Intrusion detection plays an important role in implementing and enforcing a SharePoint organizational security policy. As SharePoint grows in complexity, effective security measures must evolve.
SharePoint-aware intrusion detection provides two important functions in protecting the SharePoint environment:
Feedback: Information as to the effectiveness of the IDS and associated components. If a robust and effective IDS is in place, the lack of detected intrusions is an indication that other defenses are working.
Trigger: a mechanism that determines when to activate planned responses to an intrusion incident.
The [Organization] SharePoint Intrusion Detection Policy applies to all individuals that are responsible for the installation of new SharePoint resources, the operations of existing SharePoint resources, and individuals charged with SharePoint resources security.
SharePoint Intrusion Detection Policy
Operating system, user accounting, and application software audit logging processes should be enabled on all host and server systems for internal customers.
Alarm and IDS alert functions of backbone firewalls and other network perimeter access control systems must be enabled, and monitored by the SharePoint administrator.
Audit logging of any firewalls and other network perimeter access control that may lead or display business data from the SharePoint environment must be enabled.
Audit logs from the perimeter access control systems must be monitored/reviewed daily by the SharePoint administrator.
System integrity checks of the firewalls and other network perimeter access control systems must be performed on a routine basis.
Audit logs for servers and hosts on the internal, protected, network must be reviewed on a weekly basis. The SharePoint administrator will furnish any audit logs as requested by [Organization] management.
Host based intrusion tools will be checked on a routine.
All trouble reports should be reviewed for symptoms that might indicate intrusive activity.
All suspected and/or confirmed instances of successful and/or attempted intrusions into the SharePoint environment must be immediately reported according to the Incident Management Policy.
Users shall be trained to report any anomalies in system performance and signs of wrongdoing to the [Organization] Help Desk.
SharePoint Intrusion Detection Policy Supporting Information
Any and all [Organization] SharePoint security controls must not be bypassed or disabled.
All [Organization] SharePoint users are responsible for managing their use of SharePoint and are accountable for their actions relating to SharePoint security. Users are also equally responsible for reporting any suspected or confirmed violations of this policy to the appropriate management responsible for SharePoint security incident handling.
The integrity of [Organization] SharePoint software, utilities, operating systems, networks, and respective data files are the responsibility of the server custodian department. Data for test and research purposes must be de-personalized prior to release to testers unless each individual involved in the testing has authorized access to the SharePoint data.
[Organization] server custodian departments must provide adequate access controls in order to monitor SharePoint systems to protect business data and associated programs from misuse in accordance with the needs defined by owner departments. All SharePoint access must be properly documented, authorized and controlled, following [Organization] standardized processes.
All [Organization] departments must carefully assess the risk of unauthorized alteration, unauthorized disclosure, or loss of the data within the [Organization] SharePoint environment for which they are responsible and ensure, through the use of monitoring mechanisms such that [Organization] is protected from damage, monetary or otherwise. SharePoint owners and server custodian departments must have appropriate backup and contingency plans for disaster recovery based on risk assessment and business requirements.
Violation of this policy may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of [Organization] SharePoint access privileges, civil, and criminal prosecution.
Compliance / Regulation Contributed to by this Policy
Copyright Act of 1976
Foreign Corrupt Practices Act of 1977
Computer Fraud and Abuse Act of 1986
Computer Security Act of 1987
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)