SharePoint Backup/DRP Policy Template

Introduction – SharePoint Backup/DRP Policy SharePoint backups are a business requirement to enable the recovery of SharePoint data and applications in the case of events such as natural disasters, system disk drive failures, espionage, data entry errors, or system operations errors.
Purpose The purpose of the [Organization] SharePoint Backup/DRP Policy is to establish the rules for the backup and storage of electronic [Organization] information.
Audience The [Organization] Backup/DRP Policy Policy applies to all individuals that are responsible for the installation of new SharePoint property, the operations of existing SharePoint property, and individuals charged with SharePoint security.
SharePoint Backup/DRP Policy
  • The frequency and extent of SharePoint backups must be in accordance with the importance of the information and the acceptable risk as determined by the data owner.
  • The [Organization] SharePoint backup and recovery process for SharePoint must be documented and periodically reviewed.
  • The vendor(s) providing offsite SharePoint backup storage for [Organization] must be cleared to handle the highest level of information stored.
  • Physical access controls implemented at offsite backup storage locations must meet or exceed the physical access controls of the source systems. Additionally backup media must be protected in accordance with the highest [Organization] sensitivity level of information stored.
  • A process must be implemented to verify the success of the [Organization] SharePoint backup.
  • Backups must be periodically tested to ensure that they are recoverable.
  • Signature cards held by the offsite backup storage vendor(s) for access to [Organization] backup media must be reviewed annually or when an authorized individual leaves [Organization].
  • Procedures between [Organization] and the offsite SharePoint backup storage vendor(s) must be reviewed at least annually.
  • Backup tapes must have at a minimum the following identifying criteria that can be readily identified by labels and/or a bar-coding system:

1. System name

2. Creation Date

3. Sensitivity Classification [Based on applicable electronic record retention regulations.]

4. [Organization] Contact Information

SharePoint Backup/DRP Policy Supporting Information
  • Any data housed within SharePoint must be kept confidential and secure by the respectful [Organization] SharePoint user. The fact that the business data may be stored electronically (i.e. document library or SharePoint list) does not change the requirement to keep the information confidential and secure. The type of information or the information itself is the basis for determining whether the data must be kept confidential and secure. Furthermore if this data is stored in a paper or electronic format, or if the data is copied, printed, or electronically transmitted the data must still be protected as confidential and secured.
  • On termination of the relationship with the Sharepoint user all security policies for [Organization] apply and remain in force surviving the terminated relationship.
  • The department which requests and authorizes a SharePoint application (the site / application owner) must take the appropriate steps to ensure the integrity and security of all SharePoint Web Parts and application logic, as well as data files created by, or acquired for, SharePoint applications. To ensure a proper segregation of duties, owner responsibilities cannot be delegated to the SharePoint server custodian.
  • The integrity of [Organization] SharePoint software, utilities, operating systems, networks, and respective data files are the responsibility of the server custodian department. Data for test and research purposes must be de-personalized prior to release to testers unless each individual involved in the testing has authorized access to the SharePoint data.
  • [Organization] server custodian departments must provide adequate access controls in order to monitor SharePoint systems to protect business data and associated programs from misuse in accordance with the needs defined by owner departments. All SharePoint access must be properly documented, authorized and controlled, following [Organization] standardized processes.
  • All [Organization] departments must carefully assess the risk of unauthorized alteration, unauthorized disclosure, or loss of the data within the [Organization] SharePoint environment for which they are responsible and ensure, through the use of monitoring mechanisms such that [Organization] is protected from damage, monetary or otherwise. SharePoint owners and server custodian departments must have appropriate backup and contingency plans for disaster recovery based on risk assessment and business requirements.
  • All SharePoint contracts, leases, licenses, consulting arrangements or other agreements must be authorized and signed by an authorized [Organization] officer and must contain terms approved as to form by the Legal Department, advising vendors of [Organization] ‘s retained proprietary rights and acquired rights with respect to its information systems, programs, and data requirements for SharePoint security, including SQL data maintenance and return.
  • [Organization] SharePoint implementation(s) and/or associated equipment used for [Organization] SharePoint implementations that are conducted and managed outside of [Organization] control must meet contractual requirements and be subject to monitoring by appropriate SharePoint administrators as well as other parties.
Disciplinary Actions Violation of this policy may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of [Organization] SharePoint access privileges, civil, and criminal prosecution.
Compliance / Regulation Contributed to by this Policy
  • Copyright Act of 1976
  • Foreign Corrupt Practices Act of 1977
  • Computer Fraud and Abuse Act of 1986
  • Computer Security Act of 1987
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

SharePoint Security Policy Checklist

Introduction – SharePoint Security Policy Checklist

The SharePoint Server Security Policy Checklist provides a concise view of the state of [Organization]  security policy development and implementation for an organization.

Required Policies

The SharePoint Server Security Policy Checklist indicates which policies are required by default by [Organization]  and which policies are optional based on the SharePoint resources used by an organization. For required policies indicate yes in each column where the column heading indicates a true statement and a targeted completion date in each column where the column heading indicates a condition that has not yet been met.

Optional Policies

This portion of the SharePoint Server Security Policy Checklist is for those policy areas that may be required depending on the SharePoint resources in use for [Organization] . For these policies examine the requirements statement associated with the policy. If the policy is required based on the requirements statement, complete the remaining columns as indicated above. If the policy is not required based on the requirements statement simply mark the Required column no.

Analysis Matrix

The Analysis Matrix .is provided as a tool to assist with the completion of the SharePoint Server Security Policy Checklist.
This matrix describes security elements, gives an industry best practice of the intent of the security element, indicates where the policy for a security element is most likely to be documented, and provides locations to document dates and plans.


Policy Checklist Required Published Approved Adopted Communicated Revised
Acceptable Use Yes          
Account Management Yes          
Admin/Special Access Yes          
Change Management Yes          
Disaster Recovery Yes          
Incident Management Yes          
Password Yes          
Physical Security Yes          
Privacy Yes          
Security Training Yes          
Software Licensing Yes          
Virus Protection Yes          
Intrusion Detection· Required for networked environments.            
Portable Computing· Required for organizations supporting laptops, PDA, or other portable devices.            
Security Monitoring· Required for networked environments.            
Server Hardening· Required for environments with servers.            
System Development· Required for environments where software is developed            
Vendor Access· Required for environments where access to or from entities external to organization is required. Outsourced maintenance, management, and network services must be considered.            


Analysis MatrixSecurity Element Industry Best Practice Location Last Revision Date Implementation
Policy Development and Evaluation Process Documented development process for the continual updating and review of security policies and procedures and compliance. Includes process for the continuous review and measurement of policy effectiveness.      
Ethics Policy Documented high-level statement of ethics standards.      
Security Policies        
Acceptable Use Documentation presenting general guidelines defining scope, behavior, and practices for uses; monitoring of compliance; and polices pertaining to special access users. Acceptable Use Policy    
Account Management Documentation requiring standards and procedures for the creation, distribution, revocation of user accounts. Account Management Policy    
Proprietary Information Documentation establishing responsibility and appropriate measures for protecting proprietary information from disclosure or modification.      
E-Mail Access and Use Documentation presenting general guidelines defining scope, behavior, and practices for uses; monitoring of compliance; and polices pertaining to special access users. Acceptable Use Policy    
Escalation ProceduresIncident Reporting

Incident Handling

Incident Investigation

Response plan for handling and resolving security incidents. Incident Management Policy    
Internet Access Documentation presenting general guidelines defining scope, behavior, and practices for uses; monitoring of compliance; and polices pertaining to special access users. Acceptable Use Policy    
Portable Computing Policy Documentation presenting general guidelines defining scope, behavior, and practices for uses; monitoring of compliance; and polices pertaining to special access users.      
Passwords Documentation requiring standards and procedures for the composition, creation, distribution, use, and revocation of passwords. Password Policy    
Privacy Documentation establishing responsibility and appropriate measures for protecting private and personally identifying information. Minimum efforts may be required by legislation. Privacy Policy    
Security Training Awareness and training program in information security and the protection of information resources for personnel who come in contact with sensitive resources. Security Training Policy    
Software Licensing Documentation establishing responsibility and appropriate compliance measures.      
Voice Mail Access and Use Documentation presenting general guidelines defining scope, behavior, and practices for uses; monitoring of compliance; and polices pertaining to special access users. Acceptable Use PolicySpecial Access Policy    
Physical Security        
Basic Physical Security Controlled building access, mandatory access controls for information systems; policy for use of controls and penalties for non-compliance. Physical Security Policy    
Natural Disasters Documented plan for the recovery of critical business functions in the case of flood, fire, loss of environmental controls, or power loss. Backup/Disaster Recovery Policy    
Data Access        
Data Classification Documentation policies and procedures for the classification, identification, and handling of sensitive information.      
Data Retention Documented policies and procedures for the archival and retention of sensitive data.      
Disposal of Sensitive Data Documented policies and procedures for the destruction of media containing sensitive data.      
Integrity and Confidentiality Controls for the assurance of data integrity, including those that pertain to confidentiality and privacy compliance policy. Vendor Access PolicySecurity Monitoring Policy

Virus Protection Policy

System Security ToolsIntrusion Detection

Security Monitoring

Virus Detection

The use of audit controls and tools to periodically review security compliance. Security Monitoring PolicyIntrusion Detection Policy    
Systems Development        
Development Procedures Documented policies and procedures governing acceptable standards of testing and documentation, as well as those for the lifecycle that places a system into production. System Development Policy    
Systems Administration        
Responsibilities and Roles Documented policies that define the roles and responsibilities of system administrators and their relation to the computer systems and network infrastructure in their care.      
Contingency Planning        
Contingency Planning Documentation establishing responsibility for policies and procedures and mechanisms for the creation, testing, and revision of contingency plans for business critical systems. Backup/Disaster Recovery Policy    
Backup Policies and procedures and mechanisms for the archival, retention, and recovery of data. Periodic testing of recovery schemes. Backup/Disaster Recovery Policy    
Off-Site Backup Copies of backup media and logs are stored off-site in a secured facility on a regular basis. Policies and procedures exist governing the transfer and handling of media. Backup/Disaster Recovery Policy    
Equipment Computer equipment is maintained in accordance with manufacturer’s recommendations. Records of faults or suspected faults are maintained. Critical systems are under maintenance contract in proportion to their significance. Server Hardening Policy    
Software Policies and procedures for the monitoring of patch and vulnerability information sources, their review, remediation, and the creation of new baseline information for updated systems. Change Management PolicyServer Hardening Policy    

SharePoint Security Policy Inventory

SharePoint Security Policies are management instructions indicating a course of action, a guiding principle, or an appropriate procedure that is expedient, prudent, or advantageous. Policies are high-level statements that provide guidance to workers who must make present and future decisions. It would also be correct to say that these SharePoint policies are generalized requirements that must be written down and communicated to certain groups of people inside, and in some cases, outside, the organization. Although SharePoint security policies vary considerably by organization, they typically include general statements of goals, objectives, beliefs, ethics, controls, and worker responsibilities.

Policies are higher-level requirement statements than standards, although both types of management instructions require compliance. Policies provide general instructions, while standards provide specific technical requirements. SharePoint standards cover details such as systems design concepts, implementation steps, software interface mechanisms, software algorithms, and other specifics. Standards provide a measure for comparison in quantitative or qualitative terms. Standards would, for example, define the number of secret key bits required in an encryption algorithm. Policies, on the other hand, would simply define the need to use an approved encryption process when sensitive information is sent over public networks such as the Internet from your SharePoint environment.

Standards will need to be changed considerably more often than policies because the manual procedures, organizational structures, business processes, and information systems technologies mentioned in standards change so rapidly. This is in contrast to policies, which are intended to last for many years.

Policies are generally aimed at a wider audience than standards. For example, a policy requiring the use of computer virus packages would apply to all personal computer users, but a standard requiring the use of public key digital certificates could be directed only at staff that conducts organizational business over the Internet.

Policies are distinct from, and at a considerably higher-level than procedures, sometimes called SharePoint standard operating procedures (SSOP). Procedures are specific operational steps or methods that workers must employ to achieve a certain goal. A policy statement describes only the general means for addressing a specific problem. Policies should not become detailed or lengthy, otherwise, it becomes a procedure or can become too intermingled with procedures. For instance, in many information technology departments there are specific procedures for performing back-ups of server hard drives. In this example, a policy could describe the need for back-ups, for storage off-site, and for safeguarding the back-up media (using encryption, physical security, etc.). A standard could define the software to be used to perform back-ups and how to configure this software. A procedure could describe how to use the back-up software, the timing for making back-ups, and other ways that humans interact with the back-up system (how to get approvals by management, how to transfer the storage media to a transportation company, etc.).

One of the common problems observed in policy development and review involves the combination of policies, standards, and procedures in a single document. When it comes time to update the document, the process is needlessly time-consuming and confusing. This is because the three different types of documents all have different levels of detail and focus on different things.

The combination of policies, standards, and procedures in a single document is also not recommended because it can make the location of relevant information much more difficult for the reader. This combination approach also is inefficient in terms of distribution because a lot of irrelevant information is sent to people who really don’t need it. To simplify document maintenance, usage, and cross-referencing, be sure to use separate documents for policies, standards, and procedures.

Policies are also different from controls (also known as countermeasures, security measures, and safeguards). A control is a device or a mechanism used to regulate or guide the operation of a machine, apparatus, or system. An example of a control would be encryption of sensitive data stored on floppy disks. In many cases, policies provide broad objectives that are met with controls. For instance, a policy prohibiting actual or apparent conflicts of interest could be partially met via a control requiring employees to sign a statement indicating they have read the code of conduct and agree to comply. Likewise, in many instances, control measures are dictated directly by policy. For example, a requirement to sign a statement of compliance with a code of conduct might itself be a policy.

In general, policies state the areas on which management attention should focus. For example, a policy might dictate that all software be fully tested before being used for production processing. Management, in most instances, will need to make a number of decisions about controls in order to meet the requirements of a policy. For example, the control measures in support of this testing policy could include software change control systems, a standard development process methodology, documentation standards, and a set of standard testing procedures. The policy may be deliberately vague about the control measures to be used so that management retains the latitude to change controls as evolving technology and business conditions dictate.