SharePoint security concerns
I used SharePoint a couple of years ago when I co-authored a book with three other people, each of whom was located in different places around the world. We collaborated to write the entire book by accessing SharePoint through an Internet portal. I now have a vendor who wants to work with me on various privacy projects through SharePoint. Is this ironic? Possibly.
In a May 2009 survey of more than 150 business leaders by Courion Corp., 90% said they were concerned that SharePoint would be used for data theft, and more than 60% said they had no tools in place to monitor SharePoint access, use or compliance. These findings are understandable. When working with vendors, I'm constantly pointing out the security and privacy compliance issues they must address to make projects successful and secure.
SharePoint compliance requirements
Business leaders are rightly concerned about compliance and security issues associated with SharePoint. Not only are there multiple issues they must address internally, but organizations must also ensure that business partners and customers are using SharePoint in compliance with applicable laws, regulations, industry standards and corporate policies.
The laws and regulations that typically cover SharePoint activities include:
- New and emerging encryption laws: For example, Nevada law requires personally identifiable information (PII) to be encrypted when in transit through an external network. Massachusetts law goes a step further and requires personal information to be encrypted not only in transit, but also when it is stored on mobile storage devices (including laptops and USB drives).
- Health Insurance Portability and Accountability Act (HIPAA): Safeguards must be in place for protected health information (PHI) related to medical treatment, payment and operations activities.
- HITECH Act: This act has generally broadened the HIPAA requirements to also apply to business associates, many of whom use SharePoint for collaborative projects. Vendors of electronic health-record vaulting services that use SharePoint to process and store PHI must know when breaches occur and respond appropriately.
- North American Electric Reliability Corporation (NERC) Cyber Security Standards: There are requirements for critical cyber assets, such as network topologies, operational procedures and other information that organizations are starting to put into SharePoint.
- Gramm-Leach-Bliley Act (GLBA): This regulation requires organizations to properly safeguard financial information often found in customer databases and spreadsheets. A growing number of financial organizations are putting such documents containing sensitive financial information into SharePoint to allow business partners and contractors to have shared access.
- Sarbanes-Oxley Act (SOX): As more organizations move significant accounting and customer information to SharePoint environments, they must remember that SOX covers these types of files.
- Breach notice laws: There are at least 47 U.S. local-level breach notice laws and requirements within the U.S. federal HITECH Act that apply to healthcare entities and their business associates. There is also a federal breach notice policy that applies to all U.S. government agencies. Compliance with these laws requires knowing where PII is stored and who has access to that information.
- Payment Card Industry Data Security Standard (PCI DSS): This standard applies if organizations store, process or access credit card data in any way through the SharePoint system. Yes, some organizations do this!
Becoming familiar with these laws and regulations will ensure that your clients are protected from future security concerns and compliance issues.
About the author
Rebecca Herold, CIPP, CISSP, CISM, CISA, FLMI, "The Privacy Professor," has provided information security, privacy and compliance leadership, advice, services, tools and products to organizations in a wide range of industries throughout the world for over two decades. Rebecca was named one of the "Best Privacy Advisers" in two of three categories by Computerworld magazine in 2007 and 2008. She creates the quarterly Protecting Information multimedia information security and privacy awareness news journal and offers information security and privacy tools and online training courses. She also serves as an adjunct professor for the Norwich University Master of Science in Information Assurance program. You can reach her at firstname.lastname@example.org or http://theprivacyprofessor.com/.
This was first published in June 2009