This file was contributed to by Edgardo Gonzalez of PRSL
Introduction – SharePoint System Development Policy
End users may require the integration of external applications with SharePoint Services in order to access vital information to support their informational and collaboration activities. The integrity of the information as well as security and reliability must be assured via the strict application of methods and best practices to enable interfaces to SharePoint services.
The purpose of the SharePoint System Development Policy is to describe the requirements for developing and/or implementing new software in the [Organization] SharePoint environment.
The [Organization] SharePoint System Development Policy applies equally to all individuals who use any [Organization] SharePoint resource.
SharePoint System Development Policy
[Organization] is responsible for developing, maintaining, and participating in a System Development Life Cycle (SDLC) for [Organization] SharePoint development projects. All SharePoint software developed in-house which runs on production servers must be developed according to the SDLC. At a minimum, this plan should address the areas of preliminary analysis or feasibility study; risk identification and mitigation; systems analysis; general design; detail design; development; quality assurance and acceptance testing; implementation; and post-implementation maintenance and review. This methodology ensures that the software will be adequately documented and tested before it is used for critical [Organization] information.
All production SharePoint servers must have designated owners and server custodians for the critical information they process. [Organization] SharePoint administrators must perform periodic risk assessments of production SharePoint servers to determine whether the controls employed are adequate.
All production SharePoint servers must have an access control system to restrict who can access the system as well as restrict the privileges available to these users. A designated SharePoint administrator (who is not a regular user on the system in question) must be assigned for all production SharePoint servers.
Where resources permit, there should be a separation between the production, development, and test SharePoint environments. This will ensure that security is rigorously maintained for the production SharePoint servers, while the development and test environments can maximize productivity with fewer security restrictions. Where these distinctions have been established, development and test staff must not be permitted to have access to production systems. Likewise, all production software testing must utilize sanitized information.
All application-program-based access paths other than the formal user access paths must be deleted or disabled before software is moved into production.
SharePoint System Development Policy Supporting Information
All SharePoint software programs, SharePoint applications, Web Part / Application source code, Web Part / Application object code, documentation and general operational data shall be guarded and protected as if they were [Organization] property.
SharePoint users must engage [Organization] management, or designate, at the onset of any project to acquire SharePoint hardware or to purchase or develop SharePoint software. The costs of acquisitions, development and operation of computer hardware and applications must be authorized by appropriate management. Management and the requesting department must act within their delegated approval limits in accordance with the agency authorization policy. A list of standard software and hardware that may be obtained without specific, individual approval will be published.
The department which requests and authorizes a SharePoint application (the site / application owner) must take the appropriate steps to ensure the integrity and security of all SharePoint Web Parts and application logic, as well as data files created by, or acquired for, SharePoint applications. To ensure a proper segregation of duties, owner responsibilities cannot be delegated to the SharePoint server custodian.
The integrity of [Organization] SharePoint software, utilities, operating systems, networks, and respective data files is the responsibility of the server custodian department. Data for test and research purposes must be de-personalized prior to release to testers unless each individual involved in the testing has authorized access to the SharePoint data.
All [Organization] departments must carefully assess the risk of unauthorized alteration, unauthorized disclosure, or loss of the data within the [Organization] SharePoint environment for which they are responsible and ensure, through the use of monitoring mechanisms, that [Organization] is protected from damage, monetary or otherwise. SharePoint owners and server custodian departments must have appropriate backup and contingency plans for disaster recovery based on risk assessment and business requirements.
Violation of this policy may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of [Organization] SharePoint access privileges and to civil and criminal prosecution.
Compliance / Regulation Contributed to by this Policy
Copyright Act of 1976
Foreign Corrupt Practices Act of 1977
Computer Fraud and Abuse Act of 1986
Computer Security Act of 1987
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)