Website Security

Secure Development and Hosting

Websites must be available, reliable and secure. It is therefore very important that Bayer takes all necessary steps in order to ensure the security and integrity of information being distributed on websites. This means that:

  • the website cannot be “hacked” and its content or data compromised by third parties.
  • visitors to a website are not at risk simply by visiting it.
  • business interests are not compromised by unreliable hosting.

As detailed in the procedure "Web Hosting" (Bayer intranet only), websites must be developed by Certified Development Agencies. Websites must either be hosted on Bayer's own infrastructure or with one of the approved hosting providers. Any exceptions to these requirements must be agreed via the exception request described in the aforementioned procedure.

When working with an external partner for developing or hosting a website, you must ensure that the agency or provider agrees to at least the following:

  • Hosting complies with the directive "IT Security for Bayer-managed IT" (Bayer intranet only) and related regulations.
  • Implement service level and maintenance agreements corresponding to business needs.
  • Carry out a risk analysis and provide a plan for risk minimization.
  • Comply with Bayer’s data protection policy.
  • Bayer retains all rights to the information hosted by the company.
  • Allow website security scans to be performed by Bayer.

Every Bayer website must have a named technical contact, the “webmaster,” who is responsible for the website's development and can coordinate with the security officers to facilitate security scans or to respond in the event of a threat. The administrative details for all Bayer websites must be managed using MIRA (Bayer intranet only).


Approved Hosting Providers

The Procurement Department maintains a list of approved hosting providers. All such providers have signed general contracts ensuring that the services they provide meet Bayer's requirements for secure hosting. Using an approved hosting provider is generally quicker and cheaper than using a non-approved provider, because the necessary checks have already taken place. However, any website that is not hosted on Bayer’s own infrastructure will require an exception as detailed above.

Approved Hosting Providers (Bayer intranet only)

Content Delivery Network

A content delivery network (CDN) consists of many external web servers around the world, which cache website content. The CDN adds several layers of security to our websites:

  1. The network itself shields Bayer websites from DDoS (distributed denial of service) attacks.
  2. Websites hosted on a standard content management system have an additional layer of protection called "Site Shield." This ensures that only Akamai servers talk to Bayer’s servers and vice versa, so direct attacks on the Bayer servers themselves are not possible.
  3. A managed service team runs a Web Application Firewall (WAF) in close collaboration with the Bayer security teams (CCDC). The firewall offers additional defense against web application attacks such as:
     • Malicious file execution, where attackers exploit a remote file inclusion vulnerability in the application to introduce hostile data and code.
     • SQL injection, where web applications and databases are overwhelmed or infiltrated by bogus database queries.
     • Cross-site scripting (XSS), where attackers use vulnerabilities to execute scripts with the user’s credentials.
     • Non-HTTP/HTTPS attacks.
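As an added illustration of the Site Shield idea described above (example code, not Bayer's or Akamai's own), the origin server can itself enforce that it only accepts connections whose TCP peer address lies in the CDN's published edge ranges, so a request that bypasses the CDN and its WAF is rejected rather than served. The edge ranges and request records below are constructed placeholders, not real Akamai ranges.

```python
"""Origin-side enforcement of a CDN "Site Shield" allowlist.

Only the TCP peer address is trusted for this decision; X-Forwarded-For is
client-supplied and can be spoofed, so it is deliberately ignored.
"""
import ipaddress

# Constructed placeholder ranges (RFC 5737 / RFC 3849 documentation space)
# standing in for the CDN's published edge ranges.
CDN_EDGE_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:10::/48"),
]


def is_from_cdn(remote_ip: str, ranges=CDN_EDGE_RANGES) -> bool:
    """Return True if the peer address lies in one of the CDN edge ranges.

    Malformed addresses are rejected rather than raising, so a bad value can
    never fall through to an "accept" path.
    """
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False
    # 'in' is False across IPv4/IPv6 families, so mixed lists are safe.
    return any(addr in net for net in ranges)


def filter_requests(requests, ranges=CDN_EDGE_RANGES):
    """Split request records into (accepted_ids, rejected_ids) by peer address."""
    accepted, rejected = [], []
    for req in requests:
        (accepted if is_from_cdn(req["peer"], ranges) else rejected).append(req["id"])
    return accepted, rejected


# Constructed sample connections: "peer" is what the origin's TCP stack saw,
# "xff" is whatever X-Forwarded-For header the request carried.
SAMPLE_REQUESTS = [
    {"id": "r1", "peer": "203.0.113.17", "xff": "198.51.100.5"},  # via CDN
    {"id": "r2", "peer": "198.51.100.5", "xff": "203.0.113.17"},  # direct hit, spoofed XFF
    {"id": "r3", "peer": "2001:db8:10::1", "xff": "-"},           # via CDN over IPv6
    {"id": "r4", "peer": "not-an-ip", "xff": "-"},                # malformed peer value
]

if __name__ == "__main__":
    ok, blocked = filter_requests(SAMPLE_REQUESTS)
    print("accepted:", ok)       # accepted: ['r1', 'r3']
    print("rejected:", blocked)  # rejected: ['r2', 'r4']
```

In a real deployment the same check belongs at the network layer (host or cloud firewall) as well as in the application, and the range list must be refreshed from the CDN provider's published source whenever it changes.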

 

Security Scans

WebsiteSecurity is an initiative by which Bayer attempts to objectively assess the vulnerabilities of its internet websites. Given the ever-increasing importance of the internet, the possible risks associated with such vulnerabilities are ongoing and increasing.

To be effective, WebsiteSecurity must actively scan for known vulnerabilities. Hosting companies must therefore understand the nature of the scans and agree for them to be carried out. Website owners must make sure that their providers are aware of this requirement and agree to allow scans to be carried out by signing a Penetration Test Agreement with Bayer.


Procedure

WebsiteSecurity scans are carried out on a regular basis, and hosting companies are informed in advance when a scan is scheduled. They are also required to assign a contact person who can liaise with the Corporate Cyber Defense Center (CCDC) in the case of problems.

Website owners and webmasters are subsequently informed by the CCDC of any possible issues, including the root cause, possible consequences and necessary changes. It is expected that any changes that must be made as a result of the scans will be made without charge. A prompt reaction to any findings by WebsiteSecurity is important for the security of the relevant website.

The results of all tests and subsequent actions are collated and maintained within a database and reported to the CIO Office and the relevant security officer.


SSL Certificates

This form is for applying for certificates for internet sites only. If you require an SSL certificate for the intranet then please use the IT Service Portal.

In its privacy statement, Bayer commits to guaranteeing the security of user data on Bayer websites against accidental or deliberate manipulation, loss, destruction or access by unauthorized persons. This applies to transaction sites or websites with, for example, login pages, contact forms, registration pages for newsletters or order pages.

An SSL (Secure Sockets Layer) certificate should be used, and in the case of passwords and login details must be used, to ensure safe communication of personal details. The use of SSL is indicated by an “https” in the address bar and a closed padlock icon in the status bar of the browser.

Please verify your certificate using the online checker and use the form below to order or renew SSL certificates, or to ask questions about them.


Order or renew SSL certificates