Guidelines for Information Security Audit of Websites hosted on other organisation’s Webserver
When a website is hosted on a webserver owned by another organisation, the webserver system, its operating system and the webhosting application software, including any backend database application software, are under the control of the organisation hosting the website (i.e. the owner of the webserver). The information security audit of those assets is therefore the responsibility of the webserver owner, since the organisation that owns the website contents has no access to, or control over, them.
Information Security Audit of website contents – Scope of Audit
The data and software that make up the website itself, i.e. the static web pages, active server pages (ASP), scripts, backend databases and any other related applications (as applicable), are under the control of the organisation that owns the website contents. That organisation's responsibility is limited to getting these audited by a CERT-In empanelled information security auditing organisation.
The organisation owning the website contents may select any one of the CERT-In empanelled information security auditing organisations, in accordance with its own office rules, procedures and financial guidelines, to carry out the audit. The resulting information security audit report should clearly state that these web pages, including any backend database and scripts, are free of software vulnerabilities and malware (for example backdoors, viruses, spyware, botnet agents, rootkits, keyloggers and sniffers) that could be exploited to compromise the webserver system hosting the website or to gain unauthorised access to it with escalated privileges.