SharePoint Security Monitoring Policy Template

This file was edited for correctness by Edgardo Gonzalez of PSLR.

Introduction – SharePoint Server Monitoring Policy

Security Monitoring is a method used to confirm that the SharePoint security practices and controls in place are being adhered to and are effective for the SharePoint environment.

Monitoring consists of activities such as the review of:

  • Automated intrusion detection system logs
  • Firewall logs
  • SharePoint User account logs
  • Network scanning logs
  • SharePoint Application logs
  • SQL Data backup recovery logs
  • Help desk logs
  • Other log and error files

Purpose

The purpose of the SharePoint Security Monitoring Policy is to ensure that SharePoint security controls are in place, are effective, and are not being bypassed. One of the benefits of SharePoint security monitoring is the early identification of wrongdoing or of the introduction of new security vulnerabilities. This early identification can help to block the wrongdoing or vulnerability before harm can be done, or at least to minimize the potential impact. Other benefits include Audit Compliance, Service Level Monitoring, Performance Measuring, Limiting Liability, and Capacity Planning.

Audience

The [Organization] Server Monitoring Policy applies to all individuals who are responsible for the installation of new SharePoint property, the operations of existing SharePoint property, and individuals charged with SharePoint security.

SharePoint Server Monitoring Policy

Automated SharePoint security tools will provide real-time notification of detected wrongdoing and vulnerability exploitation. Where possible, a security baseline will be developed and the tools will report exceptions. These tools will be deployed to monitor:

  • LAN traffic, protocols, and device inventory
  • Electronic mail traffic
  • Operating system security parameters

The following files will be checked for signs of wrongdoing and SharePoint vulnerability exploitation at a frequency determined by risk:

  • Automated intrusion detection system logs
  • Firewall logs
  • SharePoint User account logs
  • Network scanning logs
  • System error logs
  • Application logs
  • Data backup and recovery logs
  • Help desk trouble tickets
  • Telephone activity – Call Detail Reports
  • Network printer and fax logs

The following checks will be performed at least annually by [Organization] assigned individuals:

  • Password strength
  • Unauthorized network devices
  • Unauthorized personal web servers
  • Unsecured sharing of devices
  • Unauthorized modem use
  • Windows Operating System and Software Licenses

Any security issues discovered will be reported to the appropriate [Organization] management for follow-up investigation.

SharePoint Server Monitoring Policy Supporting Information
  • Access to, change to, and use of SharePoint Account Management Policy must be strictly secured. SharePoint information access authority for each user must be reviewed on a regular basis, as well as at each job status change, such as a transfer, promotion, demotion, or termination of service.
  • The use of SharePoint must be for officially authorized business purposes only. There is no guarantee of personal privacy or access to tools such as, but not limited to, SharePoint areas, WSS team sites, any and all collaboration and communication functionality, and any sister server integrations (i.e., integrated Microsoft Exchange environments). The use of SharePoint and SharePoint-related tools may be monitored to fulfill complaint or investigation requirements, including forensic analysis into IDS or other security systems. Departments responsible for custody and operations of the SharePoint servers (custodian departments) shall be responsible for proper authorization of SharePoint server utilization, the establishment of effective use, and reporting of performance to management.
  • [Organization] server custodian departments must provide adequate access controls in order to monitor SharePoint systems to protect business data and associated programs from misuse in accordance with the needs defined by owner departments. All SharePoint access must be properly documented, authorized and controlled, following [Organization] standardized processes.
  • All [Organization] departments must carefully assess the risk of unauthorized alteration, unauthorized disclosure, or loss of the data within the [Organization] SharePoint environment for which they are responsible and ensure, through the use of monitoring mechanisms, that [Organization] is protected from damage, monetary or otherwise. SharePoint owners and server custodian departments must have appropriate backup and contingency plans for disaster recovery based on risk assessment and business requirements.

Disciplinary Actions

Violation of this policy may result in disciplinary action, which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of [Organization] SharePoint access privileges, and to civil and criminal prosecution.

Compliance / Regulation Contributed to by this Policy
  • Copyright Act of 1976
  • Foreign Corrupt Practices Act of 1977
  • Computer Fraud and Abuse Act of 1986
  • Computer Security Act of 1987
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA)