SharePoint Backup/DRP Policy Template

Introduction – SharePoint Backup/DRP Policy
SharePoint backups are a business requirement to enable the recovery of SharePoint data and applications in the case of events such as natural disasters, system disk drive failures, espionage, data entry errors, or system operations errors.
Purpose
The purpose of the [Organization] SharePoint Backup/DRP Policy is to establish the rules for the backup and storage of electronic [Organization] information.
Audience
The [Organization] SharePoint Backup/DRP Policy applies to all individuals who are responsible for the installation of new SharePoint property, the operation of existing SharePoint property, and individuals charged with SharePoint security.
SharePoint Backup/DRP Policy
  • The frequency and extent of SharePoint backups must be in accordance with the importance of the information and the acceptable risk as determined by the data owner.
  • The [Organization] SharePoint backup and recovery process for SharePoint must be documented and periodically reviewed.
  • The vendor(s) providing offsite SharePoint backup storage for [Organization] must be cleared to handle the highest level of information stored.
  • Physical access controls implemented at offsite backup storage locations must meet or exceed the physical access controls of the source systems. Additionally, backup media must be protected in accordance with the highest [Organization] sensitivity level of information stored.
  • A process must be implemented to verify the success of the [Organization] SharePoint backup.
  • Backups must be periodically tested to ensure that they are recoverable.
  • Signature cards held by the offsite backup storage vendor(s) for access to [Organization] backup media must be reviewed annually or when an authorized individual leaves [Organization].
  • Procedures between [Organization] and the offsite SharePoint backup storage vendor(s) must be reviewed at least annually.
  • Backup tapes must have at a minimum the following identifying criteria, readily identifiable by labels and/or a bar-coding system:
    1. System name
    2. Creation date
    3. Sensitivity classification [based on applicable electronic record retention regulations]
    4. [Organization] contact information

SharePoint Backup/DRP Policy Supporting Information
  • Any data housed within SharePoint must be kept confidential and secure by the respective [Organization] SharePoint user. The fact that the business data may be stored electronically (e.g. in a document library or SharePoint list) does not change the requirement to keep the information confidential and secure. The type of information, or the information itself, is the basis for determining whether the data must be kept confidential and secure. Furthermore, whether this data is stored in a paper or electronic format, or is copied, printed, or electronically transmitted, the data must still be protected as confidential and secured.
  • On termination of the relationship with the SharePoint user, all [Organization] security policies apply and remain in force, surviving the terminated relationship.
  • The department which requests and authorizes a SharePoint application (the site / application owner) must take the appropriate steps to ensure the integrity and security of all SharePoint Web Parts and application logic, as well as data files created by, or acquired for, SharePoint applications. To ensure a proper segregation of duties, owner responsibilities cannot be delegated to the SharePoint server custodian.
  • The integrity of [Organization] SharePoint software, utilities, operating systems, networks, and respective data files are the responsibility of the server custodian department. Data for test and research purposes must be de-personalized prior to release to testers unless each individual involved in the testing has authorized access to the SharePoint data.
  • [Organization] server custodian departments must provide adequate access controls in order to monitor SharePoint systems to protect business data and associated programs from misuse in accordance with the needs defined by owner departments. All SharePoint access must be properly documented, authorized and controlled, following [Organization] standardized processes.
  • All [Organization] departments must carefully assess the risk of unauthorized alteration, unauthorized disclosure, or loss of the data within the [Organization] SharePoint environment for which they are responsible and ensure, through the use of monitoring mechanisms, that [Organization] is protected from damage, monetary or otherwise. SharePoint owners and server custodian departments must have appropriate backup and contingency plans for disaster recovery based on risk assessment and business requirements.
  • All SharePoint contracts, leases, licenses, consulting arrangements or other agreements must be authorized and signed by an authorized [Organization] officer and must contain terms approved as to form by the Legal Department, advising vendors of [Organization]'s retained proprietary rights and acquired rights with respect to its information systems, programs, and data, and of its requirements for SharePoint security, including SQL data maintenance and return.
  • [Organization] SharePoint implementation(s) and/or associated equipment used for [Organization] SharePoint implementations that are conducted and managed outside of [Organization] control must meet contractual requirements and be subject to monitoring by appropriate SharePoint administrators as well as other parties.
Disciplinary Actions
Violation of this policy may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of [Organization] SharePoint access privileges, civil, and criminal prosecution.
Compliance / Regulation Contributed to by this Policy
  • Copyright Act of 1976
  • Foreign Corrupt Practices Act of 1977
  • Computer Fraud and Abuse Act of 1986
  • Computer Security Act of 1987
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

SharePoint Privacy Policy Template

Introduction – SharePoint Server Private / Public Privacy Policy
SharePoint Privacy Policies are mechanisms used to establish the limits and expectations for the users of [Organization] SharePoint resources. Internal [Organization] SharePoint users should have no expectation of privacy with respect to SharePoint resources. External users should have the expectation of complete privacy, except in the case of suspected wrongdoing, with respect to SharePoint resources.
Purpose
The purpose of the [Organization] SharePoint Privacy Policy is to clearly communicate the [Organization] Information Technology Privacy expectations to users.
Audience
The [Organization] SharePoint Privacy Policy applies equally to all individuals who use any [Organization] SharePoint resources.
SharePoint Server Private / Public Privacy Policy
  • Electronic files created, sent, received, or stored on SharePoint owned, leased, administered, or otherwise under the custody and control of [Organization] are not private and may be accessed by [Organization] SharePoint and Systems Administrators for various purposes at any time without knowledge of the SharePoint user or content owner.
  • Electronic files created, sent, received, or stored on computers owned, leased, administered, or otherwise under the custody and control of [Organization] are the property of [Organization].
  • To manage systems and enforce security, [Organization] may log, review, and otherwise utilize any information stored on or passing through its SharePoint systems in accordance with the provisions and safeguards. For these same purposes, [Organization] may also capture User activity such as telephone numbers dialed and WSS sites visited.
  • A wide variety of third parties may have entrusted their information to [Organization] for business purposes, and all workers at [Organization] must do their best to safeguard the privacy and security of this information. The most important of these third parties is the individual customer; customer account data is accordingly confidential and access will be strictly limited based on business need for access.
  • [Organization] SharePoint users must report any weaknesses in [Organization] SharePoint security, and any incidents of possible misuse or violation of this agreement, to the proper authorities by contacting the appropriate management.
  • [Organization] SharePoint users must not attempt to access any data or programs contained on [Organization] systems for which they do not have authorization or explicit consent.
SharePoint Privacy Policy Distribution
[Organization] SharePoint sites that may be available to the general public must contain a Privacy Statement. An example privacy statement must be embedded within this policy.

[Organization] SharePoint Privacy Statement on the Use of Information Gathered from the Public
The following statement applies only to members of the general public and is intended to address concerns about the types of information gathered from the public, if any, and how that information is used.

I. Cookies
A cookie is a small file containing information that is placed on a user’s computer by a web server. Typically, these files are used to enhance the user’s experience of the site, to help users move between pages in a database, or to customize information for a user.
Any information that [Organization] webservers may store in cookies is used for internal purposes only. Cookie data is not used in any way that would disclose personally identifiable information to outside parties unless [Organization] is legally required to do so in connection with law enforcement investigations or other legal proceedings.

II. Logs and Network Monitoring
[Organization] maintains log files of all access to its SharePoint sites and also monitors network traffic for the purposes of site management. This information is used to help diagnose problems with the server and to carry out other administrative tasks. Log analysis tools are also used to create summary statistics to determine which information is of most interest to users, to identify system problem areas, or to help determine technical requirements.

Information such as the following is collected in these files:
  • Hostname: the hostname and/or IP address of the computer requesting access to the site
  • User-Agent: the type of browser, its version, and the operating system of the computer requesting access (e.g., Netscape 4 for Windows, IE 4 for Macintosh, etc.)
  • Referrer: the web page the user came from
  • System date: the date and time on the server at the time of access
  • Full request: the exact request the user made
  • Status: the status code the server returned, e.g., fulfilled request, file not found
  • Content length: the size, in bytes, of the file sent to the user
  • Method: the request method used by the browser (e.g., POST, GET)
  • Universal Resource Identifier (URI): the location of the particular resource requested (more commonly known as a URL)
  • Query string of the URI: anything after a question mark in a URI. For example, if a keyword search has been requested, the search word will appear in the query string.
  • Protocol: the technical protocol and version used, e.g., HTTP 1.0, FTP, etc.
The above information is not used in any way that would reveal personally identifying information to outside parties unless [Organization] is legally required to do so in connection with law enforcement investigations or other legal proceedings.

III. Email and Form Information
If a member of the general public sends [Organization] an e-mail message or fills out a web-based form with a question or comment that contains personally identifying information, that information will only be used to respond to the request and analyze trends. The message may be redirected to another government agency or person who is better able to answer your question. Such information is not used in any way that would reveal personally identifying information to outside parties unless System Administration is legally required to do so in connection with law enforcement investigations or other legal proceedings.

IV. Links
This site may contain links to other sites. [Organization] is not responsible for the privacy practices or the content of such websites.

V. Security
This site has security measures in place to protect from loss, misuse and alteration of the information.
Contacting [Organization]
If there are any questions about this privacy statement, the practices of this site, or dealings with this website, contact
xxxxxx@xxxxxxx.xxx

SharePoint Server Private / Public Privacy Policy Supporting Information
  • SharePoint Security awareness by [Organization] personnel must be continually emphasized, reinforced, updated and validated.
  • All [Organization] SharePoint users are responsible for managing their use of SharePoint and are accountable for their actions relating to SharePoint security. Users are also equally responsible for reporting any suspected or confirmed violations of this policy to the appropriate management responsible for SharePoint security incident handling.
  • [Organization] server custodian departments must provide adequate access controls in order to monitor SharePoint systems to protect business data and associated programs from misuse in accordance with the needs defined by owner departments. All SharePoint access must be properly documented, authorized and controlled, following [Organization] standardized processes.
Disciplinary Actions
Violation of this policy may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of [Organization] SharePoint access privileges, civil, and criminal prosecution.
Compliance / Regulation Contributed to by this Policy
  • Copyright Act of 1976
  • Foreign Corrupt Practices Act of 1977
  • Computer Fraud and Abuse Act of 1986
  • Computer Security Act of 1987
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

SharePoint Password Policy Template

Introduction – SharePoint Portal Password Policy
SharePoint user authentication is a means to control who has access to the SharePoint environment. SharePoint access gained by a non-authorized entity can cause loss of information confidentiality, integrity and availability that may result in loss of revenue, liability, loss of trust, or embarrassment to [Organization].
Purpose
The purpose of the [Organization] SharePoint Password Policy is to establish the rules for the creation, distribution, safeguarding, termination, and reclamation of the [Organization] user authentication mechanisms.
Audience
The [Organization] SharePoint Password Policy applies equally to all individuals who use any [Organization] SharePoint resource.
SharePoint Portal Password Policy
All SharePoint user passwords, including initial passwords, must be constructed and implemented according to the following [Organization] rules:

  • it must be routinely changed
  • it must adhere to a minimum length as established by [Organization]
  • it must be a combination of alpha and numeric characters
  • it must not be anything that can easily be tied back to the account owner, such as: user name, social security number, nickname, relatives' names, birth date, etc.
  • it must not be dictionary words or acronyms
  • password history must be kept to prevent the reuse of a password
  • stored passwords must be encrypted, including maintaining encryption standards on the SharePoint SSO database
  • SharePoint user account passwords must not be divulged to anyone
  • [Organization] contractors will not ask for user account passwords

Security tokens (i.e. Smartcard) must be returned on demand or upon termination of the relationship with [Organization].

If the security of a password is in doubt, the password must be changed immediately.

Administrators must not circumvent the Password Policy for the sake of ease of use.

Users cannot circumvent SharePoint password entry with auto logon, application remembering, embedded scripts or hardcoded passwords in client software. Exceptions may be made for specific SharePoint applications (like automated backup or SSO) with the approval of the [Organization]. In order for an exception to be approved there must be a procedure to change the passwords.

SharePoint-aware devices must not be left unattended without enabling a password-protected screensaver or logging off the device.

SharePoint password change procedures:

  • authenticate the user to the [Organization] helpdesk before changing password
  • change to a strong password
  • the user must change password at first login

In the event SharePoint passwords are found or discovered, the following steps must be taken:

  • Report the discovery to the [Organization] Help Desk
  • Take control of the passwords and protect them
  • Transfer the passwords to an authorized person as directed by the [Organization]
SharePoint Portal Password Policy
  • Passwords must be changed at least every 60 days.
  • Passwords must have a minimum length of 8 alphanumeric characters.
  • Passwords must contain a mix of upper and lower case characters and have at least 2 numeric characters. The numeric characters must not be at the beginning or the end of the password. Special characters should be included in the password where the computing system permits. The special characters are (!@#$%^&*_+=?/~`;:,<>|).
  • Passwords must not be easy to guess
  • Passwords must not be your employee number
  • Passwords must not be your name
  • Passwords must not be family member names
  • Passwords must not be your nickname
  • Passwords must not be your social security number
  • Passwords must not be your birthday
  • Passwords must not be your license plate number
  • Passwords must not be your pet’s name
  • Passwords must not be your address
  • Passwords must not be your phone number
  • Passwords must not be the name of your town or city
  • Passwords must not be the name of your department
  • Passwords must not be street names
  • Passwords must not be makes or models of vehicles
  • Passwords must not be slang words
  • Passwords must not be obscenities
  • Passwords must not be technical terms
  • Passwords must not be school names, school mascots, or school slogans
  • Passwords must not be any information about you that is known or is easy to learn
  • Passwords must not be any popular acronyms
  • Passwords must not be words that appear in a dictionary
  • Passwords must not be reused for a period of one year
  • Passwords must not be shared with anyone
  • Passwords must be treated as confidential information
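The composition, reuse and age rules above (minimum length 8, upper and lower case, at least 2 digits not at the beginning or end, the listed special characters, nothing tied to the account owner, no dictionary words or acronyms, no reuse within one year, a change at least every 60 days) are concrete enough to enforce in code. The validator below is an added example and is not part of the policy template or of any SharePoint product; the account profile, the small word blocklist, and the history format are constructed assumptions, and it treats special characters as required where the policy only says they "should" be included. Password history holds salted PBKDF2 digests only, so the reuse check never needs stored plaintext.

```python
"""Validator for the SharePoint Portal Password Policy rules (added example)."""
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

MIN_LENGTH = 8                                  # "minimum length of 8"
MIN_DIGITS = 2                                  # "at least 2 numeric characters"
SPECIAL_CHARS = set("!@#$%^&*_+=?/~`;:,<>|")     # the set listed in the policy
MAX_AGE = timedelta(days=60)                    # "changed at least every 60 days"
REUSE_WINDOW = timedelta(days=365)              # "not reused for a period of one year"

# Constructed stand-in for a dictionary / popular-acronym list (assumption:
# a real deployment would load a full word list).
BLOCKLIST = {"password", "welcome", "sharepoint", "summer", "monday", "asap", "fyi"}


def _digest(password, salt):
    # Slow salted hash so the history never holds reversible passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def record_password(password, set_at):
    """Create a history entry holding only salt + digest + timestamp, never plaintext."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": _digest(password, salt), "set_at": set_at}


def password_expired(set_at, now):
    """True when the password is older than the 60-day maximum age."""
    return now - set_at > MAX_AGE


def check_password(candidate, profile, history, now):
    """Return the list of policy rules the candidate violates (empty = acceptable).

    profile: mapping label -> personal value (user name, name, employee number,
             birthday, ...) that the password must not contain.
    history: list of record_password() entries for this account.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case character")
    if not any(c.islower() for c in candidate):
        problems.append("no lower-case character")
    if sum(c.isdigit() for c in candidate) < MIN_DIGITS:
        problems.append(f"fewer than {MIN_DIGITS} numeric characters")
    if candidate and (candidate[0].isdigit() or candidate[-1].isdigit()):
        problems.append("numeric character at the beginning or end")
    if not any(c in SPECIAL_CHARS for c in candidate):
        problems.append("no special character")

    lowered = candidate.lower()
    # Anything that embeds the owner's name, user name, employee number,
    # birthday, etc. (tokens of 3+ characters, case-insensitive) is rejected.
    for label, value in profile.items():
        for token in re.split(r"\W+", str(value).lower()):
            if len(token) >= 3 and token in lowered:
                problems.append(f"contains {label}")
                break
    # Dictionary words / acronyms: compare the alphabetic core of the password,
    # so "Password1!" is still caught.
    core = re.sub(r"[^a-z]", "", lowered)
    if core in BLOCKLIST:
        problems.append("dictionary word or acronym")
    # One-year reuse check against the salted digests in the history.
    for entry in history:
        if now - entry["set_at"] < REUSE_WINDOW and hmac.compare_digest(
            _digest(candidate, entry["salt"]), entry["digest"]
        ):
            problems.append("reused within the last year")
            break
    return problems


def run_demo():
    """Evaluate constructed candidates against a constructed profile and history."""
    now = datetime(2024, 6, 1)
    profile = {"user name": "jsmith", "name": "Jane Smith",
               "employee number": "44721", "birthday": "1990-04-12"}
    history = [record_password("Tr0ub4d&or", now - timedelta(days=200)),   # recent
               record_password("Qw7!ertY9z", now - timedelta(days=400))]   # > 1 year
    candidates = ["Tr0ub4d&or", "password1", "Smith#42go", "Qw7!ertY9z"]
    return {pw: check_password(pw, profile, history, now) for pw in candidates}


def expiry_demo():
    """(expired after 61 days, expired after 30 days) under the 60-day rule."""
    now = datetime(2024, 6, 1)
    return (password_expired(now - timedelta(days=61), now),
            password_expired(now - timedelta(days=30), now))


if __name__ == "__main__":
    for pw, problems in run_demo().items():
        print(f"{pw!r}: {problems or 'OK'}")
    print("expiry (61d, 30d):", expiry_demo())
```

Running the demo shows the reuse rule distinguishing a password set 200 days ago (rejected) from one set 400 days ago (allowed), and the profile check catching "Smith#42go" even though it satisfies every composition rule. In a real deployment the composition rules would be pushed into the directory's password policy rather than checked only at the application layer.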
SharePoint Portal Password Policy Supporting Information
  • Any and all [Organization] SharePoint security controls must not be bypassed or disabled.
  • SharePoint Security awareness by [Organization] personnel must be continually emphasized, reinforced, updated and validated.
  • All [Organization] SharePoint users are responsible for managing their use of SharePoint and are accountable for their actions relating to SharePoint security. Users are also equally responsible for reporting any suspected or confirmed violations of this policy to the appropriate management responsible for SharePoint security incident handling.
  • User SharePoint account passwords shall be protected by the individual user from use by, or disclosure to, any other individual or organization. All security violations shall be reported to the respective SharePoint security incident handling management.
  • Access to, change to, and use of the SharePoint Account Management Policy must be strictly secured. SharePoint information access authority for each user must be reviewed on a regular basis, as well as at each job status change such as a transfer, promotion, demotion, or termination of service.
  • On termination of the relationship with the SharePoint user, all [Organization] security policies apply and remain in force, surviving the terminated relationship.
  • [Organization] server custodian departments must provide adequate access controls in order to monitor SharePoint systems to protect business data and associated programs from misuse in accordance with the needs defined by owner departments. All SharePoint access must be properly documented, authorized and controlled, following [Organization] standardized processes.
Disciplinary Actions
Violation of this policy may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of [Organization] SharePoint access privileges, civil, and criminal prosecution.
Compliance / Regulation Contributed to by this Policy
  • Copyright Act of 1976
  • Foreign Corrupt Practices Act of 1977
  • Computer Fraud and Abuse Act of 1986
  • Computer Security Act of 1987
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA)