Security Management and Risk Management in SharePoint

Security Management and Risk Management in SharePoint

Security management or Security Governance is a practice that is tailored to protect a companies assets. The practice of security management is built upon the basis of the CIA triad, which is discussed more exhaustibly in other sections. One of the largest practices that occurs during the defining of security governance within a SharePoint environment is performing risk management. The concept of risk management simply identifies an organizational set of assets, defining and discovery the risks that may afflict those assets, and producing an estimate of operational cost that may occur if damage or loss occurs. Once the risk policies are defined for the SharePoint environment, it is possible to then generate relevant security policies that will in turn protect the organizational SharePoint assets.

Three Controls That Build SharePoint Security Management

There are five major concepts that will build up the practice of security management that will help to protect an arbitrary company. Controls, in general, are simply meant to manage organizational security management. There are 5 major control measures (also known as types) that build up the concept of a security environment , administrative controls / type 1, preventive controls/ type 2, detective controls / type 3, corrective controls / type 4, and recovery controls / type 5. Preventive controls are further broken down into 3 sub-control measures, and can be defined as administrative controls, technical controls, and physical controls. 

Administrative Controls Type 2 Preventive Sub-control

Administrative controls provide the basis for executive and managerial directives. Administrative controls define the publication of such things as security policies, procedures, standards, system activity monitoring, change control, and security awareness training. In administrative controls, there is also the activity of screening employees and other parties that may be involved with the organization, as well as monitor implementing the administrative systems that will proactively monitor the SharePoint environment.

There are several examples of SharePoint security policies that are provided throughout the site. However, a security policy is simply a control that is implemented in order to procure a plan for how SharePoint security should be implemented throughout an organization. The security policy provides a high level overview for actions that should be taken, what actions are considered acceptable, and what level of risks that an organization is willing to take in their SharePoint environment.

In administrative controls, there also exists the concept of personnel controls that will define how employees should interact with relevant security systems. The largest two concepts in personnel controls are separating duties, as well as the rotation of duties within an arbitrary SharePoint environment. Separating duties simply means that no one person is responsible for the critical tasks that may affect a SharePoint environment. Rotating of duties simply ensures that more than one organizational employee can execute critical tasks that may afflict SharePoint.

In relation to the concept of personnel, there is also the notion of training. Security training is an administrative control that ensures that personnel are aware of threats to collaborative technology and the appropriate actions that should be taken in order to properly mitigate those threats. Ensuring that users are trained leads to the concept of supervisory structure, whereby supervisors should always take an interest in the security awareness of users, therefore instigating a vested interest in heightening security awareness. Supervisors should also be responsible for ensuring that all security mechanisms and users are security trained. Users, at all times, should be trained in order to support the organizational global security policy, security goals, and overall security objectives set in order to procure the most secure collaboration environment.

Technical Controls Type 2 Preventive Sub-control

Technical controls within a SharePoint environment include a variety of mechanisms:

  • Security Devices
  • Authentication Controls
  • Configuration of SharePoint and related Network Devices
  • Identification Controls
  • Password Management
  • Resources Management
  • Access Control Mechanisms

Security devices and network architecture are the backbone of protection within a networked computing environment. The network architecture can be something as simple as a wall promoting segregation between two segments and the location of network devices. It doesn’t have to be physical as well, and can involve separation through VLAN’s and different filtering devices. The network access mechanisms can in turn provide control over what network systems can be accessed, as well as what actions that an individual can take on a particular network segment. Security devices can also procure the concept of encryption in order to protect the relevant information as it is sent across a pipe (un-trusted medium). For the tracking of such activity (as information is sent across the medium), there is the notion of audit controls that are meant to target and record traffic activity as it occurs through a segment.

Physical Controls Type 2 Preventive Sub-control

Physical controls are a relatively broad concept, and encompass such things as controlling

  • Access to a building or facility
  • Locking systems on physical devices
  • Removing and wiping unused electronic mediums

Physical controls are mainly targeted ad controlling the overall environment of where you are housing SharePoint, but also will promote control of the perimeter, and monitor for physical intrusion that might also compromise a SharePoint environment. 

The largest portion of physical security is the concept of perimeter security, meaning that it encompasses securing the actual outside of the building. This can be pretty much anything, like badges, surveillance through cameras, parking lot walking guards, motion detectors, alarms, etc.

In physical security is also the concept of physical securing both the network, and personal computing architecture. Personal computer controls are simply devices that exist in order to protect the actual computer from improper access. This can be a lock that exists on a laptop, or the removal of unused drives. Network physical security means that your SharePoint servers have the necessary security precautions such that only the authorized personnel are enabled access to relevant devices. This can also involve securing the physical transmissions medium, such as the cabling architecture, since it is feasible for one to implement a tap into the physical line to enable a cross talk, or sniff into various conversations that may occur.