Meeting compliance requirements in a SharePoint Server environment


By Rebecca Herold, Contributor
06.12.2008
SharePoint Server is one of many collaboration tools that allow organizations to share documents, share knowledge, create metrics and help diverse and scattered team members work more effectively.

Some of the many laws and regulations that cover SharePoint usage include:
  • Sarbanes-Oxley Act – applies to accounting information in spreadsheets.
  • Health Insurance Portability and Accountability Act – applies to protected health information related to treatment, payment and operations activities.
  • North American Electric Reliability Corporation Cyber Security Standards – applies to critical cyber assets, such as network topologies and operational procedures.
  • Gramm Leach Bliley Act – applies to financial information that commonly occurs in customer databases and spreadsheets.
  • The Payment Card Industry Data Security Standard – applies to credit card data stored, processed or accessed in any way through the SharePoint system.

IT managers who are thinking about using SharePoint should also consider how it affects compliance in their organizations.

    The first thing to figure out – while keeping compliance requirements in mind – is how SharePoint will be used. Will SharePoint be used to collaborate and update spreadsheets that are used to make business decisions or to process business transactions? Will it be used to create metrics and other information upon which business decisions are made? Will it be used as a data backup repository?

    If "yes" is the answer to any of those questions, then there will be some compliance issues to tackle.

    Windows IT managers should also ask whether the SharePoint Server will include personally identifiable information (PII), accounting information, intellectual property or mission-critical information. It's not always a good idea to put PII and other sensitive data into such collaboration systems. But if the need arises, it's imperative that this information is properly secured.

    Determining SharePoint Server location

    Once IT managers establish how they will set up SharePoint, they must determine where to house SharePoint and who will be using it. Here is what they should ask themselves:

    Is SharePoint Server

    • inside the organization's network?
    • on a server on the Internet?
    • with an outsourced vendor host?

    If SharePoint is located on a server on the Internet, extra layers of security controls will be needed. Furthermore, if SharePoint is hosted on an outsourced vendor's site, Windows IT managers will need to ensure not only that the vendor has proper controls in place but also that the security controls are detailed in the contract.

    Once they establish how SharePoint will be used and where it will be located, Windows IT managers must consider the compliance implications of using a SharePoint Server platform. They should consider how the server is used internally as well as with business partners and customers.

    There are common compliance requirements that apply to most laws, regulations, industry standards, contractual requirements and policies that managers need to address within a SharePoint environment. They include:

    • Requiring authentication – creates accountability
    • Limiting access to PII – helps preserve data confidentiality, integrity and accuracy
    • Logging access to PII – supports accountability and provides evidence for any necessary investigations related to the data
    • Retention – keeps data as long as required and disposes of it when it is no longer needed

    Supporting compliance requirements of SharePoint Server

    Here are four ways for Windows administrators to support the wide range of compliance requirements:

    1. Establish centralized authentication administration. With SharePoint, Windows administrators can process authentication requests. If SharePoint is used in this capacity, admins must make sure that procedures for establishing and removing authentication to SharePoint resources exist, and they need to centralize the authentication administration.

    2. Restrict access to SharePoint resources. Most laws, regulations and industry standards require that access to specific types of information is provided only to individuals or defined roles that have a business need. Many SharePoint sites rely on user-based access and version controls. If admins use a front-end application to access the SharePoint site, prohibit all access by default and confirm that only administrators have permission to directly access the site. Also, strengthen access controls to SharePoint resources using existing firewalls.

    3. Log access to SharePoint resources. Log read, write and update access to PII and to financial data at a minimum. In addition, consider logging access to any business-decision-related resource, including network architecture documents, phone logs and email messages that were placed within SharePoint. And definitely log access to the audit log itself.

    4. Retain data only as long as necessary for business purposes. Think carefully about what is cached and who has access to the cache. The cache can contain PII and financial data. This type of information has to be secure, so configure the cache profile so that information is kept only until the business need is met.
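    One way to put item 3 (logging read, update and delete access) and a retention limit on the resulting audit log into practice with SharePoint's own site-collection auditing API, as an added example that is not part of the original article: it assumes SharePoint 2010 or later (the article predates the SharePoint PowerShell cmdlets) with the Microsoft.SharePoint.PowerShell snap-in, and the web application URL and the 90-day retention value are placeholders to replace with your own.

```powershell
# Added example, not from the original article. Enables item-level auditing on every
# site collection of one web application, sets how long audit entries are kept, and
# pulls the last 24 hours of entries from one site collection for review.
# Assumes SharePoint 2010+ and the Microsoft.SharePoint.PowerShell snap-in.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl     = "http://sharepoint.example.internal"   # placeholder URL
$retentionDays = 90                                     # placeholder; take from your retention policy

# Read (View), write (Update) and Delete events, plus permission changes (SecurityChange)
# so that changes to who may see the data are themselves on record.
$flags = [Microsoft.SharePoint.SPAuditMaskType]::View `
   -bor [Microsoft.SharePoint.SPAuditMaskType]::Update `
   -bor [Microsoft.SharePoint.SPAuditMaskType]::Delete `
   -bor [Microsoft.SharePoint.SPAuditMaskType]::SecurityChange

$webApp = Get-SPWebApplication $webAppUrl
foreach ($site in $webApp.Sites) {
    try {
        $audit = $site.Audit
        $audit.AuditFlags = $flags
        $audit.AuditLogTrimmingRetention = $retentionDays   # days before entries are trimmed
        $audit.Update()
        Write-Output ("Auditing enabled on {0} (flags: {1}, retention: {2} days)" -f `
            $site.Url, $audit.AuditFlags, $retentionDays)
    } finally {
        $site.Dispose()   # SPSite objects hold a database connection; always dispose them
    }
}

# Review step: list the last 24 hours of audit entries for the root site collection.
$site = Get-SPSite $webAppUrl
try {
    $query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
    $query.SetRangeStart((Get-Date).AddDays(-1))
    $query.SetRangeEnd((Get-Date))
    $site.Audit.GetEntries($query) |
        Select-Object Occurred, UserId, Event, DocLocation |
        Sort-Object Occurred -Descending
} finally {
    $site.Dispose()
}
```

    Enabling View auditing records every read, so size the content database and the retention period accordingly; this block does not by itself log who views the audit reports, which the article separately calls for.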

    This is just a short list of what Windows managers need to do to meet compliance requirements within a SharePoint environment. Putting these action items into practice will address 80% to 85% of the requirements for most organizations.

    To stay up to date about the full range of compliance requirements for your SharePoint Server environment, Windows IT managers and administrators alike must establish an ongoing dialogue with their information security and compliance teams.

    Rebecca Herold, CISSP, CISA, CISM, CIPP, FLMI, has more than 17 years of experience in IT, information security, privacy and compliance and is the owner and principal of Rebecca Herold LLC. She is an adjunct professor for the Norwich University Master of Science in Information Assurance program and is writing her 11th book. Her articles can be found at www.privacyguidance.com and www.realtime-itcompliance.com.
