Audit of the Department's Websites
The OIG has released a draft of its audit of the Department's websites. Unfortunately, the cover letter asks that the draft not be shared. However, our response to the draft report can be shared (or, in this case, summarized).
LBL requires that all systems, whether they are workstations, servers, devices, microscopes, PDAs, or web servers, be managed in an appropriate, secure manner that integrates security into the lifecycle.
This approach is consistent with the philosophy that line management owns security: we want to push responsibility for appropriate configuration to the person responsible for using and managing the machine. This approach is also consistent with how most large research universities manage websites (many servers, run at the department or project level).
It is not consistent with the view that consolidation is always superior to decentralization.
