• All SharePoint user accounts created must have an associated request and approval that is appropriate for the [Organization] SharePoint system.
• All SharePoint users must sign the [Organization] SharePoint Security Acknowledgement and Nondisclosure Agreement before access to the SharePoint implementation.
• All SharePoint accounts must be uniquely identifiable using the assigned user name.
• All default SharePoint user passwords for accounts must be constructed in accordance with the [Organization] Password Policy.
• All SharePoint user accounts must have a password expiration that complies with the [Organization] Password Policy.
• SharePoint accounts of individuals on extended leave (more than 30 days) will be disabled.
• All new user SharePoint accounts that have not been accessed within 30 days of creation will be disabled.

SharePoint Administrators or other designated SharePoint staff:

1. are responsible for removing SharePoint accounts of individuals that change roles within [Organization] or are separated from their relationship with [Organization]

2. must have a documented process to modify a SharePoint user account to accommodate situations such as name changes, accounting changes and permission changes

3. must have a documented process for periodically reviewing existing SharePoint accounts for validity

4. are subject to independent audit review without disclouse

5. must provide a list of SharePoint accounts for the portals / sites they administer when requested by authorized [Organization] management

6. must cooperate with authorized [Organization] management investigating SharePoint security incidents

• Any and all [Organization] SharePoint security controls must not be bypassed or disabled.
• SharePoint Security awareness by [Organization] personnel must be continually emphasized, reinforced, updated and validated.
• All [Organization] SharePoint users are responsible for managing their use of SharePoint and are accountable for their actions relating to SharePoint security. Users are also equally responsible for reporting any suspected or confirmed violations of this policy to the appropriate management responsible for SharePoint security incident handling.
• User SharePoint account passwords shall be protected by the individual user from use by, or disclosure to, any other individual or organization. All security violations shall be reported to respectful SharePoint security incident handling management.
• Access to, change to, and use of SharePoint Account Management Policy must be strictly secured. SharePoint information access authority for each user must be reviewed on a regular basis, as well as each job status change such as: a transfer, promotion, demotion, or termination of service.
• The use of SharePoint must be for officially authorized business purposes only. There is no guarantee of personal privacy or access to tools such as, but not limited to; SharePoint areas, WSS team sites, any and all collaboration and communication functionality, and any sister sever integrations (i.e. integrated Microsoft Exchange environments). The use of SharePoint and SharePoint related tools may be monitored to fulfill complaint or investigation requirements, including forensic an analysis into IDS or other security systems. Departments responsible for custody and operations of the SharePoint servers (custodian departments) shall be responsible for proper authorization of SharePoint server utilization, the establishment of effective use, and reporting of performance to management.
• Any data housed within SharePoint must be kept confidential and secure by the respectful [Organization] SharePoint user. The fact that the business data may be stored electronically (i.e. document library or SharePoint list) does not change the requirement to keep the information confidential and secure. The type of information or the information itself is the basis for determining whether the data must be kept confidential and secure. Furthermore if this data is stored in a paper or electronic format, or if the data is copied, printed, or electronically transmitted the data must still be protected as confidential and secured.
• On termination of the relationship with the SharePoint user all security policies for [Organization] apply and remain in force surviving the terminated relationship.
• [Organization] server custodian departments must provide adequate access controls in order to monitor SharePoint systems to protect business data and associated programs from misuse in accordance with the needs defined by owner departments. All SharePoint access must be properly documented, authorized and controlled, following [Organization] standardized processes.
• All [Organization] departments must carefully assess the risk of unauthorized alteration, unauthorized disclosure, or loss of the data within the [Organization] SharePoint environment for which they are responsible and ensure, through the use of monitoring mechanisms such that [Organization] is protected from damage, monetary or otherwise. SharePoint owners and server custodian departments must have appropriate backup and contingency plans for disaster recovery based on risk assessment and business requirements.

• Copyright Act of 1976
• Foreign Corrupt Practices Act of 1977
• Computer Fraud and Abuse Act of 1986
• Computer Security Act of 1987
• The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

• All SharePoint user accounts created must have an associated request and approval that is appropriate for the [Organization] SharePoint system.
• All SharePoint users must sign the [Organization]SharePoint Security Acknowledgement and Nondisclosure Agreement before access to the SharePoint implementation.
• All SharePoint accounts must be uniquely identifiable using the assigned user name.
• All default SharePoint user passwords for accounts must be constructed in accordance with the [Organization] Password Policy.
• All SharePoint user accounts must have a password expiration that complies with the [Organization] Password Policy.
• SharePoint accounts of individuals on extended leave (more than 30 days) will be disabled.
• All new user SharePoint accounts that have not been accessed within 30 days of creation will be disabled.

SharePoint Administrators or other designated SharePoint staff:

1. are responsible for removing SharePoint accounts of individuals that change roles within [Organization] or are separated from their relationship with [SharePoint Portal Owning Organization]

2. must have a documented process to modify a SharePoint user account to accommodate situations such as name changes, accounting changes and permission changes

3. must have a documented process for periodically reviewing existing SharePoint accounts for validity

4. are subject to independent audit review without disclouse

5. must provide a list of SharePoint accounts for the portals / sites they administer when requested by authorized [Organization] management

6. must cooperate with authorized [Organization] management investigating SharePoint security incidents

• Any and all [Organization] SharePoint security controls must not be bypassed or disabled.
• SharePoint Security awareness by [Organization] personnel must be continually emphasized, reinforced, updated and validated.
• All [Organization] SharePoint users are responsible for managing their use of SharePoint and are accountable for their actions relating to SharePoint security. Users are also equally responsible for reporting any suspected or confirmed violations of this policy to the appropriate management responsible for SharePoint security incident handling.
• User SharePoint account passwords shall be protected by the individual user from use by, or disclosure to, any other individual or organization. All security violations shall be reported to respectful SharePoint security incident handling management.
• Access to, change to, and use of SharePoint Account Managmenet Policy must be strictly secured. SharePoint information access authority for each user must be reviewed on a regular basis, as well as each job status change such as: a transfer, promotion, demotion, or termination of service.
• The use of SharePoint must be for officially authorized business purposes only. There is no guarantee of personal privacy or access to tools such as, but not limited to; SharePoint areas, WSS team sites, any and all collaboration and communication functionality, and any sister sever integrations (i.e. integrated Microsoft Exchange environments). The use of Sharepoint and SharePoint related tools may be monitored to fulfill complaint or investigation requirements, including forensic an analysis into IDS or other security systems. Departments responsible for custody and operations of the SharePoint servers (custodian departments) shall be responsible for proper authorization of SharePoint server utilization, the establishment of effective use, and reporting of performance to management.
• Any data housed within SharePoint must be kept confidential and secure by the respectful [Organization] SharePoint user. The fact that the business data may be stored electronically (i.e. document library or SharePoint list) does not change the requirement to keep the information confidential and secure. The type of information or the information itself is the basis for determining whether the data must be kept confidential and secure. Furthermore if this data is stored in a paper or electronic format, or if the data is copied, printed, or electronically transmitted the data must still be protected as confidential and secured.
• On termination of the relationship with the Sharepoint user all security policies for [Organization] apply and remain in force surviving the terminated relationship.
• [Organization] server custodian departments must provide adequate access controls in order to monitor SharePoint systems to protect business data and associated programs from misuse in accordance with the needs defined by owner departments. All SharePoint access must be properly documented, authorized and controlled, following [Organization] standardized processes.
• All [Organization] departments must carefully assess the risk of unauthorized alteration, unauthorized disclosure, or loss of the data within the [Organization] SharePoint environment for which they are responsible and ensure, through the use of monitoring mechanisms such that [Organization] is protected from damage, monetary or otherwise. SharePoint owners and server custodian departments must have appropriate backup and contingency plans for disaster recovery based on risk assessment and business requirements.

• Copyright Act of 1976
• Foreign Corrupt Practices Act of 1977
• Computer Fraud and Abuse Act of 1986
• Computer Security Act of 1987
• The Health Insurance Portability and Accountability Act of 1996 (HIPAA)