SharePoint Vendor Access Policy Template

Introduction – SharePoint Vendor Access Policy From time to time, various vendors, including Microsoft, will play an important role in supporting the hardware and software of the SharePoint implementation, providing vital operations knowledge and consulting. Vendors assigned to work with the SharePoint implementation may be allowed to view, copy and modify data and audit logs; correct software and operating system problems; monitor and fine-tune system performance; monitor hardware performance and errors; modify environmental systems; and reset alarm thresholds. Setting limits and controls on what vendors can see, copy, modify, and control will eliminate or reduce the risk of loss of revenue, liability, loss of trust, and embarrassment to [SharePoint Portal Owning Organization].
Purpose The purpose of the [Organization] SharePoint Vendor Access Policy is to establish the rules for vendor access to [Organization] SharePoint resources and support services (A/C, UPS, PDU, fire suppression, etc.), vendor responsibilities, and protection of [Organization] information.
Audience The [Organization] SharePoint Vendor Access Policy applies to all individuals who are responsible for the installation of new SharePoint assets or the operations and maintenance of existing SharePoint resources, and who do or may allow vendor access for maintenance, monitoring and troubleshooting purposes.
SharePoint Server Vendor Access Policy Vendors must comply with all applicable [Organization] policies, practice standards and agreements, including, but not limited to:
Safety Policies
Privacy Policies
Security Policies
Auditing Policies
Software Licensing Policies
Acceptable Use Policies
Vendor agreements and contracts must specify:

  • The [Organization] information the vendor should have access to
  • How [Organization] information is to be protected by the vendor
  • Acceptable methods for the return, destruction or disposal of [Organization] information in the vendor’s possession at the end of the contract
  • The Vendor must only use [Organization] information and SharePoint resources for the purpose of the business agreement
  • Any other [Organization] information acquired by the vendor in the course of the contract cannot be used for the vendor’s own purposes or divulged to others
  • [Organization] will provide a [SharePoint Portal Owning Division] point of contact for the Vendor. The point of contact will work with the Vendor to make certain the Vendor is in compliance with these policies.
  • Each vendor must provide [Organization] with a list of all employees working on the SharePoint contract. The list must be updated and provided to [Organization] within 24 hours of staff changes.
  • Each on-site vendor employee must acquire a [Organization] identification badge that will be displayed at all times while on [Organization] premises. The badge must be returned to [Organization] when the employee leaves the contract or at the end of the contract.
  • Each vendor employee with access to [Organization] sensitive information must be cleared to handle that information.
  • Vendor personnel must report all security incidents directly to the appropriate [Organization] personnel.
  • If vendor management is involved in [Organization] security incident management the responsibilities and details must be specified in the contract.
  • Vendor must follow all applicable [Organization] change control processes and procedures.
  • Regular work hours and duties will be defined in the contract. Work outside of defined parameters must be approved in writing by appropriate [Organization] management.
SharePoint Server Vendor Access Policy Supporting Information
  • Any and all [Organization] SharePoint security controls must not be bypassed or disabled.
  • SharePoint Security awareness by [Organization] personnel must be continually emphasized, reinforced, updated and validated.
  • All [Organization] SharePoint users are responsible for managing their use of SharePoint and are accountable for their actions relating to SharePoint security. Users are also equally responsible for reporting any suspected or confirmed violations of this policy to the appropriate management responsible for SharePoint security incident handling.
  • User SharePoint account passwords shall be protected by the individual user from use by, or disclosure to, any other individual or organization. All security violations shall be reported to the management responsible for SharePoint security incident handling.
  • Access to, changes to, and use of SharePoint accounts must be strictly controlled under the SharePoint Account Management Policy. SharePoint information access authority for each user must be reviewed on a regular basis, as well as at each job status change such as a transfer, promotion, demotion, or termination of service.
  • The use of SharePoint must be for officially authorized business purposes only. There is no guarantee of personal privacy in, or of access to, tools such as, but not limited to, SharePoint areas, WSS team sites, any and all collaboration and communication functionality, and any sister server integrations (e.g. integrated Microsoft Exchange environments). The use of SharePoint and SharePoint-related tools may be monitored to fulfill complaint or investigation requirements, including forensic analysis of IDS or other security system data. Departments responsible for custody and operations of the SharePoint servers (custodian departments) shall be responsible for proper authorization of SharePoint server utilization, the establishment of effective use, and reporting of performance to management.
  • Any data housed within SharePoint must be kept confidential and secure by the respective [Organization] SharePoint user. The fact that the business data may be stored electronically (e.g. in a document library or SharePoint list) does not change the requirement to keep the information confidential and secure. The type of information, or the information itself, is the basis for determining whether the data must be kept confidential and secure. Whether the data is stored in paper or electronic format, and whenever it is copied, printed, or electronically transmitted, it must still be protected as confidential and secured.
  • On termination of the relationship with the SharePoint user, all [Organization] security policies continue to apply and remain in force after the relationship has ended.
  • [Organization] server custodian departments must provide adequate access controls in order to monitor SharePoint systems to protect business data and associated programs from misuse in accordance with the needs defined by owner departments. All SharePoint access must be properly documented, authorized and controlled, following [Organization] standardized processes.
  • All [Organization] departments must carefully assess the risk of unauthorized alteration, unauthorized disclosure, or loss of the data within the [Organization] SharePoint environment for which they are responsible and ensure, through appropriate monitoring mechanisms, that [Organization] is protected from damage, monetary or otherwise. SharePoint owners and server custodian departments must have appropriate backup and contingency plans for disaster recovery based on risk assessment and business requirements.
Disciplinary Actions Violation of this policy may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of [Organization] SharePoint access privileges, civil, and criminal prosecution.
Compliance / Regulation Contributed to by this Policy
  • Copyright Act of 1976
  • Foreign Corrupt Practices Act of 1977
  • Computer Fraud and Abuse Act of 1986
  • Computer Security Act of 1987
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

SharePoint Physical Access Policy Template

Introduction – SharePoint Server Physical Access Policy SharePoint support staff, security administrators, SharePoint administrators, and others may have physical SharePoint server access requirements as part of their job function. The granting, controlling, and monitoring of the physical access to [Organization] SharePoint servers is extremely important to an overall Communications and Collaborations security program.
Purpose The purpose of the [Organization] SharePoint Physical Access Policy is to establish the rules for the granting, control, monitoring, and removal of physical SharePoint server access to [Organization] facilities where SharePoint servers might reside.
Audience The [Organization] SharePoint Physical Access Policy applies to all individuals who are responsible for the installation of new SharePoint property or the operations of existing SharePoint property, individuals charged with SharePoint security, and data owners.
SharePoint Server Physical Access Policy
  • All physical security systems where SharePoint is going to reside must comply with all applicable regulations such as, but not limited to, building codes and fire prevention codes.
  • Physical access to all [Organization] SharePoint resources facilities must be documented and managed.
  • All [Organization] facilities must be physically protected in proportion to the criticality or importance of their function at [SharePoint Portal Owning Organization].
  • Access to SharePoint server facilities must be granted only to [Organization] support personnel, and contractors, whose job responsibilities require access to that facility.
  • The process for granting card and/or key access to SharePoint server facilities must include the approval of the person responsible for the facility.
  • Each individual that is granted access rights to a SharePoint server facility must receive emergency procedures training for the facility and must sign the appropriate access and non-disclosure agreements.
  • Requests for access must come from the applicable [SharePoint Portal Owning Organization] data/system owner.
  • Access cards and/or keys must not be shared or loaned to others.
  • Access cards and/or keys that are no longer required must be returned to the person responsible for the SharePoint server facility. Cards must not be reallocated to another individual bypassing the return process.
  • Lost or stolen access cards and/or keys must be reported to the person responsible for the SharePoint server facility.
  • All SharePoint server facilities that allow access to visitors will track visitor access with a sign in/out log.
  • Visitors must be escorted in card-access-controlled areas of SharePoint server facilities.
  • The person responsible for the SharePoint server facility must review access records and visitor logs for the facility on a periodic basis and investigate any unusual access.
  • The person responsible for the SharePoint server facility must review card and/or key access rights for the facility on a periodic basis and remove access for individuals that no longer require access.
  • Signage for restricted-access rooms and locations must be practical, yet display minimal discernible evidence of the importance of the location.
  • Card access records and visitor logs for SharePoint server facilities must be kept for routine review, with a retention period based upon the criticality of the SharePoint and other Information Technology resources being protected.
  • The person responsible for the SharePoint server facility must remove the card and/or key access rights of individuals who change roles within [SharePoint Portal Owning Organization] or are separated from their relationship with [SharePoint Portal Owning Organization].
SharePoint Server Physical Access Policy Supporting Information
  • Any and all [Organization] SharePoint security controls must not be bypassed or disabled.
  • SharePoint Security awareness by [Organization] personnel must be continually emphasized, reinforced, updated and validated.
  • All [Organization] SharePoint users are responsible for managing their use of SharePoint and are accountable for their actions relating to SharePoint security. Users are also equally responsible for reporting any suspected or confirmed violations of this policy to the appropriate management responsible for SharePoint security incident handling.
  • User SharePoint account passwords shall be protected by the individual user from use by, or disclosure to, any other individual or organization. All security violations shall be reported to the management responsible for SharePoint security incident handling.
  • Access to, changes to, and use of SharePoint accounts must be strictly controlled under the SharePoint Account Management Policy. SharePoint information access authority for each user must be reviewed on a regular basis, as well as at each job status change such as a transfer, promotion, demotion, or termination of service.
  • All SharePoint software programs, SharePoint applications, Web Part / Application source code, Web Part / Application object code, documentation and general operational data shall be guarded and protected as if it were [Organization] property.
  • On termination of the relationship with the SharePoint user, all [Organization] security policies continue to apply and remain in force after the relationship has ended.
  • [Organization] server custodian departments must provide adequate access controls in order to monitor SharePoint systems to protect business data and associated programs from misuse in accordance with the needs defined by owner departments. All SharePoint access must be properly documented, authorized and controlled, following [Organization] standardized processes.
  • [Organization] SharePoint implementation(s), and any associated equipment used for [Organization] SharePoint implementations, that are operated and managed outside of [Organization] control must meet contractual requirements and be subject to monitoring by the appropriate SharePoint administrators as well as other authorized parties.
Disciplinary Actions Violation of this policy may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of [Organization] SharePoint access privileges, civil, and criminal prosecution.
Compliance / Regulation Contributed to by this Policy
  • Copyright Act of 1976
  • Foreign Corrupt Practices Act of 1977
  • Computer Fraud and Abuse Act of 1986
  • Computer Security Act of 1987
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA)