SharePoint Server is one of many collaboration tools that allow organizations to share documents and knowledge, create metrics and help diverse, geographically scattered team members work more effectively.
IT managers who are thinking about using SharePoint should also consider how it affects compliance in their organizations.
The first thing to figure out – while keeping compliance requirements in mind – is how SharePoint will be used. Will SharePoint be used to collaborate and update spreadsheets that are used to make business decisions or to process business transactions? Will it be used to create metrics and other information upon which business decisions are made? Will it be used as a data backup repository?
If "yes" is the answer to any of those questions, then there will be some compliance issues to tackle.
Windows IT managers should also ask whether the SharePoint Server will hold personally identifiable information (PII), accounting information, intellectual property or mission-critical information. It's not always a good idea to put PII and sensitive data into such collaboration systems. But, if the need arises, it's imperative that this information is properly secured.
Determining SharePoint Server location
Once IT managers establish how they will set up SharePoint, they must determine where to house SharePoint and who will be using it. Here is what they should ask themselves:
Is SharePoint Server
- inside the organization's network?
- on a server on the Internet?
- with an outsourced vendor host?
If SharePoint is located on a server on the Internet, extra layers of security controls will be needed. Furthermore, if SharePoint is hosted on an outsourced vendor's site, Windows IT managers will need to ensure not only that the vendor has proper controls in place but also that the security controls are detailed in the contract.
Once they establish how SharePoint will be used and where it will be located, Windows IT managers must consider the compliance implications of using a SharePoint Server platform. They should consider how the server is used internally as well as with business partners and customers.
There are common compliance requirements that apply to most laws, regulations, industry standards, contractual requirements and policies that managers need to address within a SharePoint environment. They include:
- Requiring authentication – creates accountability
- Limiting access to PII – helps preserve data confidentiality, integrity and accuracy
- Logging access to PII – supports accountability and provides evidence for any necessary investigations related to the data
- Retention – keeps data as long as required and disposes of it when it is no longer needed
Supporting compliance requirements of SharePoint Server
Here are four ways for Windows administrators to support the wide range of compliance requirements:
Establish centralized authentication administration. With SharePoint, Windows administrators can process authentication requests. If SharePoint is used in this capacity, admins must make sure that procedures for establishing and removing authentication to SharePoint resources exist, and they need to centralize the authentication administration.
Restrict access to SharePoint resources. Most laws, regulations and industry standards require that access to specific types of information is provided only to individuals or defined roles that have a business need. Many SharePoint sites rely on user-based access and version controls. If admins use a front-end application to access the SharePoint site, prohibit all access by default and confirm that only administrators have permission to directly access the site. Also, strengthen access controls to SharePoint resources using existing firewalls.
Log access to SharePoint resources. Log read, write and update access to PII and to financial data at a minimum. In addition, consider logging access to any business-decision-related resource, including network architecture documents, phone logs and email messages that were placed within SharePoint. And definitely log access to the audit log itself.
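As an added illustration of the logging recommendation above (example code, not from the article): the following PowerShell script uses the SharePoint server object model to turn on auditing of view, update, delete, check-in/out and permission-change events for a site collection holding PII, then reads back the audit entries for one library. It assumes it runs on a SharePoint server under a farm administrator account; the site URL and library name are placeholders.

```powershell
# Added example: enable and review SharePoint audit logging for a PII site collection.
# Assumption: executed on a SharePoint server with the Microsoft.SharePoint assembly available.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$siteUrl  = "http://intranet.example.com/sites/hr"   # placeholder URL
$listName = "Personnel Files"                        # placeholder library name

$site = New-Object Microsoft.SharePoint.SPSite($siteUrl)
try {
    # Audit the events that matter for PII: reads, writes, deletes,
    # check-out/check-in and changes to who may access the content.
    $site.Audit.AuditFlags = [Microsoft.SharePoint.SPAuditMaskType]"View,Update,Delete,CheckOut,CheckIn,SecurityChange"
    $site.Audit.Update()

    # Pull the recorded entries for the sensitive library so they can be reviewed
    # or exported to a central log store.
    $list  = $site.RootWeb.Lists[$listName]
    $query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
    $query.RestrictToList($list)

    foreach ($entry in $site.Audit.GetEntries($query)) {
        # Occurred is UTC; UserId maps to the site collection's user information list.
        "{0}`t{1}`t{2}`t{3}" -f $entry.Occurred, $entry.UserId, $entry.Event, $entry.DocLocation
    }
}
finally {
    $site.Dispose()
}
```

Audit entries are written to the site collection's content database, so the database itself must also be access-controlled and its logs reviewed, which is the point of logging access to the audit log.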
Retain data only as long as necessary for business purposes. Think carefully about what is cached and who has access to the cache. The cache can contain PII and financial data. This type of information has to be secure, so configure the cache profile so that information is kept only until the business need is met.
This is just a short list of what Windows managers need to do to meet compliance requirements within a SharePoint environment. Putting these action items into practice will address 80% to 85% of the requirements for most organizations.
To stay up to date about the full range of compliance requirements for your SharePoint Server environment, Windows IT managers and administrators alike must establish an ongoing dialogue with their information security and compliance teams.
Rebecca Herold, CISSP, CISA, CISM, CIPP, FLMI, has more than 17 years of experience in IT, information security, privacy and compliance and is the owner and principal of Rebecca Herold LLC. She is an adjunct professor for the Norwich University Master of Science in Information Assurance program and is writing her 11th book. Her articles can be found at www.privacyguidance.com and www.realtime-itcompliance.com.
This was first published in June 2008