Web server configuration and management policy
July 27, 2016
This policy provides guidelines for the effective and secure configuration and management of web servers, regardless of platform. You can use it as-is or customize it to fit the needs of your organization.
From the policy:
A company web page often represents the public face of the organization and serves as the backbone upon which much of the business is conducted. Customers can research and purchase products, employees can engage in marketing efforts to attract potential commerce, and users can engage in communication or collaboration to conduct their job responsibilities.
However, due to the critical nature of many web servers and the data they transmit or contain, these systems are often attractive targets for malicious hackers. Data breaches can produce crippling financial losses and damage to company reputation, and many well-known companies have suffered compromised web servers. Even simple human error resulting in server misconfiguration or the failure to disable a former employee’s account can have a negative impact on the organization.
This policy provides guidelines for the effective and secure configuration and management of web servers. Because there are many types of web servers—such as Microsoft’s Internet Information Services (IIS), Apache, Nginx, Sun Java, Lighttpd, and Jigsaw—running on various operating systems, this policy is not intended to serve as a step-by-step technological guide but rather as an overall series of platform-independent guidelines. Consult vendor documentation for the specifics of each policy requirement.
This policy covers employees who are responsible for configuring and managing web servers, including full-time and part-time staff, contract workers, consultants, interns, temporary workers, and other personnel. It also applies to all company-owned equipment and material related thereto.
There are no exceptions to this policy except where permitted in writing by the IT and/or security departments.