useful to produce English pages in the Chinese windows environment to avoid missing apostrophes and quotation marks.
96. Users should be reminded to use the appropriate version of browsers to view the pages. If the page requires a recent version, a link to the supplier may be provided.
5. Screen resolution
97. The lowest acceptable screen resolution should be determined at the onset, before the development stage. The most common screen resolution is 800 x 600 pixels. Some advanced monitors have adopted 1024 x 768 resolution. Tests should be conducted for homepages viewed under different resolutions to avoid an improper page layout under certain screen resolutions. It may be useful if the best resolution for browsing a homepage is stated in the index page or under "Important Notices".
6. Security
98. Webmasters should heed the importance of proper security measures for Government homepages and ensure that the relevant Government IT security policy and guidelines are being observed, especially when collection or transmission of personal or sensitive information (see also para. 68 above) is involved. In this regard, reference should be made to the documents promulgated vide OGCIO Circular No. 3/2006 on "Revised Government IT Security Policy and Guidelines".
99. An information security incident handling procedure should also be developed and communicated to all relevant parties for the detection and handling of information security incidents. Bureaux/departments should also note and observe the requirement of reporting Government information security incidents to the Government Information Security Incident Response Office ("GIRO"). Details on the above can be found in the Information Security Incident Handling Guidelines (G54).
7. Markup validation
100. Although the current common Web browsers have high tolerance to syntax errors for Web contents written using markup languages, such as HTML or XHTML, it is desirable that Government homepages should be syntactically correct according to the specifications published by the W3C. This could better assure the compatibility and interoperability for current as well as future versions of Web browsers when accessing such contents. There are free online validation tools available such as the W3C Markup Validation Service at http://validator.w3.org.
