SharePoint System Development Policy Template

This file was contributed to by Edgardo Gonzalez of PRSL

Introduction – SharePoint System Development Policy End users may require the integration of external applications with SharePoint Services in order to access vital information to support their informational and collaboration activities. The integrity of the information as well as security and reliability must be assured via the strict application of methods and best practices to enable interfaces to SharePoint services.
Purpose The purpose of the SharePoint System Development Policy is to describe the requirements for developing and/or implementing new software in the [Organization] SharePoint environment.
Audience The [Organization] SharePoint System Development Policy applies equally to all individuals that use any [Organization] SharePoint resource.
SharePoint System Development Policy
  • [Organization] is responsible for developing, maintaining, and participating in a System Development Life Cycle (SDLC) for [Organization] SharePoint development projects. All SharePoint software developed in-house which runs on production servers must be developed according to the SDLC. At a minimum, this plan should address the areas of preliminary analysis or feasibility study; risk identification and mitigation; systems analysis; general design; detail design; development; quality assurance and acceptance testing; implementation; and post-implementation maintenance and review. This methodology ensures that the software will be adequately documented and tested before it is used for critical [Organization] information.
  • All production SharePoint servers must have designated owners and server custodians for the critical information they process. [Organization] SharePoint administrators must perform periodic risk assessments of production SharePoint servers to determine whether the controls employed are adequate.
  • All production SharePoint servers must have an access control system to restrict who can access the system as well as restrict the privileges available to these users. A designated SharePoint administrator (who is not a regular user on the system in question) must be assigned for all production SharePoint servers.
  • Where resources permit, there should be a separation between the production, development, and test SharePoint environments. This will ensure that security is rigorously maintained for the production SharePoint servers, while the development and test environments can maximize productivity with fewer security restrictions. Where these distinctions have been established, development and test staff must not be permitted to have access to production systems. Likewise, all production software testing must utilize sanitized information.
  • All application-program-based access paths other than the formal user access paths must be deleted or disabled before software is moved into production.
SharePoint System Development Policy Supporting Information
  • All SharePoint software programs, SharePoint applications, Web Part / Application source code, Web Part / Application object code, documentation and general operational data shall be guarded and protected as if it were [Organization] property.
  • SharePoint users must engage [Organization] management, or designate, at the onset of any project to acquire SharePoint hardware or to purchase or develop SharePoint software. The costs of acquisitions, development and operation of computer hardware and applications must be authorized by appropriate management. Management and the requesting department must act within their delegated approval limits in accordance with the agency authorization policy. A list of standard software and hardware that may be obtained without specific, individual approval will be published.
  • The department which requests and authorizes a SharePoint application (the site / application owner) must take the appropriate steps to ensure the integrity and security of all SharePoint Web Parts and application logic, as well as data files created by, or acquired for, SharePoint applications. To ensure a proper segregation of duties, owner responsibilities cannot be delegated to the SharePoint server custodian.
  • The integrity of [Organization] SharePoint software, utilities, operating systems, networks, and respective data files are the responsibility of the server custodian department. Data for test and research purposes must be de-personalized prior to release to testers unless each individual involved in the testing has authorized access to the SharePoint data.
  • All [Organization] departments must carefully assess the risk of unauthorized alteration, unauthorized disclosure, or loss of the data within the [Organization] SharePoint environment for which they are responsible and ensure, through the use of monitoring mechanisms such that [Organization] is protected from damage, monetary or otherwise. SharePoint owners and server custodian departments must have appropriate backup and contingency plans for disaster recovery based on risk assessment and business requirements.
Disciplinary Actions Violation of this policy may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of [Organization] SharePoint access privileges, civil, and criminal prosecution.
Compliance / Regulation Contributed to by this Policy
  • Copyright Act of 1976
  • Foreign Corrupt Practices Act of 1977
  • Computer Fraud and Abuse Act of 1986
  • Computer Security Act of 1987
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Share

SharePoint Physical Access Policy Template

Introduction – SharePoint Server Physical Access Policy SharePoint support staff, security administrators, SharePoint administrators, and others may have physical SharePoint server access requirements as part of their job function. The granting, controlling, and monitoring of the physical access to [Organization] SharePoint servers is extremely important to an overall Communications and Collaborations security program.
Purpose The purpose of the [Organization] SharePoint Physical Access Policy is to establish the rules for the granting, control, monitoring, and removal of physical SharePoint server access to [Organization] facilities where SharePoint servers might reside.
Audience The [Organization] Server Hardening Policy applies to all individuals that are responsible for the installation of new SharePoint property, the operations of existing SharePoint property, and individuals charged with SharePoint security, as well as data owners.
SharePoint Server Physical Access Policy Policy
  • All physical security systems where SharePoint is going to reside must comply with applicable all applicable regulations such as, but not limited to, building codes and fire prevention codes.
  • Physical access to all [Organization] SharePoint resources facilities must be documented and managed.
  • All [Organization] facilities must be physically protected in proportion to the criticality or importance of their function at [SharePoint Portal Owning Organization].
  • Access to SharePoint server facilities must be granted only to [Organization] support personnel, and contractors, whose job responsibilities require access to that facility.
  • The process for granting card and/or key access to SharePoint server facilities must include the approval of the person responsible for the facility.
  • Each individual that is granted access rights to a SharePoint server facility must receive emergency procedures training for the facility and must sign the appropriate access and non-disclosure agreements.
  • Requests for access must come from the applicable [SharePoint Portal Owning Organization]. data/system owner.
  • Access cards and/or keys must not be shared or loaned to others.
  • Access cards and/or keys that are no longer required must be returned to the person responsible for the SharePoint server facility. Cards must not be reallocated to another individual bypassing the return process.
  • Lost or stolen access cards and/or keys must be reported to the person responsible for the SharePoint server facility.
  • All SharePoint server facilities that allow access to visitors will track visitor access with a sign in/out log.
  • Visitors must be escorted in card access controlled areas SharePoint server facilities.
  • The person responsible for the SharePoint server facility must review access records and visitor logs for the facility on a periodic basis and investigate any unusual access.
  • The person responsible for the SharePoint server facility must review card and/or key access rights for the facility on a periodic basis and remove access for individuals that no longer require access.
  • Signage for restricted access rooms and locations must be practical, yet minimal discernible evidence of the importance of the location should be displayed.
  • Card access records and visitor logs for areas SharePoint server facilities must be kept for routine review based upon the criticality of the SharePoint and other Information Technology resources being protected.
  • The person responsible for the SharePoint server facility must remove the card and/or key access rights of individuals that change roles within [SharePoint Portal Owning Organization]. or are separated from their relationship with [SharePoint Portal Owning Organization].
SharePoint Server Physical Access Policy Supporting Information
  • Any and all [Organization] SharePoint security controls must not be bypassed or disabled.
  • SharePoint Security awareness by [Organization] personnel must be continually emphasized, reinforced, updated and validated.
  • All [Organization] SharePoint users are responsible for managing their use of SharePoint and are accountable for their actions relating to SharePoint security. Users are also equally responsible for reporting any suspected or confirmed violations of this policy to the appropriate management responsible for SharePoint security incident handling.
  • User SharePoint account passwords shall be protected by the individual user from use by, or disclosure to, any other individual or organization. All security violations shall be reported to respectful SharePoint security incident handling management.
  • Access to, change to, and use of SharePoint Account Managmenet Policy must be strictly secured. SharePoint information access authority for each user must be reviewed on a regular basis, as well as each job status change such as: a transfer, promotion, demotion, or termination of service.
  • All SharePoint software programs, SharePoint applications, Web Part / Application source code, Web Part / Application object code, documentation and general operational data shall be guarded and protected as if it were [Organization] property.
  • On termination of the relationship with the Sharepoint user all security policies for [Organization] apply and remain in force surviving the terminated relationship.
  • [Organization] server custodian departments must provide adequate access controls in order to monitor SharePoint systems to protect business data and associated programs from misuse in accordance with the needs defined by owner departments. All SharePoint access must be properly documented, authorized and controlled, following [Organization] standardized processes.
  • [Organization] SharePoint implementation(s) and/or associated equipment used for [Organization] SharePoint implementations that are conducted and managed outside of [Organization] control must meet contractual requirements and be subject to monitoring by appropriate SharePoint administrators as well as other parties.
Disciplinary Actions Violation of this policy may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of [Organization] SharePoint access privileges, civil, and criminal prosecution.
Compliance / Regulation Contributed to by this Policy
  • Copyright Act of 1976
  • Foreign Corrupt Practices Act of 1977
  • Computer Fraud and Abuse Act of 1986
  • Computer Security Act of 1987
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Share

SharePoint Server Hardening Policy Template

Introduction – SharePoint Server Hardening Policy SharePoint servers are depended upon to deliver business data in a secure, reliable fashion. There must be assurance that data integrity, confidentiality and availability are maintained. One of the required steps to attain this assurance is to ensure that the SharePoint servers are installed and maintained in a manner that prevents unauthorized access, unauthorized use, and disruptions in service.
Purpose The purpose of the [Organization] SharePoint Server Hardening Policy is to describe the requirements for installing a new SharePoint server (whether front-end web, job, index, or database) in a secure fashion and maintaining the security integrity of the existing SharePoint servers and application software, both standard as well as purchased components.
Audience The [Organization] Server Hardening Policy applies to all individuals that are responsible for the installation of new SharePoint property, the operations of existing SharePoint property, and individuals charged with SharePoint security.
SharePoint Server Hardening Policy
  • A server must not be connected to the [Organization] network until it is in a [Organization] accredited secure state and the network connection is approved by [Organization].
  • The SharePoint Server Hardening Procedure provides the detailed information required to harden a SharePoint server and must be implemented for [Organization] accreditation. Some of the general steps included in the SharePoint Server Hardening Procedure include:Installing the Windows server operating system from an [Organization] approved source
    Applying Microsoft SharePoint and other relevant supplied patches, service packs, and hotfixes.
    Removing unnecessary software, system services, and drivers
    Setting security parameters, file protections and enabling audit logging
    Disabling or changing the password of default accounts
  • [Organization] will monitor security issues, both internal to [Organization] and externally, and will manage the release of security patches on behalf of [Organization].
  • [Organization] SharePoint administrators will test security patches against [Organization] core resources before release where practical.
  • [Organization] may make hardware resources available for testing security patches in the case of special SharePoint applications and update.
  • Security patches must be implemented within the specified timeframe of notification from [Organization].
SharePoint Server Hardening Policy Supporting Information
  • All SharePoint software programs, SharePoint applications, Web Part / Application source code, Web Part / Application object code, documentation and general operational data shall be guarded and protected as if it were [Organization] property.
  • The department which requests and authorizes a SharePoint application (the site / application owner) must take the appropriate steps to ensure the integrity and security of all SharePoint Web Parts and application logic, as well as data files created by, or acquired for, SharePoint applications. To ensure a proper segregation of duties, owner responsibilities cannot be delegated to the SharePoint server custodian.
  • The [Organization] SharePoint network is owned and controlled by [Organization]. Approval must be obtained from [Organization] before connecting a device that does not comply with published guidelines to the network. [Organization] reserves the right to remove any network device that does not comply with standards or is not considered to be adequately secure.
  • [Organization] server custodian departments must provide adequate access controls in order to monitor SharePoint systems to protect business data and associated programs from misuse in accordance with the needs defined by owner departments. All SharePoint access must be properly documented, authorized and controlled, following [Organization] standardized processes.
  • All [Organization] departments must carefully assess the risk of unauthorized alteration, unauthorized disclosure, or loss of the data within the [Organization] SharePoint environment for which they are responsible and ensure, through the use of monitoring mechanisms such that [Organization] is protected from damage, monetary or otherwise. SharePoint owners and server custodian departments must have appropriate backup and contingency plans for disaster recovery based on risk assessment and business requirements.
Disciplinary Actions Violation of this policy may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of [Organization] SharePoint access privileges, civil, and criminal prosecution.
Compliance / Regulation Contributed to by this Policy
  • Copyright Act of 1976
  • Foreign Corrupt Practices Act of 1977
  • Computer Fraud and Abuse Act of 1986
  • Computer Security Act of 1987
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Share