SharePoint Security Policy Inventory

SharePoint Security Policies are management instructions indicating a course of action, a guiding principle, or an appropriate procedure that is expedient, prudent, or advantageous. Policies are high-level statements that provide guidance to workers who must make present and future decisions. It would also be correct to say that these SharePoint policies are generalized requirements that must be written down and communicated to certain groups of people inside, and in some cases, outside, the organization. Although SharePoint security policies vary considerably by organization, they typically include general statements of goals, objectives, beliefs, ethics, controls, and worker responsibilities.

Policies are higher-level requirement statements than standards, although both types of management instructions require compliance. Policies provide general instructions, while standards provide specific technical requirements. SharePoint standards cover details such as systems design concepts, implementation steps, software interface mechanisms, software algorithms, and other specifics. Standards provide a measure for comparison in quantitative or qualitative terms. Standards would, for example, define the number of secret key bits required in an encryption algorithm. Policies, on the other hand, would simply define the need to use an approved encryption process when sensitive information is sent over public networks such as the Internet from your SharePoint environment.

Standards will need to be changed considerably more often than policies because the manual procedures, organizational structures, business processes, and information systems technologies mentioned in standards change so rapidly. This is in contrast to policies, which are intended to last for many years.

Policies are generally aimed at a wider audience than standards. For example, a policy requiring the use of anti-virus software packages would apply to all personal computer users, but a standard requiring the use of public key digital certificates could be directed only at staff who conduct organizational business over the Internet.

Policies are distinct from, and at a considerably higher level than, procedures, sometimes called SharePoint standard operating procedures (SSOP). Procedures are specific operational steps or methods that workers must employ to achieve a certain goal. A policy statement describes only the general means for addressing a specific problem. Policies should not become detailed or lengthy; otherwise they turn into procedures or become too intermingled with procedures. For instance, in many information technology departments there are specific procedures for performing back-ups of server hard drives. In this example, a policy could describe the need for back-ups, for storage off-site, and for safeguarding the back-up media (using encryption, physical security, etc.). A standard could define the software to be used to perform back-ups and how to configure this software. A procedure could describe how to use the back-up software, the timing for making back-ups, and other ways that humans interact with the back-up system (how to get approvals by management, how to transfer the storage media to a transportation company, etc.).

One of the common problems observed in policy development and review involves the combination of policies, standards, and procedures in a single document. When it comes time to update the document, the process is needlessly time-consuming and confusing. This is because the three different types of documents all have different levels of detail and focus on different things.

The combination of policies, standards, and procedures in a single document is also not recommended because it can make the location of relevant information much more difficult for the reader. This combination approach also is inefficient in terms of distribution because a lot of irrelevant information is sent to people who really don’t need it. To simplify document maintenance, usage, and cross-referencing, be sure to use separate documents for policies, standards, and procedures.

Policies are also different from controls (also known as countermeasures, security measures, and safeguards). A control is a device or a mechanism used to regulate or guide the operation of a machine, apparatus, or system. An example of a control would be encryption of sensitive data stored on floppy disks. In many cases, policies provide broad objectives that are met with controls. For instance, a policy prohibiting actual or apparent conflicts of interest could be partially met via a control requiring employees to sign a statement indicating they have read the code of conduct and agree to comply. Likewise, in many instances, control measures are dictated directly by policy. For example, a requirement to sign a statement of compliance with a code of conduct might itself be a policy.

In general, policies state the areas on which management attention should focus. For example, a policy might dictate that all software be fully tested before being used for production processing. Management, in most instances, will need to make a number of decisions about controls in order to meet the requirements of a policy. For example, the control measures in support of this testing policy could include software change control systems, a standard development process methodology, documentation standards, and a set of standard testing procedures. The policy may be deliberately vague about the control measures to be used so that management retains the latitude to change controls as evolving technology and business conditions dictate.

SharePoint Server Hardening Policy Template

Introduction – SharePoint Server Hardening Policy

SharePoint servers are depended upon to deliver business data in a secure, reliable fashion. There must be assurance that data integrity, confidentiality and availability are maintained. One of the required steps to attain this assurance is to ensure that the SharePoint servers are installed and maintained in a manner that prevents unauthorized access, unauthorized use, and disruptions in service.

Purpose

The purpose of the [Organization] SharePoint Server Hardening Policy is to describe the requirements for installing a new SharePoint server (whether front-end web, job, index, or database) in a secure fashion and maintaining the security integrity of the existing SharePoint servers and application software, both standard as well as purchased components.

Audience

The [Organization] Server Hardening Policy applies to all individuals that are responsible for the installation of new SharePoint property, the operations of existing SharePoint property, and individuals charged with SharePoint security.

SharePoint Server Hardening Policy
  • A server must not be connected to the [Organization] network until it is in a [Organization] accredited secure state and the network connection is approved by [Organization].
  • The SharePoint Server Hardening Procedure provides the detailed information required to harden a SharePoint server and must be implemented for [Organization] accreditation. Some of the general steps included in the SharePoint Server Hardening Procedure are:
    • Installing the Windows server operating system from an [Organization] approved source
    • Applying Microsoft SharePoint and other relevant supplied patches, service packs, and hotfixes
    • Removing unnecessary software, system services, and drivers
    • Setting security parameters and file protections, and enabling audit logging
    • Disabling or changing the password of default accounts
  • [Organization] will monitor security issues, both internal to [Organization] and externally, and will manage the release of security patches on behalf of [Organization].
  • [Organization] SharePoint administrators will test security patches against [Organization] core resources before release where practical.
  • [Organization] may make hardware resources available for testing security patches in the case of special SharePoint applications and updates.
  • Security patches must be implemented within the specified timeframe of notification from [Organization].
SharePoint Server Hardening Policy Supporting Information
  • All SharePoint software programs, SharePoint applications, Web Part / Application source code, Web Part / Application object code, documentation and general operational data shall be guarded and protected as if it were [Organization] property.
  • The department which requests and authorizes a SharePoint application (the site / application owner) must take the appropriate steps to ensure the integrity and security of all SharePoint Web Parts and application logic, as well as data files created by, or acquired for, SharePoint applications. To ensure a proper segregation of duties, owner responsibilities cannot be delegated to the SharePoint server custodian.
  • The [Organization] SharePoint network is owned and controlled by [Organization]. Approval must be obtained from [Organization] before connecting a device that does not comply with published guidelines to the network. [Organization] reserves the right to remove any network device that does not comply with standards or is not considered to be adequately secure.
  • [Organization] server custodian departments must provide adequate access controls in order to monitor SharePoint systems to protect business data and associated programs from misuse in accordance with the needs defined by owner departments. All SharePoint access must be properly documented, authorized and controlled, following [Organization] standardized processes.
  • All [Organization] departments must carefully assess the risk of unauthorized alteration, unauthorized disclosure, or loss of the data within the [Organization] SharePoint environment for which they are responsible and ensure, through the use of monitoring mechanisms, that [Organization] is protected from damage, monetary or otherwise. SharePoint owners and server custodian departments must have appropriate backup and contingency plans for disaster recovery based on risk assessment and business requirements.
Disciplinary Actions

Violation of this policy may result in disciplinary action, which may include termination for employees and temporaries; termination of the employment relationship in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of [Organization] SharePoint access privileges and to civil and criminal prosecution.

Compliance / Regulation Contributed to by this Policy
  • Copyright Act of 1976
  • Foreign Corrupt Practices Act of 1977
  • Computer Fraud and Abuse Act of 1986
  • Computer Security Act of 1987
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
SharePoint Acceptable Use Policy Template

Introduction – SharePoint Acceptable Use Policy

The SharePoint Server implementation is a strategic asset of [Organization] that must be managed as a valuable [Organization] Information Technology resource. Thus, this SharePoint Acceptable Use Policy is established to achieve the following:

  • To ensure compliance with applicable statutes, regulations, and mandates regarding the management of SharePoint property.
  • To establish prudent and acceptable practices regarding the use of SharePoint resources.
  • To educate individuals who may use SharePoint Information Technology resources with respect to their responsibilities associated with such use.
Audience

The SharePoint Acceptable Use Policy applies equally to all individuals granted access privileges to any [Organization] SharePoint resources.

Ownership of SharePoint Assets

Electronic files created, sent, received, or stored on SharePoint property owned, leased, administered, or otherwise under the custody and control of [Organization] are the property of [Organization].

SharePoint Privacy Acts

Electronic files created, sent, received, or stored on SharePoint property owned, leased, administered, or otherwise under the custody and control of [Organization] are private and may not be accessed by [Organization] employees at any time without the knowledge of the [Organization] user or SharePoint site owner.

SharePoint Acceptable Use Policy
  • SharePoint users must report any weaknesses in [Organization] SharePoint security, and any incidents of possible misuse or violation of this agreement, to the proper authorities by contacting the appropriate management.
  • Users must not attempt to access any data or programs contained on [Organization] SharePoint property for which they do not have authorization or explicit consent.
  • Users must not purposely engage in activity that may: harass, threaten or abuse others; degrade the performance of SharePoint and related Information Technology property; deprive an authorized [Organization] user access to a [Organization] SharePoint resource; obtain extra resources beyond those allocated; circumvent [Organization] SharePoint security measures.
  • Users must not download, install or run security programs or utilities that reveal or exploit weaknesses in the security of SharePoint and related Information Technology property, unless doing so is explicitly part of their job function. The exception is system administrators who have been given explicit rights to perform SharePoint vulnerability and penetration testing.
  • [Organization] SharePoint property must not be used for personal benefit.
  • Users must not intentionally access, create, store or transmit material on the SharePoint implementation which [Organization] may deem to be offensive, indecent or obscene.
  • Users must not otherwise engage in acts against the aims and purposes of [Organization] as specified in its governing documents or in rules, regulations and procedures adopted from time to time.
SharePoint Incidental Use

As a convenience to the [Organization] SharePoint user community, incidental use of SharePoint is permitted. The following restrictions apply:

  • Incidental personal use of electronic mail, internet access, fax machines, printers, copiers, and so on, is restricted to [Organization] approved users; it does not extend to family members or other acquaintances.
  • Incidental SharePoint use must not result in direct costs to [Organization].
  • Incidental SharePoint use must not interfere with the normal performance of an employee’s work duties.
  • No SharePoint based files or documents may be sent or received that may cause legal action against, or embarrassment to, [Organization].
  • Storage of personal email messages, voice messages, files and documents within [Organization]’s SharePoint and related Information Technology property must be nominal.
  • All messages, files and documents including personal messages, files and documents located on [Organization] SharePoint property are owned by [Organization], may be subject to open records requests, and may be accessed in accordance with this policy.
SharePoint Acceptable Use Policy Supporting Information
  • All personnel are responsible for managing their use of SharePoint and related Information Technology property and are accountable for their actions relating to SharePoint security. Personnel are also equally responsible for reporting any suspected or confirmed violations of the SharePoint Acceptable Use Policy to the appropriate management.
  • The use of SharePoint and related Information Technology property must be for officially authorized business purposes only. There is no guarantee of personal privacy or access to tools within the SharePoint implementation. The use of these electronic communications tools may be monitored to fulfill complaint or investigation requirements. Departments responsible for the custody and operation of the SharePoint system shall be responsible for proper authorization of SharePoint and related Information Technology property utilization, the establishment of effective use, and reporting of performance to management.
  • Any data used in SharePoint must be kept confidential and secure by the user. The fact that the data may be stored electronically does not change the requirement to keep the information confidential and secure. Rather, the type of information, or the information itself, is the basis for determining whether the data must be kept confidential and secure. Furthermore, whether this data is stored in a paper or electronic format, or is copied, printed, or electronically transmitted, the data must still be protected as confidential and secured.
  • All SharePoint software programs, applications, source code, object code, documentation and data shall be guarded and protected as if it were state property.
  • Custodian departments must provide adequate access controls in order to monitor systems to protect data and programs from misuse in accordance with the needs defined by owner departments. Access to SharePoint equipment must be properly documented, authorized and controlled.
  • All commercial software used on SharePoint systems is supported by a Microsoft software license agreement that specifically describes the usage rights and restrictions of the product. Personnel must abide by all Microsoft license agreements and must not illegally copy licensed software.
  • [Organization] reserves the right to remove any non-business related SharePoint software.
Disciplinary Actions

Violation of this policy may result in disciplinary action, which may include termination for employees and temporaries; termination of the employment relationship in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of [Organization] SharePoint access privileges and to civil and criminal prosecution.

Compliance / Regulation Contributed to by this Policy
  • Copyright Act of 1976
  • Foreign Corrupt Practices Act of 1977
  • Computer Fraud and Abuse Act of 1986
  • Computer Security Act of 1987
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA)