Shared Responsibility Model
Hosting an application on the William & Mary platform is a collaborative partnership between W&M Information Technology and the application owner. To ensure a secure, reliable, and high-performing environment, both parties have distinct responsibilities regarding the infrastructure, application lifecycle, and security.
W&M IT Responsibilities (The Platform)
W&M IT provides the foundational infrastructure and platform services required to host your application securely. Our team is responsible for managing and maintaining the underlying systems, allowing you to focus on the application itself.
IT provides and manages the following:
- Infrastructure & Platform Uptime: Maintaining the servers, network connectivity, and underlying operating systems that host your application.
- Default Encryption: Ensuring standard encryption protocols are applied by default to protect data in transit and at rest.
- Automated Backups: Routine platform-level backups to facilitate disaster recovery and data continuity.
- Centralized Logging: Providing logging infrastructure to capture system and platform events for monitoring and troubleshooting.
- Security Tools: Deploying and maintaining platform-level security monitoring and defensive tools.
- Deployment Tools & Pipelines: Providing standard deployment pipelines and mechanisms for the W&M hosting environment, which may include integrated automated security scanning.
- Scaling Consultation: Providing guidance and architectural advice on how to best leverage platform resources to scale your application. However, IT does not rewrite, optimize, or modify custom application code.
Application Owner Responsibilities (The Application)
As the application owner, you maintain control over your specific software, data, and user access. You are expected to manage the application lifecycle and ensure it adheres to secure development and operational practices.
Application owners are responsible for:
- Application Scalability & Performance: Ensuring your application code and architecture are designed to handle concurrent users and increased load. Adding platform resources (CPU, memory) cannot resolve performance bottlenecks caused by algorithms or code that fundamentally do not scale beyond a single user.
- Application Patching & Maintenance: Promptly applying security patches, updates, and bug fixes to your application software, plugins, and libraries.
- Deployment Compliance & Vulnerability Remediation: Depending on your technology stack, you may be required to use IT-prescribed deployment mechanisms. These pipelines include pre-deployment security scans. Please note that known critical vulnerabilities detected during these scans will block your deployment. It is your responsibility to remediate these vulnerabilities before the deployment can proceed.
- Access Control & Authentication: Implementing strong authentication for all users. Integrating with W&M's Single Sign-On (SSO) services is highly preferred and recommended. We recognize that SSO integration isn't always feasible for every application; in those cases, alternative strong authentication mechanisms (e.g., multi-factor authentication, robust password policies) must be enforced.
- Custom Code Lifecycle: For custom-developed applications, ensuring the codebase, frameworks, and dependencies are actively maintained and kept reasonably up to date with current security standards.
- Application-Level Configuration: Managing your specific application settings, user roles, and data integrity.
- Website Accessibility: All university digital content and information and communication technologies (ICT) must be accessible to individuals with disabilities and must comply with applicable state and federal laws, as well as the Web Content Accessibility Guidelines (WCAG).
External APIs & Third-Party Integrations (Collaborative Responsibility)
Modern applications frequently rely on external services and APIs (e.g., AWS Services, Twilio, or AI platforms like Amazon Bedrock, OpenAI, and Anthropic). Because these services involve data leaving the W&M environment, managing them is a shared endeavor.
Even when utilizing "free" tiers of external services, coordination with W&M IT is required:
- Application Owner Role: Before integrating an external API, you must initiate a conversation with IT. You are responsible for identifying what data your application will send to the third party and ensuring sensitive W&M data is not transmitted without approval.
- W&M IT Role: IT will help you navigate these integrations safely. By coordinating with us, we can often leverage existing enterprise agreements that provide better pricing, enhanced support, and—most importantly—the necessary legal and data privacy protections that standard consumer tiers lack.
Security Incidents & Enforcement
Protecting the W&M community and the integrity of our network is our highest priority.
If W&M IT identifies a significant security risk, vulnerability, or active compromise associated with your application, we reserve the right to take immediate protective action. This may include temporarily restricting network access to the site or taking the application completely offline.
In the event of an intervention, IT will notify the application owner as soon as possible. The application will remain restricted until the underlying security issues have been fully remediated and verified.
Learn more about additional Information Security policies.