Security Management and Risk Management in SharePoint

Security management, or security governance, is a practice tailored to protect a company's assets. The practice of security management is built upon the CIA triad, which is discussed more exhaustively in other sections. One of the largest practices that occurs when defining security governance within a SharePoint environment is risk management. Risk management identifies an organization's set of assets, defines and discovers the risks that may afflict those assets, and produces an estimate of the operational cost that may be incurred if damage or loss occurs. Once the risk policies are defined for the SharePoint environment, it is then possible to generate relevant security policies that will in turn protect the organizational SharePoint assets.

Three Controls That Build SharePoint Security Management

There are five major concepts that build up the practice of security management and help to protect an arbitrary company. Controls, in general, are simply meant to manage organizational security. There are five major control measures (also known as types) that build up the concept of a security environment: administrative controls (type 1), preventive controls (type 2), detective controls (type 3), corrective controls (type 4), and recovery controls (type 5). Preventive controls are further broken down into three sub-control measures: administrative controls, technical controls, and physical controls.

Administrative Controls Type 2 Preventive Sub-control

Administrative controls provide the basis for executive and managerial directives. Administrative controls define the publication of such things as security policies, procedures, standards, system activity monitoring, change control, and security awareness training. Administrative controls also cover screening employees and other parties that may be involved with the organization, as well as implementing the administrative systems that will proactively monitor the SharePoint environment.

There are several examples of SharePoint security policies provided throughout the site. A security policy is simply a control that is implemented in order to procure a plan for how SharePoint security should be implemented throughout an organization. The security policy provides a high-level overview of the actions that should be taken, which actions are considered acceptable, and what level of risk an organization is willing to take in its SharePoint environment.

Administrative controls also include personnel controls, which define how employees should interact with relevant security systems. The two largest concepts in personnel controls are separation of duties and rotation of duties within an arbitrary SharePoint environment. Separation of duties simply means that no one person is responsible for the critical tasks that may affect a SharePoint environment. Rotation of duties simply ensures that more than one organizational employee can execute critical tasks that may afflict SharePoint.

In relation to the concept of personnel, there is also the notion of training. Security training is an administrative control that ensures that personnel are aware of threats to collaborative technology and the appropriate actions that should be taken in order to properly mitigate those threats. Ensuring that users are trained leads to the concept of supervisory structure, whereby supervisors should always take an interest in the security awareness of users, therefore instigating a vested interest in heightening security awareness. Supervisors should also be responsible for ensuring that all security mechanisms and users are security trained. Users, at all times, should be trained in order to support the organizational global security policy, security goals, and overall security objectives set in order to procure the most secure collaboration environment.

Technical Controls Type 2 Preventive Sub-control

Technical controls within a SharePoint environment include a variety of mechanisms:

  • Security Devices
  • Authentication Controls
  • Configuration of SharePoint and related Network Devices
  • Identification Controls
  • Password Management
  • Resources Management
  • Access Control Mechanisms

Security devices and network architecture are the backbone of protection within a networked computing environment. The network architecture can be something as simple as a wall promoting segregation between two segments and the location of network devices. The separation doesn't have to be physical, either; it can be achieved through VLANs and different filtering devices. The network access mechanisms can in turn provide control over which network systems can be accessed, as well as which actions an individual can take on a particular network segment. Security devices can also provide encryption in order to protect the relevant information as it is sent across a pipe (untrusted medium). For tracking such activity (as information is sent across the medium), there are audit controls, which are meant to target and record traffic activity as it occurs through a segment.

Physical Controls Type 2 Preventive Sub-control

Physical controls are a relatively broad concept, and encompass such things as:

  • Access to a building or facility
  • Locking systems on physical devices
  • Removing and wiping unused electronic mediums

Physical controls are mainly targeted at controlling the overall environment where you are housing SharePoint, but they also promote control of the perimeter and monitor for physical intrusion that might compromise a SharePoint environment.

The largest portion of physical security is the concept of perimeter security, meaning that it encompasses securing the actual outside of the building. This can be pretty much anything, like badges, surveillance through cameras, parking lot walking guards, motion detectors, alarms, etc.

Physical security also includes physically securing both the network and the personal computing architecture. Personal computer controls are simply devices that exist in order to protect the actual computer from improper access. This can be a lock on a laptop, or the removal of unused drives. Network physical security means that your SharePoint servers have the necessary security precautions such that only authorized personnel are allowed access to relevant devices. This can also involve securing the physical transmission medium, such as the cabling architecture, since it is feasible for someone to tap into the physical line to enable cross talk, or to sniff the various conversations that may occur.

SharePoint Virus Detection Policy Template

This file was edited for correctness by Edgardo Gonzalez of PRSL.

Introduction – SharePoint Virus Policy Template
The number of SharePoint security incidents and the resulting cost of business disruption and service restoration continue to escalate. Implementing solid SharePoint security policies, blocking unnecessary access to networks and computers, improving user security awareness, and early detection and mitigation of security incidents are some of the actions that can be taken to reduce the risk and drive down the cost of SharePoint security incidents.
Purpose
The purpose of the [Organization] SharePoint Virus Policy is to describe the requirements for dealing with computer virus, worm and Trojan Horse prevention, detection and cleanup.
Audience
The [Organization] SharePoint Virus Policy applies equally to all individuals who use any [Organization] SharePoint resource.
SharePoint Virus Policy Definitions
  • Virus: A program that attaches itself to an executable file or vulnerable application and delivers a payload that ranges from annoying to extremely destructive. A file virus executes when an infected file is accessed. A macro virus infects the executable code embedded in Microsoft Office programs that allows users to generate macros.
  • Trojan Horse: Destructive programs, usually viruses or worms, that are hidden in an attractive or innocent-looking piece of software, such as a game or graphics program. Victims may receive a Trojan horse program by e-mail or on a diskette, often from another unknowing victim, or may be urged to download a file from a Web site or bulletin board.
  • Worm: A program that makes copies of itself elsewhere in a computing system. These copies may be created on the same computer or may be sent over networks to other computers. The first use of the term described a program that copied itself benignly around a network, using otherwise-unused resources on networked machines to perform distributed computation. Some worms are security threats, using networks to spread themselves against the wishes of the system owners and disrupting networks by overloading them. A worm is similar to a virus in that it makes copies of itself, but different in that it need not attach to particular files or sectors at all.
SharePoint Virus Policy
  • All workstations whether connected to the [Organization] SharePoint network, or standalone, must use the [Organization] approved virus protection software and configuration.
  • The virus protection software must not be disabled or bypassed.
  • The settings for the virus protection software must not be altered in a manner that will reduce the effectiveness of the software.
  • The automatic update frequency of the virus protection software must not be altered to reduce the frequency of updates.
  • Each file server attached to the [Organization] network must utilize [Organization] approved virus protection software and setup to detect and clean viruses that may infect file shares. It must be appropriately audited to ensure that viruses have no means to channel into SharePoint.
  • Each Exchange gateway must utilize [Organization] approved e-mail virus protection software and must adhere to the IS rules for the setup and use of this software.
  • Every virus that is not automatically cleaned by the virus protection software constitutes a security incident and must be reported to the [Organization] Help Desk.
SharePoint Portal Password Policy Supporting Information
  • Any and all [Organization] SharePoint security controls must not be bypassed or disabled.
  • All [Organization] SharePoint users are responsible for managing their use of SharePoint and are accountable for their actions relating to SharePoint security. Users are also equally responsible for reporting any suspected or confirmed violations of this policy to the appropriate management responsible for SharePoint security incident handling.
  • The use of SharePoint must be for officially authorized business purposes only. There is no guarantee of personal privacy or access to tools such as, but not limited to: SharePoint areas, WSS team sites, any and all collaboration and communication functionality, and any sister server integrations (i.e. integrated Microsoft Exchange environments). The use of SharePoint and SharePoint related tools may be monitored to fulfill complaint or investigation requirements, including forensic analysis into IDS or other security systems. Departments responsible for custody and operations of the SharePoint servers (custodian departments) shall be responsible for proper authorization of SharePoint server utilization, the establishment of effective use, and reporting of performance to management.
  • Any data housed within SharePoint must be kept confidential and secure by the respective [Organization] SharePoint user. The fact that the business data may be stored electronically (i.e. document library or SharePoint list) does not change the requirement to keep the information confidential and secure. The type of information or the information itself is the basis for determining whether the data must be kept confidential and secure. Furthermore, if this data is stored in a paper or electronic format, or if the data is copied, printed, or electronically transmitted, the data must still be protected as confidential and secured.
  • [Organization] server custodian departments must provide adequate access controls in order to monitor SharePoint systems to protect business data and associated programs from misuse in accordance with the needs defined by owner departments. All SharePoint access must be properly documented, authorized and controlled, following [Organization] standardized processes.
  • All commercial SharePoint software used in [Organization]’s SharePoint environment (i.e. Web Parts) must be supported by a software license agreement that specifically describes the usage rights and restrictions of the product. SharePoint users must abide by all license agreements and must not illegally copy licensed software. [Organization] reserves the right to remove any unlicensed software from the SharePoint environment.
  • [Organization] reserves the right to remove any non-business related SharePoint software or files from the SharePoint environment.
Disciplinary Actions
Violation of this policy may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of [Organization] SharePoint access privileges, civil, and criminal prosecution.
Compliance / Regulation Contributed to by this Policy
  • Copyright Act of 1976
  • Foreign Corrupt Practices Act of 1977
  • Computer Fraud and Abuse Act of 1986
  • Computer Security Act of 1987
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
SharePoint Incident Management Policy Template

Introduction – SharePoint Incident Management Policy
The number of SharePoint security incidents and the resulting cost of business disruption and service restoration continue to escalate. Implementing solid SharePoint security policies, blocking unnecessary access to networks and computers, improving [Organization] user security awareness, and early detection and mitigation of security incidents are some of the actions that can be taken to reduce the risk and drive down the cost of security incidents.
Purpose
This [Organization] SharePoint Incident Management Policy describes the requirements for dealing with SharePoint security incidents. SharePoint security incidents include, but are not limited to: virus, worm, and Trojan horse detection, unauthorized use of computer accounts and SharePoint systems, as well as complaints of improper use of SharePoint resources.
Audience
The [Organization] SharePoint Incident Management Policy applies equally to all individuals that use any [Organization] SharePoint resources.
SharePoint Incident Management Policy
  • [Organization] [every organization should have a committee to handle security incidents, enter that name here] members have pre-defined roles and responsibilities which can take priority over normal duties.
  • Whenever a SharePoint security incident, such as a virus, worm, hoax email, discovery of hacking tools, altered data, etc., is suspected or confirmed, the appropriate, documented SharePoint incident management procedures must be followed.
  • The [Organization] SharePoint administrator and user community is responsible for notifying the [SharePoint Portal Owning Organization / Incident Handling Unit labeled above], which initiates the appropriate incident management action, including restoration, as defined by [SharePoint Portal Owning Organization / Incident Handling Unit labeled above].
  • The [SharePoint Portal Owning Organization / Incident Handling Unit labeled above] is responsible for determining the physical and electronic evidence to be gathered as part of the Incident Investigation. This can involve the investigation of several servers, including the ISA or other machines in between the client and afflicted system.
  • The appropriate SharePoint and Systems Technical Resources from the [SharePoint Portal Owning Organization / Incident Handling Unit labeled above] are responsible for monitoring that any damage from a security incident is repaired or mitigated and that the vulnerability is eliminated or minimized where possible.
  • The [SharePoint Portal Owning Organization / Incident Handling Unit labeled above] will determine if a widespread [Organization] communication is required, the content of the communication, and how best to distribute the communication.
  • The appropriate technical resources from the [SharePoint Portal Owning Organization / Incident Handling Unit labeled above] are responsible for communicating new issues or vulnerabilities to Microsoft (SharePoint vendor) and working with the vendor to eliminate or mitigate the vulnerability.
  • The [SharePoint Portal Owning Organization / Incident Handling Unit labeled above] is responsible for initiating, completing, and documenting the incident investigation.
  • The ISO is responsible for coordinating communications with outside organizations and law enforcement.
  • In the case where law enforcement is not involved, the [SharePoint Portal Owning Organization / Incident Handling Unit labeled above] will recommend disciplinary actions.
  • In the case where law enforcement is involved, the [SharePoint Portal Owning Organization / Incident Handling Unit labeled above] will act as the liaison between law enforcement and [Organization].
SharePoint Incident Management Policy Supporting Information
  • All [Organization] SharePoint users are responsible for managing their use of SharePoint and are accountable for their actions relating to SharePoint security. Users are also equally responsible for reporting any suspected or confirmed violations of this policy to the appropriate management responsible for SharePoint security incident handling.
  • The use of SharePoint must be for officially authorized business purposes only. There is no guarantee of personal privacy or access to tools such as, but not limited to: SharePoint areas, WSS team sites, any and all collaboration and communication functionality, and any sister server integrations (i.e. integrated Microsoft Exchange environments). The use of SharePoint and SharePoint related tools may be monitored to fulfill complaint or investigation requirements, including forensic analysis into IDS or other security systems. Departments responsible for custody and operations of the SharePoint servers (custodian departments) shall be responsible for proper authorization of SharePoint server utilization, the establishment of effective use, and reporting of performance to management.
  • Any data housed within SharePoint must be kept confidential and secure by the respective [Organization] SharePoint user. The fact that the business data may be stored electronically (i.e. document library or SharePoint list) does not change the requirement to keep the information confidential and secure. The type of information or the information itself is the basis for determining whether the data must be kept confidential and secure. Furthermore, if this data is stored in a paper or electronic format, or if the data is copied, printed, or electronically transmitted, the data must still be protected as confidential and secured.
  • [Organization] server custodian departments must provide adequate access controls in order to monitor SharePoint systems to protect business data and associated programs from misuse in accordance with the needs defined by owner departments. All SharePoint access must be properly documented, authorized and controlled, following [Organization] standardized processes.
  • All commercial SharePoint software used in [Organization]’s SharePoint environment (i.e. Web Parts) must be supported by a software license agreement that specifically describes the usage rights and restrictions of the product. SharePoint users must abide by all license agreements and must not illegally copy licensed software. [Organization] reserves the right to remove any unlicensed software from the SharePoint environment.
  • [Organization] reserves the right to remove any non-business related SharePoint software or files from the SharePoint environment.
Disciplinary Actions
Violation of this policy may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of [Organization] SharePoint access privileges, civil, and criminal prosecution.
Compliance / Regulation Contributed to by this Policy
  • Copyright Act of 1976
  • Foreign Corrupt Practices Act of 1977
  • Computer Fraud and Abuse Act of 1986
  • Computer Security Act of 1987
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA)