| Introduction - SharePoint Vendor Access Policy |
From time to time, different vendors, including Microsoft, will play an
important role in the support of hardware and software of the SharePoint
implementation, providing vital operations knowledge and consulting. Vendors
assigned to work with the SharePoint implementation will be allowed to view,
copy and modify data and audit logs; correct software and operating system
problems; monitor and fine-tune system performance; monitor hardware
performance and errors; modify environmental systems; and reset alarm
thresholds. Setting limits and controls on what can be seen, copied,
modified, and controlled by vendors will eliminate or reduce the risk of loss of
revenue, liability, loss of trust, and embarrassment to [SharePoint Portal
Owning Organization]. |
| Purpose |
The purpose of the [SharePoint Portal Owning Organization] SharePoint Vendor
Access Policy is to establish the rules for vendor access to [SharePoint Portal
Owning Organization] SharePoint resources and support services (A/C, UPS, PDU,
fire suppression, etc.), vendor responsibilities, and protection of [SharePoint
Portal Owning Organization] information. |
| Audience |
The [SharePoint Portal Owning Organization] SharePoint Vendor Access Policy
applies to all individuals that are responsible for the installation of new
SharePoint assets, and the operations and maintenance of existing SharePoint
resources and who do or may allow vendor access for maintenance, monitoring and
troubleshooting purposes. |
| SharePoint Server Vendor Access Policy |
Vendors must comply with all applicable [SharePoint Portal Owning
Organization] policies, practice standards and agreements, including, but not
limited to:
- Safety Policies
- Privacy Policies
- Security Policies
- Auditing Policies
- Software Licensing Policies
- Acceptable Use Policies
Vendor agreements and contracts must specify:
- The [SharePoint Portal Owning Organization] information the vendor should have
access to
- How [SharePoint Portal Owning Organization] information is to be protected by
the vendor
- Acceptable methods for the return, destruction or disposal of [SharePoint Portal
Owning Organization] information in the vendor’s possession at the end of the
contract
- The Vendor must only use [SharePoint Portal Owning Organization] information and
SharePoint resources for the purpose of the business agreement
- Any other [SharePoint Portal Owning Organization] information acquired by the
vendor in the course of the contract cannot be used for the vendor’s own
purposes or divulged to others
- [SharePoint Portal Owning Organization] will provide an [SharePoint Portal
Owning Division] point of contact for the Vendor. The point of contact will work
with the Vendor to make certain the Vendor is in compliance with these policies.
- Each vendor must provide [SharePoint Portal Owning Organization] with a list of
all employees working on the SharePoint contract. The list must be updated and
provided to [SharePoint Portal Owning Organization] within 24 hours of staff
changes.
- Each on-site vendor employee must acquire a [SharePoint Portal Owning
Organization] identification badge that will be displayed at all times while on
[SharePoint Portal Owning Organization] premises. The badge must be returned to
[SharePoint Portal Owning Organization] when the employee leaves the contract or
at the end of the contract.
- Each vendor employee with access to [SharePoint Portal Owning Organization]
sensitive information must be cleared to handle that information.
- Vendor personnel must report all security incidents directly to the appropriate
[SharePoint Portal Owning Organization] personnel.
- If vendor management is involved in [SharePoint Portal Owning Organization]
security incident management, the responsibilities and details must be specified
in the contract.
- Vendor must follow all applicable [SharePoint Portal Owning Organization] change
control processes and procedures.
- Regular work hours and duties will be defined in the contract. Work outside of
defined parameters must be approved in writing by appropriate [SharePoint Portal
Owning Organization] management.
|
| SharePoint Server Vendor Access Policy Supporting Information |
- Any and all [SharePoint Portal Owning Organization] SharePoint security
controls must not be bypassed or disabled.
- SharePoint Security awareness by [SharePoint Portal Owning Organization]
personnel must be continually emphasized, reinforced, updated and validated.
- All [SharePoint Portal Owning Organization] SharePoint users are
responsible for managing their use of SharePoint and are accountable for
their actions relating to SharePoint security. Users are also equally
responsible for reporting any suspected or confirmed violations of this
policy to the appropriate management responsible for SharePoint security
incident handling.
- User SharePoint account passwords shall be protected by the individual
user from use by, or disclosure to, any other individual or organization.
All security violations shall be reported to the respective SharePoint security
incident handling management.
- Access to, change to, and use of the SharePoint Account Management Policy
must be strictly secured. SharePoint information access authority for each
user must be reviewed on a regular basis, as well as at each job status change
such as a transfer, promotion, demotion, or termination of service.
- The use of SharePoint must be for officially authorized business
purposes only. There is no guarantee of personal privacy or access to tools
such as, but not limited to: SharePoint areas, WSS team sites, any and all
collaboration and communication functionality, and any sister server
integrations (i.e. integrated Microsoft Exchange environments). The use of
SharePoint and SharePoint-related tools may be monitored to fulfill
complaint or investigation requirements, including forensic analysis of
IDS or other security systems. Departments responsible for custody and
operations of the SharePoint servers (custodian departments) shall be
responsible for proper authorization of SharePoint server utilization, the
establishment of effective use, and reporting of performance to management.
- Any data housed within SharePoint must be kept confidential and secure
by the respective [SharePoint Portal Owning Organization] SharePoint user.
The fact that the business data may be stored electronically (i.e. document
library or SharePoint list) does not change the requirement to keep the
information confidential and secure. The type of information or the
information itself is the basis for determining whether the data must be
kept confidential and secure. Furthermore, if this data is stored in a paper
or electronic format, or if the data is copied, printed, or electronically
transmitted, the data must still be protected as confidential and secured.
- On termination of the relationship with the SharePoint user, all security
policies for [SharePoint Portal Owning Organization] apply and remain in
force, surviving the terminated relationship.
- [SharePoint Portal Owning Organization] server custodian departments
must provide adequate access controls in order to monitor SharePoint systems
to protect business data and associated programs from misuse in accordance
with the needs defined by owner departments. All SharePoint access must be
properly documented, authorized and controlled, following [SharePoint Portal
Owning Organization] standardized processes.
- All [SharePoint Portal Owning Organization] departments must carefully
assess the risk of unauthorized alteration, unauthorized disclosure, or loss
of the data within the [SharePoint Portal Owning Organization] SharePoint
environment for which they are responsible and ensure, through the use of
monitoring mechanisms, that [SharePoint Portal Owning Organization] is
protected from damage, monetary or otherwise. SharePoint owners and server
custodian departments must have appropriate backup and contingency plans for
disaster recovery based on risk assessment and business requirements.
|
| Disciplinary Actions |
Violation of this policy may result in disciplinary action, which may
include termination for employees and temporaries; a termination of
employment relations in the case of contractors or consultants;
dismissal for interns and volunteers; or suspension or expulsion in the
case of a student. Additionally, individuals are subject to loss of [SharePoint
Portal Owning Organization] SharePoint access privileges, and to civil and
criminal prosecution. |
| Compliance / Regulation Contributed to by this Policy |
- Copyright Act of 1976
- Foreign Corrupt Practices Act of 1977
- Computer Fraud and Abuse Act of 1986
- Computer Security Act of 1987
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
|
Any Templates Provided On This Site Are Provided Without Warranty Or Implication. To Brand The Template(s) Replace The [SharePoint Portal Server Owning Organization] With Your Company Name