Change Management For SharePoint Security Policies

Introduction – SharePoint Security Policy Checklist

The [Organization] SharePoint Security Policies provide the operational detail required for the successful implementation of the SharePoint Security program. These security policies were developed based on, and cross-referenced to, the Security Policy Standards. In addition, these policies have been developed by interpreting HIPAA and other legislation and legal requirements, understanding business needs, evaluating existing technical implementations, and considering the cultural environment.

Changing Environment

The business, technical, cultural, and legal environment of [Organization], as it relates to information technology use and security, is constantly changing. The SharePoint Security Policies will be revised as needed to comply with changes in law or administrative rules or to enhance their effectiveness.

Technology Neutral

These policies are technology neutral and apply to all aspects of information technology. Emerging technologies or new legislation, however, will impact these practice standards over time.

Ownership and Approval

The SharePoint Security Policies are owned by [Organization].

Change Drivers

A number of factors could result in the need or desire to change the SharePoint Security Policies. These factors include, but are not limited to:

  • Review schedule
  • New legislation
  • Newly discovered security vulnerability
  • New technology
  • Audit report
  • Business requirements
  • Cost/benefit analysis
  • Cultural change

Change Process

Updates to the [Organization] SharePoint Security Policies, which include establishing new policies, modifying existing policies, or removing policies, can result from three different processes:

  • At least annually, the [Organization] SharePoint administrator, or designate, will review the SharePoint Security Policies for possible addition, revision, or deletion. An addition, revision, or deletion is created if it is deemed appropriate.
  • Every time new SharePoint technology (WebPart, site definition) is introduced into [Organization], a security assessment must be completed. The result of the security assessment could necessitate changes to the SharePoint Security Policies before the new technology is permitted for use at [Organization].
  • Any user may propose the establishment, revision, or deletion of any practice standard at any time. These proposals should be directed to the [Organization] SharePoint administrator, who will evaluate the proposal and make recommendations to the [Organization] management.

Change Distribution and Notification

Once a change to the SharePoint Security Policies has been approved by [Organization], or designate, the following steps will be taken as appropriate to properly document and communicate the change:

  • The appropriate [Organization] SharePoint administrator Security web pages will be updated with the change
  • Training and compliance materials will be updated to reflect the change
  • The changes will be communicated using standard [Organization] communications methods (internal cable TV system, announcements web part, newsletters, and communications meetings)