Introduction - SharePoint Server Hardening Policy
SharePoint servers are depended upon to deliver business data in a secure,
reliable fashion. There must be assurance that data integrity, confidentiality
and availability are maintained. One of the required steps to attain this
assurance is to ensure that the SharePoint servers are installed and maintained
in a manner that prevents unauthorized access, unauthorized use, and disruptions
in service.

Purpose
The purpose of the [SharePoint Portal Owning Organization] SharePoint Server
Hardening Policy is to describe the requirements for installing a new SharePoint
server (whether front-end web, job, index, or database) in a secure fashion and
for maintaining the security integrity of the existing SharePoint servers and
application software, both standard and purchased components.

Audience
The [SharePoint Portal Owning Organization] Server Hardening Policy applies
to all individuals who are responsible for the installation of new SharePoint
property, the operation of existing SharePoint property, and individuals
charged with SharePoint security.

SharePoint Server Hardening Policy
- A server must not be connected to the [SharePoint Portal Owning
Organization] network until it is in a [SharePoint Portal Owning
Organization] accredited secure state and the network connection is approved
by [SharePoint Portal Owning Organization].
- The SharePoint Server Hardening Procedure provides the detailed
information required to harden a SharePoint server and must be implemented
for [SharePoint Portal Owning Organization] accreditation. Some of the
general steps included in the SharePoint Server Hardening Procedure are:
  - Installing the Windows server operating system from a [SharePoint Portal
  Owning Organization] approved source
  - Applying Microsoft SharePoint and other relevant supplied patches, service
  packs, and hotfixes
  - Removing unnecessary software, system services, and drivers
  - Setting security parameters and file protections, and enabling audit logging
  - Disabling, or changing the password of, default accounts
- [SharePoint Portal Owning Organization] will monitor security issues, both
internal to [SharePoint Portal Owning Organization] and externally, and will
manage the release of security patches on behalf of [SharePoint Portal
Owning Organization].
- [SharePoint Portal Owning Organization] SharePoint administrators will test
security patches against [SharePoint Portal Owning Organization] core
resources before release where practical.
- [SharePoint Portal Owning Organization] may make hardware resources
available for testing security patches in the case of special SharePoint
applications and updates.
- Security patches must be implemented within the specified timeframe of
notification from [SharePoint Portal Owning Organization].

SharePoint Server Hardening Policy Supporting Information
- All SharePoint software programs, SharePoint applications, Web Part /
Application source code, Web Part / Application object code, documentation
and general operational data shall be guarded and protected as if it were [SharePoint
Portal Owning Organization] property.
- The department which requests and authorizes a SharePoint application
(the site / application owner) must take the appropriate steps to ensure the
integrity and security of all SharePoint Web Parts and application logic, as
well as data files created by, or acquired for, SharePoint applications. To
ensure a proper segregation of duties, owner responsibilities cannot be
delegated to the SharePoint server custodian.
- The [SharePoint Portal Owning Organization] SharePoint network is owned
and controlled by [SharePoint Portal Owning Organization]. Approval must be
obtained from [SharePoint Portal Owning Organization] before connecting a
device that does not comply with published guidelines to the network. [SharePoint
Portal Owning Organization] reserves the right to remove any network device
that does not comply with standards or is not considered to be adequately
secure.
- [SharePoint Portal Owning Organization] server custodian departments
must provide adequate access controls in order to monitor SharePoint systems
to protect business data and associated programs from misuse in accordance
with the needs defined by owner departments. All SharePoint access must be
properly documented, authorized and controlled, following [SharePoint Portal
Owning Organization] standardized processes.
- All [SharePoint Portal Owning Organization] departments must carefully
assess the risk of unauthorized alteration, unauthorized disclosure, or loss
of the data within the [SharePoint Portal Owning Organization] SharePoint
environment for which they are responsible and ensure, through the use of
monitoring mechanisms, that [SharePoint Portal Owning Organization] is
protected from damage, monetary or otherwise. SharePoint owners and server
custodian departments must have appropriate backup and contingency plans for
disaster recovery based on risk assessment and business requirements.

Disciplinary Actions
Violation of this policy may result in disciplinary action, which may
include termination for employees and temporaries; termination of the
employment relationship in the case of contractors or consultants;
dismissal for interns and volunteers; or suspension or expulsion in the
case of a student. Additionally, individuals are subject to loss of [SharePoint
Portal Owning Organization] SharePoint access privileges, and to civil and
criminal prosecution.

Compliance / Regulation Contributed to by this Policy
- Copyright Act of 1976
- Foreign Corrupt Practices Act of 1977
- Computer Fraud and Abuse Act of 1986
- Computer Security Act of 1987
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Any templates provided on this site are provided without warranty or implication. To brand the template(s), replace [SharePoint Portal Server Owning Organization] with your company name.