SharePoint Incident Management Policy Template

Introduction – SharePoint Incident Management Policy
The number of SharePoint security incidents, and the resulting cost of business disruption and service restoration, continue to escalate. Implementing solid SharePoint security policies, blocking unnecessary access to networks and computers, improving [Organization] user security awareness, and early detection and mitigation of security incidents are some of the actions that can be taken to reduce the risk and drive down the cost of security incidents.
Purpose
This [Organization] SharePoint Incident Management Policy describes the requirements for dealing with SharePoint security incidents. SharePoint security incidents include, but are not limited to: virus, worm, and Trojan horse detection; unauthorized use of computer accounts and SharePoint systems; and complaints of improper use of SharePoint resources.
Audience
The [Organization] SharePoint Incident Management Policy applies equally to all individuals who use any [Organization] SharePoint resources.
SharePoint Incident Management Policy
  • [Organization] [every organization should have a committee to handle security incidents, enter that name here] members have pre-defined roles and responsibilities which can take priority over normal duties.
  • Whenever a SharePoint security incident (such as a virus, worm, hoax email, discovery of hacking tools, or altered data) is suspected or confirmed, the appropriate documented SharePoint incident management procedures must be followed.
  • The [Organization] SharePoint administrators and user community are responsible for notifying the [SharePoint Portal Owning Organization / Incident Handling Unit labeled above], which initiates the appropriate incident management action, including restoration as defined by the [SharePoint Portal Owning Organization / Incident Handling Unit labeled above].
  • The [SharePoint Portal Owning Organization / Incident Handling Unit labeled above] is responsible for determining the physical and electronic evidence to be gathered as part of the incident investigation. This can involve the investigation of several servers, including the ISA Server or other machines in the path between the client and the affected system.
  • The appropriate SharePoint and systems technical resources from the [SharePoint Portal Owning Organization / Incident Handling Unit labeled above] are responsible for ensuring that any damage from a security incident is repaired or mitigated and that the exploited vulnerability is eliminated or, where that is not possible, minimized.
  • The [SharePoint Portal Owning Organization / Incident Handling Unit labeled above] will determine if a widespread [Organization] communication is required, the content of the communication, and how best to distribute the communication.
  • The appropriate technical resources from the [SharePoint Portal Owning Organization / Incident Handling Unit labeled above] are responsible for communicating new issues or vulnerabilities to Microsoft (the SharePoint vendor) and working with the vendor to eliminate or mitigate the vulnerability.
  • The [SharePoint Portal Owning Organization / Incident Handling Unit labeled above] is responsible for initiating, completing, and documenting the incident investigation.
  • The [Organization] Information Security Officer (ISO) is responsible for coordinating communications with outside organizations and law enforcement.
  • In the case where law enforcement is not involved, the [SharePoint Portal Owning Organization / Incident Handling Unit labeled above] will recommend disciplinary actions.
  • In the case where law enforcement is involved, the [SharePoint Portal Owning Organization / Incident Handling Unit labeled above] will act as the liaison between law enforcement and [Organization].
SharePoint Incident Management Policy Supporting Information
  • All [Organization] SharePoint users are responsible for managing their use of SharePoint and are accountable for their actions relating to SharePoint security. Users are also equally responsible for reporting any suspected or confirmed violations of this policy to the appropriate management responsible for SharePoint security incident handling.
  • The use of SharePoint must be for officially authorized business purposes only. There is no guarantee of personal privacy in, or of access to, tools such as, but not limited to, SharePoint areas, WSS team sites, any and all collaboration and communication functionality, and any sister server integrations (e.g. integrated Microsoft Exchange environments). The use of SharePoint and SharePoint-related tools may be monitored to fulfill complaint or investigation requirements, including forensic analysis of IDS or other security system data. Departments responsible for custody and operation of the SharePoint servers (custodian departments) shall be responsible for proper authorization of SharePoint server utilization, the establishment of effective use, and reporting of performance to management.
  • Any data housed within SharePoint must be kept confidential and secure by the respective [Organization] SharePoint user. The fact that business data may be stored electronically (e.g. in a document library or SharePoint list) does not change the requirement to keep the information confidential and secure. The type of information, or the information itself, is the basis for determining whether the data must be kept confidential and secure. Furthermore, whether the data is stored in paper or electronic form, and whenever it is copied, printed, or electronically transmitted, it must still be protected as confidential and secured.
  • [Organization] server custodian departments must provide adequate access controls and monitoring of SharePoint systems to protect business data and associated programs from misuse, in accordance with the needs defined by owner departments. All SharePoint access must be properly documented, authorized, and controlled, following [Organization] standardized processes.
  • All commercial SharePoint software used in [Organization]’s SharePoint environment (e.g. Web Parts) must be supported by a software license agreement that specifically describes the usage rights and restrictions of the product. SharePoint users must abide by all license agreements and must not illegally copy licensed software. [Organization] reserves the right to remove any unlicensed software from the SharePoint environment.
  • [Organization] reserves the right to remove any non-business related SharePoint software or files from the SharePoint environment.
Disciplinary Actions
Violation of this policy may result in disciplinary action, which may include termination for employees and temporaries; termination of the employment relationship in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of [Organization] SharePoint access privileges and to civil and criminal prosecution.
Compliance / Regulation Contributed to by this Policy
  • Copyright Act of 1976
  • Foreign Corrupt Practices Act of 1977
  • Computer Fraud and Abuse Act of 1986
  • Computer Security Act of 1987
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

SharePoint Password Policy Template

Introduction – SharePoint Portal Password Policy
SharePoint user authentication is a means to control who has access to the SharePoint environment. SharePoint access gained by an unauthorized entity can cause loss of information confidentiality, integrity, and availability that may result in loss of revenue, liability, loss of trust, or embarrassment to [Organization].
Purpose
The purpose of the [Organization] SharePoint Password Policy is to establish the rules for the creation, distribution, safeguarding, termination, and reclamation of the [Organization] user authentication mechanisms.
Audience
The [Organization] SharePoint Password Policy applies equally to all individuals who use any [Organization] SharePoint resource.
SharePoint Portal Password Policy
All SharePoint user passwords, including initial passwords, must be constructed and implemented according to the following [Organization] rules:

  • it must be routinely changed
  • it must adhere to a minimum length as established by [Organization]
  • it must be a combination of alphabetic and numeric characters
  • it must not be anything that can easily be tied back to the account owner, such as: user name, social security number, nickname, relatives’ names, birth date, etc.
  • it must not be a dictionary word or an acronym
  • password history must be kept to prevent the reuse of a password
  • stored passwords must never be kept in the clear: user passwords must be stored only in hashed form, never in a recoverable form, and the credentials held in the SharePoint SSO database (which must be recoverable in order to be replayed to target applications) must be kept encrypted to [Organization] encryption standards
  • SharePoint user account passwords must not be divulged to anyone
  • [SharePoint Portal Owning Organization] contractors will not ask for user account passwords

Security tokens (e.g. smartcards) must be returned on demand or upon termination of the relationship with [Organization].

If the security of a password is in doubt, the password must be changed immediately.

Administrators must not circumvent the Password Policy for the sake of ease of use.

Users must not circumvent SharePoint password entry with auto logon, application "remember password" features, embedded scripts, or hardcoded passwords in client software. Exceptions may be made for specific SharePoint applications (such as automated backup or SSO) with the approval of [Organization]. In order for an exception to be approved, there must be a procedure to change the passwords.

Devices with SharePoint access must not be left unattended without enabling a password-protected screensaver or logging off the device.

SharePoint password change procedures:

  • the [Organization] help desk must authenticate the user before changing the password
  • change to a strong password
  • the user must change password at first login

In the event SharePoint passwords are found or discovered, the following steps must be taken:

  • Report the discovery to the [Organization] Help Desk
  • Take control of the passwords and protect them
  • Transfer the passwords to an authorized person as directed by the [Organization]
SharePoint Portal Password Policy
  • Passwords must be changed at least every 60 days.
  • Passwords must have a minimum length of 8 alphanumeric characters.
  • Passwords must contain a mix of upper- and lower-case characters and have at least 2 numeric characters. The numeric characters must not be at the beginning or the end of the password. Special characters should be included in the password where the computing system permits. The special characters are (!@#$%^&*_+=?/~`;:,<>|).
  • Passwords must not be easy to guess
  • Passwords must not be your employee number
  • Passwords must not be your name
  • Passwords must not be family member names
  • Passwords must not be your nickname
  • Passwords must not be your social security number
  • Passwords must not be your birthday
  • Passwords must not be your license plate number
  • Passwords must not be your pet’s name
  • Passwords must not be your address
  • Passwords must not be your phone number
  • Passwords must not be the name of your town or city
  • Passwords must not be the name of your department
  • Passwords must not be street names
  • Passwords must not be makes or models of vehicles
  • Passwords must not be slang words
  • Passwords must not be obscenities
  • Passwords must not be technical terms
  • Passwords must not be school names, school mascots, or school slogans
  • Passwords must not be any information about you that is known or is easy to learn
  • Passwords must not be any popular acronyms
  • Passwords must not be words that appear in a dictionary
  • Passwords must not be reused for a period of one year
  • Passwords must not be shared with anyone
  • Passwords must be treated as confidential information
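The composition rules above (minimum length, upper- and lower-case mix, at least two digits not at either end, optional special characters, nothing tied to the account owner, no dictionary words) can be checked mechanically before a password is set. The following PowerShell function is an added example written for this page; it is not part of the template or of SharePoint. The user attributes, the deny-list words, and the sample passwords are constructed for illustration. Note what it cannot do: the history rule needs the server-side password history, and a composition check never proves a password is not "easy to guess", so the deny-list is a floor, not a ceiling.

```powershell
# Added example, not from the template: check a candidate password against the
# composition rules in this policy. $UserAttributes and $DenyList are supplied by
# the caller (e.g. from the HR record and a word list); the values below are made up.
function Test-PolicyPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string[]]$UserAttributes = @(),   # user name, surname, employee number, ...
        [string[]]$DenyList = @()          # dictionary words, acronyms, department names, ...
    )
    $failures = @()

    # "must" rules: each one that fails makes the password non-compliant
    if ($Password.Length -lt 8)       { $failures += 'shorter than 8 characters' }
    if ($Password -cnotmatch '[A-Z]') { $failures += 'no upper-case letter' }
    if ($Password -cnotmatch '[a-z]') { $failures += 'no lower-case letter' }

    $digitCount = [regex]::Matches($Password, '\d').Count
    if ($digitCount -lt 2)            { $failures += 'fewer than 2 digits' }
    if ($Password -match '^\d|\d$')   { $failures += 'digit at the beginning or end' }

    # "should" rule: reported, but not a failure on its own
    $hasSpecial = $Password -match '[!@#$%^&*_+=?/~`;:,<>|]'

    # Nothing that can be tied back to the owner (case-insensitive substring match;
    # very short attributes are skipped to avoid matching single letters)
    foreach ($attr in $UserAttributes) {
        if ($attr.Length -ge 3 -and $Password -imatch [regex]::Escape($attr)) {
            $failures += "contains user attribute '$attr'"
        }
    }
    # No dictionary words, acronyms, department names, etc.
    foreach ($word in $DenyList) {
        if ($word.Length -ge 4 -and $Password -imatch [regex]::Escape($word)) {
            $failures += "contains deny-listed word '$word'"
        }
    }

    [pscustomobject]@{
        Password   = $Password
        Compliant  = ($failures.Count -eq 0)
        HasSpecial = [bool]$hasSpecial
        Failures   = ($failures -join '; ')
    }
}

# Constructed sample data: a hypothetical user's attributes and a tiny deny-list
$user = @('jsmith', 'Smith', '104477')
$deny = @('password', 'sharepoint', 'finance', 'welcome')

@('Summer2024', 'xK4p!m9Qz', '7Horse!run4', 'jsmith44Ab!', 'Welcome01x') |
    ForEach-Object { Test-PolicyPassword -Password $_ -UserAttributes $user -DenyList $deny } |
    Format-Table Password, Compliant, HasSpecial, Failures -AutoSize
```

With the sample data, only xK4p!m9Qz is compliant; Summer2024 and 7Horse!run4 fail the edge-digit rule, jsmith44Ab! fails because it contains the user name and surname, and Welcome01x satisfies every composition rule yet still fails on the deny-list, which is why the deny-list check belongs in the same function as the character rules.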
SharePoint Portal Password Policy Supporting Information
  • Any and all [Organization] SharePoint security controls must not be bypassed or disabled.
  • SharePoint Security awareness by [Organization] personnel must be continually emphasized, reinforced, updated and validated.
  • All [Organization] SharePoint users are responsible for managing their use of SharePoint and are accountable for their actions relating to SharePoint security. Users are also equally responsible for reporting any suspected or confirmed violations of this policy to the appropriate management responsible for SharePoint security incident handling.
  • User SharePoint account passwords shall be protected by the individual user from use by, or disclosure to, any other individual or organization. All security violations shall be reported to the management responsible for SharePoint security incident handling.
  • Access to, changes to, and use of SharePoint account management functions must be strictly secured. SharePoint information access authority for each user must be reviewed on a regular basis, as well as at each job status change, such as a transfer, promotion, demotion, or termination of service.
  • On termination of the relationship with the SharePoint user, all security policies for [Organization] apply and remain in force, surviving the terminated relationship.
  • [Organization] server custodian departments must provide adequate access controls in order to monitor SharePoint systems to protect business data and associated programs from misuse in accordance with the needs defined by owner departments. All SharePoint access must be properly documented, authorized and controlled, following [Organization] standardized processes.
Disciplinary Actions
Violation of this policy may result in disciplinary action, which may include termination for employees and temporaries; termination of the employment relationship in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of [Organization] SharePoint access privileges and to civil and criminal prosecution.
Compliance / Regulation Contributed to by this Policy
  • Copyright Act of 1976
  • Foreign Corrupt Practices Act of 1977
  • Computer Fraud and Abuse Act of 1986
  • Computer Security Act of 1987
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

SharePoint Account Management Policy Template

Introduction – SharePoint Account Management Security Policy
SharePoint accounts are the means used to grant access to [Organization]’s SharePoint Portal. These accounts provide a means of accountability, a key to security, for the use of SharePoint property. This means that creating, controlling, and monitoring all SharePoint accounts is extremely important to the overall [Organization] security program.
Purpose
The purpose of the [Organization] SharePoint Account Management Security Policy is to establish the rules for the creation, monitoring, control, and removal of SharePoint user accounts.
Audience
The [Organization] Account Management Security Policy applies equally to all individuals with authorized access to any [Organization] SharePoint and associated Information Technology property.
SharePoint Account Management Security Policy
  • All SharePoint user accounts created must have an associated request and approval that is appropriate for the [Organization] SharePoint system.
  • All SharePoint users must sign the [Organization] SharePoint Security Acknowledgement and Nondisclosure Agreement before being granted access to the SharePoint implementation.
  • All SharePoint accounts must be uniquely identifiable using the assigned user name.
  • All default SharePoint user passwords for accounts must be constructed in accordance with the [Organization] Password Policy.
  • All SharePoint user accounts must have a password expiration that complies with the [Organization] Password Policy.
  • SharePoint accounts of individuals on extended leave (more than 30 days) will be disabled.
  • All new user SharePoint accounts that have not been accessed within 30 days of creation will be disabled.

SharePoint Administrators or other designated SharePoint staff:

1. are responsible for removing the SharePoint accounts of individuals who change roles within [Organization] or are separated from their relationship with [Organization]

2. must have a documented process to modify a SharePoint user account to accommodate situations such as name changes, accounting changes and permission changes

3. must have a documented process for periodically reviewing existing SharePoint accounts for validity

4. are subject to independent audit review without prior disclosure

5. must provide a list of SharePoint accounts for the portals / sites they administer when requested by authorized [Organization] management

6. must cooperate with authorized [Organization] management investigating SharePoint security incidents
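
One way to carry out the two 30-day rules above (new accounts never used within 30 days of creation, accounts idle for more than 30 days) together with the documented periodic review is shown below. This is an added example written for this page, not part of the template or of SharePoint. It assumes on-premises SharePoint whose users are Windows accounts in Active Directory, that the RSAT ActiveDirectory PowerShell module is installed, and that a domain logon is an acceptable proxy for "accessing" SharePoint; the OU path, the CSV path, and the 30-day window are placeholders. Leave of absence is not visible in AD, so the list still has to be checked against HR records before anything is disabled.

```powershell
# Added example, not from the template: list enabled accounts in a SharePoint user OU
# that never logged on within $Days of creation or have not logged on for $Days,
# record the list for the periodic review, then disable them after review.
# Assumes AD-backed (Windows) SharePoint accounts and the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-StaleSharePointAccounts {
    param(
        [string]$SearchBase = 'OU=SharePointUsers,DC=example,DC=org',  # assumed OU
        [int]$Days = 30
    )
    $cutoff = (Get-Date).AddDays(-$Days)

    Get-ADUser -Filter { Enabled -eq $true } -SearchBase $SearchBase `
               -Properties LastLogonDate, whenCreated |
        ForEach-Object {
            # LastLogonDate is derived from lastLogonTimestamp, which is only
            # rewritten when it is more than 9-14 days out of date, so an account can
            # look up to two weeks staler than it really is. Treat the output as a
            # review list, not as proof of non-use.
            $reason = $null
            if ($null -eq $_.LastLogonDate) {
                if ($_.whenCreated -lt $cutoff) {
                    $reason = 'never logged on since creation'
                }
            } elseif ($_.LastLogonDate -lt $cutoff) {
                $reason = 'no logon within the review window'
            }
            if ($reason) {
                [pscustomobject]@{
                    SamAccountName = $_.SamAccountName
                    Created        = $_.whenCreated
                    LastLogon      = $_.LastLogonDate
                    Reason         = $reason
                }
            }
        }
}

# Step 1: produce and keep the review list (the documented periodic review).
$stale = Get-StaleSharePointAccounts
$stale | Export-Csv -Path ".\stale-sharepoint-accounts-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
$stale | Format-Table -AutoSize

# Step 2: disable only after the list has been checked against leave and termination
# records. -WhatIf reports what would change without changing it; remove it to apply.
$stale | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```

The CSV is the evidence for the audit review named above: it records which accounts were examined, when, and why each was flagged, and it is written before any account is touched.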

SharePoint Account Management Security Policy Supporting Information
  • Any and all [Organization] SharePoint security controls must not be bypassed or disabled.
  • SharePoint Security awareness by [Organization] personnel must be continually emphasized, reinforced, updated and validated.
  • All [Organization] SharePoint users are responsible for managing their use of SharePoint and are accountable for their actions relating to SharePoint security. Users are also equally responsible for reporting any suspected or confirmed violations of this policy to the appropriate management responsible for SharePoint security incident handling.
  • User SharePoint account passwords shall be protected by the individual user from use by, or disclosure to, any other individual or organization. All security violations shall be reported to the management responsible for SharePoint security incident handling.
  • Access to, changes to, and use of SharePoint account management functions must be strictly secured. SharePoint information access authority for each user must be reviewed on a regular basis, as well as at each job status change, such as a transfer, promotion, demotion, or termination of service.
  • The use of SharePoint must be for officially authorized business purposes only. There is no guarantee of personal privacy in, or of access to, tools such as, but not limited to, SharePoint areas, WSS team sites, any and all collaboration and communication functionality, and any sister server integrations (e.g. integrated Microsoft Exchange environments). The use of SharePoint and SharePoint-related tools may be monitored to fulfill complaint or investigation requirements, including forensic analysis of IDS or other security system data. Departments responsible for custody and operation of the SharePoint servers (custodian departments) shall be responsible for proper authorization of SharePoint server utilization, the establishment of effective use, and reporting of performance to management.
  • Any data housed within SharePoint must be kept confidential and secure by the respective [Organization] SharePoint user. The fact that business data may be stored electronically (e.g. in a document library or SharePoint list) does not change the requirement to keep the information confidential and secure. The type of information, or the information itself, is the basis for determining whether the data must be kept confidential and secure. Furthermore, whether the data is stored in paper or electronic form, and whenever it is copied, printed, or electronically transmitted, it must still be protected as confidential and secured.
  • On termination of the relationship with the SharePoint user, all security policies for [Organization] apply and remain in force, surviving the terminated relationship.
  • [Organization] server custodian departments must provide adequate access controls and monitoring of SharePoint systems to protect business data and associated programs from misuse, in accordance with the needs defined by owner departments. All SharePoint access must be properly documented, authorized, and controlled, following [Organization] standardized processes.
  • All [Organization] departments must carefully assess the risk of unauthorized alteration, unauthorized disclosure, or loss of the data within the [Organization] SharePoint environment for which they are responsible and ensure, through the use of monitoring mechanisms, that [Organization] is protected from damage, monetary or otherwise. SharePoint owners and server custodian departments must have appropriate backup and contingency plans for disaster recovery based on risk assessment and business requirements.
Disciplinary Actions
Violation of this policy may result in disciplinary action, which may include termination for employees and temporaries; termination of the employment relationship in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of [Organization] SharePoint access privileges and to civil and criminal prosecution.
Compliance / Regulation Contributed to by this Policy
  • Copyright Act of 1976
  • Foreign Corrupt Practices Act of 1977
  • Computer Fraud and Abuse Act of 1986
  • Computer Security Act of 1987
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA)