Introduction – SharePoint Backup/DRP Policy
SharePoint backups are a business requirement that enables the recovery of SharePoint data and applications after events such as natural disasters, system disk drive failures, espionage, data entry errors, or system operations errors.
Purpose
The purpose of the [Organization] SharePoint Backup/DRP Policy is to establish the rules for the backup and storage of electronic [Organization] information.
Audience
The [Organization] SharePoint Backup/DRP Policy applies to all individuals who are responsible for the installation of new SharePoint property or the operation of existing SharePoint property, and to all individuals charged with SharePoint security.
SharePoint Backup/DRP Policy
1. System name
2. Creation Date
3. Sensitivity Classification [Based on applicable electronic record retention regulations.]
4. [Organization] Contact Information
SharePoint Backup/DRP Policy Supporting Information
Disciplinary Actions
Violation of this policy may result in disciplinary action, which may include termination for employees and temporaries; termination of the employment relationship in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of [Organization] SharePoint access privileges and to civil and criminal prosecution.
Compliance / Regulation Contributed to by this Policy
Introduction – SharePoint Security Policy Checklist
The SharePoint Server Security Policy Checklist provides a concise view of the state of [Organization] security policy development and implementation for an organization.
The SharePoint Server Security Policy Checklist indicates which policies are required by default by [Organization] and which policies are optional depending on the SharePoint resources used by an organization. For required policies, indicate "yes" in each column whose heading states a condition that is already true, and a targeted completion date in each column whose heading states a condition that has not yet been met.
This portion of the SharePoint Server Security Policy Checklist is for those policy areas that may be required depending on the SharePoint resources in use at [Organization]. For these policies, examine the requirements statement associated with the policy. If the policy is required based on the requirements statement, complete the remaining columns as indicated above. If the policy is not required based on the requirements statement, simply mark the Required column "no".
The Analysis Matrix is provided as a tool to assist with the completion of the SharePoint Server Security Policy Checklist. This matrix describes security elements, gives an industry best practice for the intent of each security element, indicates where the policy for a security element is most likely to be documented, and provides locations to document dates and plans.
| Policy Area | Requirements Statement |
|---|---|
| Intrusion Detection | Required for networked environments. |
| Portable Computing | Required for organizations supporting laptops, PDAs, or other portable devices. |
| Security Monitoring | Required for networked environments. |
| Server Hardening | Required for environments with servers. |
| System Development | Required for environments where software is developed. |
| Vendor Access | Required for environments where access to or from entities external to the organization is required. Outsourced maintenance, management, and network services must be considered. |
Analysis Matrix
| Security Element | Industry Best Practice | Location | Last Revision Date | Implementation |
|---|---|---|---|---|
| Policy Development and Evaluation Process | Documented development process for the continual updating and review of security policies, procedures, and compliance. Includes a process for the continuous review and measurement of policy effectiveness. | | | |
| Ethics Policy | Documented high-level statement of ethics standards. | | | |
| Acceptable Use | Documentation presenting general guidelines defining scope, behavior, and practices for users; monitoring of compliance; and policies pertaining to special access users. | Acceptable Use Policy | | |
| Account Management | Documentation requiring standards and procedures for the creation, distribution, and revocation of user accounts. | Account Management Policy | | |
| Proprietary Information | Documentation establishing responsibility and appropriate measures for protecting proprietary information from disclosure or modification. | | | |
| E-Mail Access and Use | Documentation presenting general guidelines defining scope, behavior, and practices for users; monitoring of compliance; and policies pertaining to special access users. | Acceptable Use Policy | | |
| Escalation Procedures / Incident Reporting | Response plan for handling and resolving security incidents. | Incident Management Policy | | |
| Internet Access | Documentation presenting general guidelines defining scope, behavior, and practices for users; monitoring of compliance; and policies pertaining to special access users. | Acceptable Use Policy | | |
| | | Portable Computing Policy | | |
| Passwords | Documentation requiring standards and procedures for the composition, creation, distribution, use, and revocation of passwords. | Password Policy | | |
| Security Training | Awareness and training program in information security and the protection of information resources for personnel who come in contact with sensitive resources. | Security Training Policy | | |
| Software Licensing | Documentation establishing responsibility and appropriate compliance measures. | | | |
| Voice Mail Access and Use | | Acceptable Use Policy; Special Access Policy | | |
| Basic Physical Security | Controlled building access and mandatory access controls for information systems; policy for the use of controls and penalties for non-compliance. | Physical Security Policy | | |
| Natural Disasters | Documented plan for the recovery of critical business functions in the case of flood, fire, loss of environmental controls, or power loss. | Backup/Disaster Recovery Policy | | |
| Data Classification | Documented policies and procedures for the classification, identification, and handling of sensitive information. | | | |
| Data Retention | Documented policies and procedures for the archival and retention of sensitive data. | | | |
| Disposal of Sensitive Data | Documented policies and procedures for the destruction of media containing sensitive data. | | | |
| Integrity and Confidentiality | Controls for the assurance of data integrity, including those that pertain to confidentiality and privacy compliance policy. | Vendor Access Policy; Security Monitoring Policy; Virus Protection Policy | | |
| System Security Tools / Intrusion Detection | The use of audit controls and tools to periodically review security compliance. | Security Monitoring Policy; Intrusion Detection Policy | | |
| Development Procedures | Documented policies and procedures governing acceptable standards of testing and documentation, as well as those for the lifecycle that places a system into production. | System Development Policy | | |
| Responsibilities and Roles | Documented policies that define the roles and responsibilities of system administrators and their relation to the computer systems and network infrastructure in their care. | | | |
| Contingency Planning | Documentation establishing responsibility for the policies, procedures, and mechanisms for the creation, testing, and revision of contingency plans for business-critical systems. | Backup/Disaster Recovery Policy | | |
| Backup | Policies, procedures, and mechanisms for the archival, retention, and recovery of data. Periodic testing of recovery schemes. | Backup/Disaster Recovery Policy | | |
| Off-Site Backup | Copies of backup media and logs are stored off-site in a secured facility on a regular basis. Policies and procedures exist governing the transfer and handling of media. | Backup/Disaster Recovery Policy | | |
| Equipment | Computer equipment is maintained in accordance with the manufacturer's recommendations. Records of faults or suspected faults are maintained. Critical systems are under maintenance contract in proportion to their significance. | Server Hardening Policy | | |
| Software | Policies and procedures for the monitoring of patch and vulnerability information sources, their review, remediation, and the creation of new baseline information for updated systems. | Change Management Policy; Server Hardening Policy | | |
SharePoint Security Policies are management instructions indicating a course of action, a guiding principle, or an appropriate procedure that is expedient, prudent, or advantageous. Policies are high-level statements that provide guidance to workers who must make present and future decisions. It would also be correct to say that these SharePoint policies are generalized requirements that must be written down and communicated to certain groups of people inside, and in some cases, outside, the organization. Although SharePoint security policies vary considerably by organization, they typically include general statements of goals, objectives, beliefs, ethics, controls, and worker responsibilities.
Policies are higher-level requirement statements than standards, although both types of management instructions require compliance. Policies provide general instructions, while standards provide specific technical requirements. SharePoint standards cover details such as systems design concepts, implementation steps, software interface mechanisms, software algorithms, and other specifics. Standards provide a measure for comparison in quantitative or qualitative terms. Standards would, for example, define the number of secret key bits required in an encryption algorithm. Policies, on the other hand, would simply define the need to use an approved encryption process when sensitive information is sent over public networks such as the Internet from your SharePoint environment.
Standards will need to be changed considerably more often than policies because the manual procedures, organizational structures, business processes, and information systems technologies mentioned in standards change so rapidly. This is in contrast to policies, which are intended to last for many years.
Policies are generally aimed at a wider audience than standards. For example, a policy requiring the use of anti-virus software would apply to all personal computer users, but a standard requiring the use of public key digital certificates could be directed only at staff who conduct organizational business over the Internet.
Policies are distinct from, and at a considerably higher level than, procedures, sometimes called SharePoint standard operating procedures (SSOP). Procedures are specific operational steps or methods that workers must employ to achieve a certain goal. A policy statement describes only the general means for addressing a specific problem. Policies should not become detailed or lengthy; otherwise a policy turns into a procedure, or becomes too intermingled with procedures. For instance, in many information technology departments there are specific procedures for performing back-ups of server hard drives. In this example, a policy could describe the need for back-ups, for off-site storage, and for safeguarding the back-up media (using encryption, physical security, etc.). A standard could define the software to be used to perform back-ups and how to configure this software. A procedure could describe how to use the back-up software, the timing for making back-ups, and other ways that humans interact with the back-up system (how to get approvals from management, how to transfer the storage media to a transportation company, etc.).
One of the common problems observed in policy development and review involves the combination of policies, standards, and procedures in a single document. When it comes time to update the document, the process is needlessly time-consuming and confusing. This is because the three different types of documents all have different levels of detail and focus on different things.
The combination of policies, standards, and procedures in a single document is also not recommended because it can make the location of relevant information much more difficult for the reader. This combination approach also is inefficient in terms of distribution because a lot of irrelevant information is sent to people who really don’t need it. To simplify document maintenance, usage, and cross-referencing, be sure to use separate documents for policies, standards, and procedures.
Policies are also different from controls (also known as countermeasures, security measures, and safeguards). A control is a device or a mechanism used to regulate or guide the operation of a machine, apparatus, or system. An example of a control would be encryption of sensitive data stored on floppy disks. In many cases, policies provide broad objectives that are met with controls. For instance, a policy prohibiting actual or apparent conflicts of interest could be partially met via a control requiring employees to sign a statement indicating they have read the code of conduct and agree to comply. Likewise, in many instances, control measures are dictated directly by policy. For example, a requirement to sign a statement of compliance with a code of conduct might itself be a policy.
In general, policies state the areas on which management attention should focus. For example, a policy might dictate that all software be fully tested before being used for production processing. Management, in most instances, will need to make a number of decisions about controls in order to meet the requirements of a policy. For example, the control measures in support of this testing policy could include software change control systems, a standard development process methodology, documentation standards, and a set of standard testing procedures. The policy may be deliberately vague about the control measures to be used so that management retains the latitude to change controls as evolving technology and business conditions dictate.