Guidelines for berkeley.edu websites

Campus website owners must comply with campus and systemwide policies in order to use a berkeley.edu domain. These policies include (but are not limited to):

• Privacy
• Brand protection
• Security
• Accessibility

Summary

Campus website owners must identify a Security Contact who will receive notifications of any security issues. If the website is hosted on a third-party hosting service, the site owner must also identify a Resource Proprietor who takes responsibility for ensuring that the site meets campus IT policy requirements and includes a privacy statement, which indicates what personal data the website collects from visitors and how that information is used. This is done through the Socreg asset registration portal, a campus self-service asset registration portal, which includes registration for offsite hostnames.

Campus website owners should also ensure that their data collection practices align with the UC Statement of Privacy Values. For example, campus websites should not engage in prohibited activities such as the use of third-party advertisements or analytics that track and provide users’ personal data to third parties.

Third-party "no-code" web hosting services are not suitable for berkeley.edu domains because they do not make it possible to comply with Privacy, Brand Protection, Security, Accessibility, and other applicable policies. Examples of these services include Squarespace, Weebly, Wix, and Webflow.

Below is an outline of the requirements and processes for setting up a Berkeley.edu hostname for a website. The word "domain" is often used in this context; however, "hostname" is the correct term, and will be used on the rest of this page.

Notes on terminology

• A domain is a top-level name in the Domain Name System (DNS).
  • Domain examples: berkeley.edu, google.com.
    
    
• A subdomain is a lower level domain, which may contain other DNS names.
  • Subdomain examples: technology.berkeley.edu, security.berkeley.edu. 
    
• A hostname is an individual name within a domain or subdomain. Hostnames typically point to a web site or the IP address of an individual device.
  • Hostname examples: www.berkeley.edu, www.eecs.berkeley.edu, ns1.berkeley.edu

Requirements and Guidelines

Campus departments must receive approval from the Information Security Office (ISO) to use a berkeley.edu hostname with an offsite hosting service. Additionally, any new hostname within the top-level Berkeley.edu zone must be approved by the Domain Approval committee.

Security Contact and Socreg

To complete the offsite hostname registration process in Socreg, the campus department must choose a "Security Contact" for the offsite hostname. A Security Contact is a role used by authorized members to register IT Resources in Socreg and to receive security notices involving those resources. If others in your department have a Security Contact role in Socreg, ask them to request the offsite hostname.

If you do not know your department's Security Contact, you can begin the registration process by logging into Socreg and creating a new offsite hostname registration. ISO staff will help you find your department's Security Contact as part of the registration and approval process.

The Security Contact will need to know the following information in order to register an offsite hostname:

• Offsite hostname: The requested berkeley.edu hostname.
• Hosting Service: The offsite hosting service (such as Pantheon or WPEngine).
• Data Protection Level: Select the approved Data Protection Level for the service; for example, sites on Pantheon are only approved for Protection Level P1.
• Description: Simple description of website.
• Additional notes to Domain Name System (DNS) Administrator: The DNS (Domain Name System) information provided by the offsite hosting service. The DNS Administrator needs this information in order to point the berkeley.edu hostname to the hosting service in the campus DNS.

Domain Approval

Once a top level hostname has been approved to be used with an offsite hosting service, that hostname will also need to be approved by the Domain Approval committee. For each hostname, the DNS Administrator will need answers to the following prompts as a part of the Domain Approval process:

• The purpose of the hostname, who will be using it, and its relationship to the university's mission.
• A responsible contact for the hostname.
• Acknowledgment that all relevant university policies will be followed, including those on campus website accessibility. https://dap.berkeley.edu/get-help/report-web-accessibility-issue

The campus department will be informed accordingly once their hostname has been approved or if their proposed hostname does not align with the Domain Approval requirements.

Related Knowledge Base Articles

• Offsite Hosting Process
• Onsite Hosting Process

Additional Resources

Web Accessibility Resources

• Digital Accessibility Program
• Siteimprove - required automated accessibility tool for websites