Category Archives: SharePoint Security Templates

SharePoint Virus Detection Policy Template

This file was edited for correctness by Edgardo Gonzalez of PRSL.

Introduction – SharePoint Virus Policy Template The number of SharePoint security incidents and the resulting cost of business disruption and service restoration continues to escalate. Implementing solid SharePoint security policies, blocking unnecessary access to networks and computers, improving user security awareness, and early detection and mitigation of security incidents are some of the actions that can be taken to reduce the risk and drive down the cost of SharePoint security incidents.
Purpose The purpose of the [Organization] SharePoint Virus Policy is to to describe the requirements for dealing with computer virus, worm and Trojan Horse prevention, detection and cleanup.
Audience The [Organization] SharePoint Virus Policy applies equally to all individuals who use any [Organization] SharePoint resource.
SharePoint Virus Policy Definitions
  • Virus: A program that attaches itself to an executable file or vulnerable application and delivers a payload that ranges from annoying to extremely destructive. A file virus executes when an infected file is accessed. A macro virus infects the executable code embedded in Microsoft Office programs that allows users to generate macros.
  • Trojan Horse: Destructive programs-usually viruses or worms-that are hidden in an attractive or innocent-looking piece of software, such as a game or graphics program. Victims may receive a Trojan horse program by e-mail or on a diskette, often from another unknowing victim, or may be urged to download a file from a Web site or bulletin board.
  • Worm: A program that makes copies of itself elsewhere in a computing system. These copies may be created on the same computer or may be sent over networks to other computers. The first use of the term described a program that copied itself benignly around a network, using otherwise-unused resources on networked machines to perform distributed computation. Some worms are security threats, using networks to spread themselves against the wishes of the system owners and disrupting networks by overloading them. A worm is imilar to a virus in that it makes copies of itself, but different in that it need not attach to particular files or sectors at all.
SharePoint Virus Policy
  • All workstations whether connected to the [Organization] SharePoint network, or standalone, must use the [Organization] approved virus protection software and configuration.
  • The virus protection software must not be disabled or bypassed.
  • The settings for the virus protection software must not be altered in a manner that will reduce the effectiveness of the software.
  • The automatic update frequency of the virus protection software must not be altered to reduce the frequency of updates.
  • Each file server attached to the [Organization] network must utilize [Organization] approved virus protection software and setup to detect and clean viruses that may infect file shares. It must be appropriately audited to ensure that viruses have no means to channel into SharePoint.
  • Each Exchange gateway must utilize [Organization] approved e-mail virus protection software and must adhere to the IS rules for the setup and use of this software.
  • Every virus that is not automatically cleaned by the virus protection software constitutes a security incident and must be reported to the [Organization] Help Desk.
SharePoint Portal Password Policy Supporting Information
  • Any and all [Organization] SharePoint security controls must not be bypassed or disabled.
  • All [Organization] SharePoint users are responsible for managing their use of SharePoint and are accountable for their actions relating to SharePoint security. Users are also equally responsible for reporting any suspected or confirmed violations of this policy to the appropriate management responsible for SharePoint security incident handling.
  • The use of SharePoint must be for officially authorized business purposes only. There is no guarantee of personal privacy or access to tools such as, but not limited to; SharePoint areas, WSS team sites, any and all collaboration and communication functionality, and any sister sever integrations (i.e. integrated Microsoft Exchange environments). The use of Sharepoint and SharePoint related tools may be monitored to fulfill complaint or investigation requirements, including forensic an analysis into IDS or other security systems. Departments responsible for custody and operations of the SharePoint servers (custodian departments) shall be responsible for proper authorization of SharePoint server utilization, the establishment of effective use, and reporting of performance to management.
  • Any data housed within SharePoint must be kept confidential and secure by the respectful [Organization] SharePoint user. The fact that the business data may be stored electronically (i.e. document library or SharePoint list) does not change the requirement to keep the information confidential and secure. The type of information or the information itself is the basis for determining whether the data must be kept confidential and secure. Furthermore if this data is stored in a paper or electronic format, or if the data is copied, printed, or electronically transmitted the data must still be protected as confidential and secured.
  • [Organization] server custodian departments must provide adequate access controls in order to monitor SharePoint systems to protect business data and associated programs from misuse in accordance with the needs defined by owner departments. All SharePoint access must be properly documented, authorized and controlled, following [Organization] standardized processes.
  • All commercial SharePoint software used in [Organization]’s SharePoint environment (i.e. Web Parts) must be supported by a software license agreement that specifically describes the usage rights and restrictions of the product. SharePoint users must abide by all license agreements and must not illegally copy licensed software. [Organization] reserves the right to remove any unlicensed software from the SharePoint environment.
  • [Organization] reserves the right to remove any non-business related SharePoint software or files from the SharePoint environment.
Disciplinary Actions Violation of this policy may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of [Organization] SharePoint access privileges, civil, and criminal prosecution.
Compliance / Regulation Contributed to by this Policy
  • Copyright Act of 1976
  • Foreign Corrupt Practices Act of 1977
  • Computer Fraud and Abuse Act of 1986
  • Computer Security Act of 1987
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Share

SharePoint Incident Management Policy Template

Introduction – SharePoint Incident Management Policy The number of SharePoint security incidents and the resulting cost of business disruption and service restoration continue to escalate. Implementing solid SharePoint security policies, blocking unnecessary access to networks and computers, improving [Organization] user security awareness, and early detection and mitigation of security incidents are some the actions that can be taken to reduce the risk and drive down the cost of security incidents.
Purpose This [Organization] SharePoint Incident Management Policy describes the requirements for dealing with SharePoint security incidents. SharePoint security incidents include, but are not limited to: virus, worm, and Trojan horse detection, unauthorized use of computer accounts and SharePoint systems, as well as complaints of improper use of SharePoint resources.
Audience The [Organization] SharePoint Incident Management Policy applies equally to all individuals that use any [Organization] SharePoint resources.
SharePoint Incident Management Policy
  • [Organization] [every organization should have a committee to handle security incidents, enter that name here] members have pre-defined roles and responsibilities which can take priority over normal duties.
  • Whenever a SharePoint security incident occurs, such as a virus, worm, hoax email, discovery of hacking tools, altered data, etc. is suspected or confirmed, the appropriate, documented SharePoint incident management procedures must be followed.
  • The [Organization] SharePoint administratior and user community is responsible for notifying the [SharePoint Portal Owning Organization / Incident Handling Unit labeled above] whom initiates the appropriate incident management action including restoration as defined by [SharePoint Portal Owning Organization / Incident Handling Unit labeled above].
  • The [SharePoint Portal Owning Organization / Incident Handling Unit labeled above] is responsible for determining the physical and electronic evidence to be gathered as part of the Incident Investigation. This can involve the investigation of several servers, including the ISA or other machines in between the client and afflicted system.
  • The appropriate SharePoint and Systems Technical Resources from the [SharePoint Portal Owning Organization / Incident Handling Unit labeled above] are responsible for monitoring that any damage from a security incident is repaired or mitigated and that the vulnerability is eliminated or minimized where possible.
  • The [SharePoint Portal Owning Organization / Incident Handling Unit labeled above] will determine if a widespread [Organization] communication is required, the content of the communication, and how best to distribute the communication.
  • The appropriate technical resources from the [SharePoint Portal Owning Organization / Incident Handling Unit labeled above] are responsible for communicating new issues or vulnerabilities to Microsoft (SharePoint vendor) and working with the vendor to eliminate or mitigate the vulnerability.
  • The [SharePoint Portal Owning Organization / Incident Handling Unit labeled above] is responsible for initiating, completing, and documenting the incident investigation.
  • The ISO is responsible for coordinating communications with outside organizations and law enforcement.
  • In the case where law enforcement is not involved, the [SharePoint Portal Owning Organization / Incident Handling Unit labeled above] will recommend disciplinary actions.
  • In the case where law enforcement is involved, the [SharePoint Portal Owning Organization / Incident Handling Unit labeled above] will act as the liaison between law enforcement and [Organization].
SharePoint Incident Management Policy Supporting Information
  • All [Organization] SharePoint users are responsible for managing their use of SharePoint and are accountable for their actions relating to SharePoint security. Users are also equally responsible for reporting any suspected or confirmed violations of this policy to the appropriate management responsible for SharePoint security incident handling.
  • The use of SharePoint must be for officially authorized business purposes only. There is no guarantee of personal privacy or access to tools such as, but not limited to; SharePoint areas, WSS team sites, any and all collaboration and communication functionality, and any sister sever integrations (i.e. integrated Microsoft Exchange environments). The use of Sharepoint and SharePoint related tools may be monitored to fulfill complaint or investigation requirements, including forensic an analysis into IDS or other security systems. Departments responsible for custody and operations of the SharePoint servers (custodian departments) shall be responsible for proper authorization of SharePoint server utilization, the establishment of effective use, and reporting of performance to management.
  • Any data housed within SharePoint must be kept confidential and secure by the respectful [Organization] SharePoint user. The fact that the business data may be stored electronically (i.e. document library or SharePoint list) does not change the requirement to keep the information confidential and secure. The type of information or the information itself is the basis for determining whether the data must be kept confidential and secure. Furthermore if this data is stored in a paper or electronic format, or if the data is copied, printed, or electronically transmitted the data must still be protected as confidential and secured.
  • [Organization] server custodian departments must provide adequate access controls in order to monitor SharePoint systems to protect business data and associated programs from misuse in accordance with the needs defined by owner departments. All SharePoint access must be properly documented, authorized and controlled, following [Organization] standardized processes.
  • All commercial SharePoint software used in [Organization]’s SharePoint environment (i.e. Web Parts) must be supported by a software license agreement that specifically describes the usage rights and restrictions of the product. SharePoint users must abide by all license agreements and must not illegally copy licensed software. [Organization] reserves the right to remove any unlicensed software from the SharePoint environment.
  • [Organization] reserves the right to remove any non-business related SharePoint software or files from the SharePoint environment.
Disciplinary Actions Violation of this policy may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of [Organization] SharePoint access privileges, civil, and criminal prosecution.
Compliance / Regulation Contributed to by this Policy
  • Copyright Act of 1976
  • Foreign Corrupt Practices Act of 1977
  • Computer Fraud and Abuse Act of 1986
  • Computer Security Act of 1987
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Share

SharePoint Intrusion Detection Policy Template

Introduction – SharePoint Intrusion Detection Policy Intrusion detection plays an important role in implementing and enforcing a SharePoint organizational security policy. As SharePoint grows in complexity, effective security measures must evolve.
Purpose SharePoint-aware intrusion detection provides two important functions in protecting the SharePoint environment:

  • Feedback: Information as to the effectiveness of the IDS and associated components. If a robust and effective IDS is in place, the lack of detected intrusions is an indication that other defenses are working.
  • Trigger: a mechanism that determines when to activate planned responses to an intrusion incident.
Audience The [Organization] SharePoint Intrusion Detection Policy applies to all individuals that are responsible for the installation of new SharePoint resources, the operations of existing SharePoint resources, and individuals charged with SharePoint resources security.
SharePoint Intrusion Detection Policy
  • Operating system, user accounting, and application software audit logging processes should be enabled on all host and server systems for internal customers.
  • Alarm and IDS alert functions of backbone firewalls and other network perimeter access control systems must be enabled, and monitored by the SharePoint administrator.
  • Audit logging of any firewalls and other network perimeter access control that may lead or display business data from the SharePoint environment must be enabled.
  • Audit logs from the perimeter access control systems must be monitored/reviewed daily by the SharePoint administrator.
  • System integrity checks of the firewalls and other network perimeter access control systems must be performed on a routine basis.
    Audit logs for servers and hosts on the internal, protected, network must be reviewed on a weekly basis. The SharePoint administrator will furnish any audit logs as requested by [Organization] management.
  • Host based intrusion tools will be checked on a routine.
  • All trouble reports should be reviewed for symptoms that might indicate intrusive activity.
  • All suspected and/or confirmed instances of successful and/or attempted intrusions into the SharePoint environment must be immediately reported according to the Incident Management Policy.
  • Users shall be trained to report any anomalies in system performance and signs of wrongdoing to the [Organization] Help Desk.
SharePoint Intrusion Detection Policy Supporting Information
  • Any and all [Organization] SharePoint security controls must not be bypassed or disabled.
  • All [Organization] SharePoint users are responsible for managing their use of SharePoint and are accountable for their actions relating to SharePoint security. Users are also equally responsible for reporting any suspected or confirmed violations of this policy to the appropriate management responsible for SharePoint security incident handling.
  • The integrity of [Organization] SharePoint software, utilities, operating systems, networks, and respective data files are the responsibility of the server custodian department. Data for test and research purposes must be de-personalized prior to release to testers unless each individual involved in the testing has authorized access to the SharePoint data.
  • [Organization] server custodian departments must provide adequate access controls in order to monitor SharePoint systems to protect business data and associated programs from misuse in accordance with the needs defined by owner departments. All SharePoint access must be properly documented, authorized and controlled, following [Organization] standardized processes.
  • All [Organization] departments must carefully assess the risk of unauthorized alteration, unauthorized disclosure, or loss of the data within the [Organization] SharePoint environment for which they are responsible and ensure, through the use of monitoring mechanisms such that [Organization] is protected from damage, monetary or otherwise. SharePoint owners and server custodian departments must have appropriate backup and contingency plans for disaster recovery based on risk assessment and business requirements.
Disciplinary Actions Violation of this policy may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of [Organization] SharePoint access privileges, civil, and criminal prosecution.
Compliance / Regulation Contributed to by this Policy
  • Copyright Act of 1976
  • Foreign Corrupt Practices Act of 1977
  • Computer Fraud and Abuse Act of 1986
  • Computer Security Act of 1987
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Share