SharePoint Security - ARB Security Solutions
SharePoint Security Policy Templates : SharePoint Portal Backup/DRP Policy Template
Introduction - SharePoint Backup/DRP Policy
SharePoint backups are a business requirement to enable the recovery of SharePoint data and applications in the case of events such as natural disasters, system disk drive failures, espionage, data entry errors, or system operations errors.
Purpose
The purpose of the [SharePoint Portal Owning Organization] SharePoint Backup/DRP Policy is to establish the rules for the backup and storage of electronic [SharePoint Portal Owning Organization] information.
Audience
The [SharePoint Portal Owning Organization] Backup/DRP Policy applies to all individuals who are responsible for the installation of new SharePoint property, the operations of existing SharePoint property, and individuals charged with SharePoint security.
SharePoint Backup/DRP Policy
  • The frequency and extent of SharePoint backups must be in accordance with the importance of the information and the acceptable risk as determined by the data owner.
  • The [SharePoint Portal Owning Organization] SharePoint backup and recovery process for SharePoint must be documented and periodically reviewed.
  • The vendor(s) providing offsite SharePoint backup storage for [SharePoint Portal Owning Organization] must be cleared to handle the highest level of information stored.
  • Physical access controls implemented at offsite backup storage locations must meet or exceed the physical access controls of the source systems. Additionally, backup media must be protected in accordance with the highest [SharePoint Portal Owning Organization] sensitivity level of information stored.
  • A process must be implemented to verify the success of the [SharePoint Portal Owning Organization] SharePoint backup.
  • Backups must be periodically tested to ensure that they are recoverable.
  • Signature cards held by the offsite backup storage vendor(s) for access to [SharePoint Portal Owning Organization] backup media must be reviewed annually or when an authorized individual leaves [SharePoint Portal Owning Organization].
  • Procedures between [SharePoint Portal Owning Organization] and the offsite SharePoint backup storage vendor(s) must be reviewed at least annually.
  • Backup tapes must have at a minimum the following identifying criteria that can be readily identified by labels and/or a bar-coding system:
  1. System name
  2. Creation Date
  3. Sensitivity Classification [Based on applicable electronic record retention regulations.]
  4. [SharePoint Portal Owning Organization] Contact Information
SharePoint Backup/DRP Policy Supporting Information
  • Any data housed within SharePoint must be kept confidential and secure by the respective [SharePoint Portal Owning Organization] SharePoint user. The fact that the business data may be stored electronically (i.e. document library or SharePoint list) does not change the requirement to keep the information confidential and secure. The type of information or the information itself is the basis for determining whether the data must be kept confidential and secure. Furthermore, if this data is stored in a paper or electronic format, or if the data is copied, printed, or electronically transmitted, the data must still be protected as confidential and secured.
  • On termination of the relationship with the SharePoint user, all security policies for [SharePoint Portal Owning Organization] apply and remain in force, surviving the terminated relationship.
  • The department which requests and authorizes a SharePoint application (the site / application owner) must take the appropriate steps to ensure the integrity and security of all SharePoint Web Parts and application logic, as well as data files created by, or acquired for, SharePoint applications. To ensure a proper segregation of duties, owner responsibilities cannot be delegated to the SharePoint server custodian.
  • The integrity of [SharePoint Portal Owning Organization] SharePoint software, utilities, operating systems, networks, and respective data files is the responsibility of the server custodian department. Data for test and research purposes must be de-personalized prior to release to testers unless each individual involved in the testing has authorized access to the SharePoint data.
  • [SharePoint Portal Owning Organization] server custodian departments must provide adequate access controls in order to monitor SharePoint systems to protect business data and associated programs from misuse in accordance with the needs defined by owner departments. All SharePoint access must be properly documented, authorized and controlled, following [SharePoint Portal Owning Organization] standardized processes.
  • All [SharePoint Portal Owning Organization] departments must carefully assess the risk of unauthorized alteration, unauthorized disclosure, or loss of the data within the [SharePoint Portal Owning Organization] SharePoint environment for which they are responsible and ensure, through the use of monitoring mechanisms, that [SharePoint Portal Owning Organization] is protected from damage, monetary or otherwise. SharePoint owners and server custodian departments must have appropriate backup and contingency plans for disaster recovery based on risk assessment and business requirements.
  • All SharePoint contracts, leases, licenses, consulting arrangements or other agreements must be authorized and signed by an authorized [SharePoint Portal Owning Organization] officer and must contain terms approved as to form by the Legal Department, advising vendors of [SharePoint Portal Owning Organization]'s retained proprietary rights and acquired rights with respect to its information systems, programs, and data requirements for SharePoint security, including SQL data maintenance and return.
  • [SharePoint Portal Owning Organization] SharePoint implementation(s) and/or associated equipment used for [SharePoint Portal Owning Organization] SharePoint implementations that are conducted and managed outside of [SharePoint Portal Owning Organization] control must meet contractual requirements and be subject to monitoring by appropriate SharePoint administrators as well as other parties.
Disciplinary Actions
Violation of this policy may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of [SharePoint Portal Owning Organization] SharePoint access privileges, and to civil and criminal prosecution.
Compliance / Regulation Contributed to by this Policy
  • Copyright Act of 1976
  • Foreign Corrupt Practices Act of 1977
  • Computer Fraud and Abuse Act of 1986
  • Computer Security Act of 1987
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA)


Any Templates Provided On This Site Are Provided Without Warranty Or Implication. To Brand The Template(s) Replace The [SharePoint Portal Server Owning Organization] With Your Company Name


 
© 2006 ARB Security Solutions, LLC
ARB Security Solutions is not affiliated with or endorsed by Microsoft Corporation.
SharePoint is a trademark of Microsoft Corporation.