Public School Facilities Authority
Website Posting Policy
Posting Policy and Best Practices
IST is the owner/operator of PSFA public website technologies. IST requires staff who have authority to post materials ("Posters" or "Editors") to adhere to baseline best practices when posting content to PSFA public websites. "Public Websites" are those that are available to the public at large without the need for security authentication, i.e., "logging in". The purpose of this policy is to protect PSFA business Operational Property (OP) from misuse by the general public, which has free and unrestricted access to PSFA websites.
Policy
Posters are accountable for how material published for public consumption on PSFA public websites is or may be utilized. To help posters make informed decisions with respect to sensitive data, IST has produced best-practice guidelines which, when followed, will reduce the opportunity for fraud and abuse of otherwise public information.
Artifacts and PII
For purposes of this policy, "Artifacts" are documents posted to public websites. PII (Personally Identifiable Information) may be contained within artifacts, or simply published as content within the website itself.
Best Practices for Posting to Unrestricted Access Areas of Public Websites
- Artifacts should be posted as "PDF" files (static or fillable), and/or as "PNG" images. Never post documents written in MS Word, Excel, or PowerPoint, or any other modifiable format, even if password protected.
- Email addresses of persons (especially those in authority), including those of PSFA constituents, should be redacted from posted artifacts.
- PSFA email addresses should be removed from unrestricted areas; instead, a "Contact" form will be used to facilitate general public contact with specific staff members.
- Artifacts containing Purchase Order numbers, Contract Numbers, Account Numbers, Tax ID numbers, completed W-9 forms, etc. must be redacted.
- "Wet Ink" signatures shall have the signature obscured (redacted).
- Any artifact that cannot be secured should be considered for sharing using an alternate methodology (such as PSFAConnect).
- Presume that someone knows how to "hack" document artifacts. For instance, it requires less than a minute to "unprotect" a Microsoft Word document, and learning how is as simple as asking the Bing search engine:
Q: How do I remove the password from a Microsoft Word document?
A: To remove a password from a Microsoft Word document:
- Open the password-protected document in Microsoft Word. Click on "File" in the top-left corner of the screen. Click on "Protect Document" in the left-hand menu. Select "Encrypt with Password" from the drop-down menu. Delete the existing password from the "Password" field. Click "OK" to save the changes.
- If the document is protected by a password to allow modification, open the password-protected document in Microsoft Word. Click on "File" in the top-left corner of the screen. Click on "Save As" in the left-hand menu. Choose a new name for the file or leave the existing name. In the "Save as type" drop-down menu, select "Word Document (*.docx)". Click on the "Tools" button next to the "Save" button and select "General Options". Delete the password from the "Password to modify" field. Click "OK" to save the changes. Click "Save" to save the new file without password protection.
Grandfathering
IST, upon request of the document owner, will repost unsanitized artifacts and information on the public website until such time as the owner can complete sanitization. The document owner is accountable and responsible for that information and/or artifact and how it may be used by the general public.