There are many common compliance actions that solutions providers can take to address most of the laws, regulations, industry standards, contractual requirements and policies that apply to a client's SharePoint environment. Be sure to address each of the following items when deploying SharePoint for clients:
- Encrypt PII sent outside the corporate network.
- Establish centralized authentication administration.
Centralized authentication administration creates accountability. SharePoint handles authentication in different ways, including Windows, forms, Web single sign-on and Web applications. Make sure procedures exist for establishing and removing authentication for SharePoint resources, and centralize this authentication administration. Do not allow anonymous access to PII, financial data and other items within SharePoint that are covered by laws, regulations, contracts and industry standards.
- Restrict access to SharePoint resources.
Access controls help preserve data confidentiality, integrity and accuracy. For compliance with laws, regulations and industry standards, give access only to the individuals who need it. Many SharePoint sites rely on user-based access and version controls. If you use a front-end application to access the SharePoint site, then disallow all access by default. Be sure the configuration allows only site administrators to access the site directly without going through the front-end application. Also, use your firewall to strengthen access controls and add another layer of security. Many regulations require firewalls to be in place to protect PII.
- Log access to SharePoint resources.
Logging access creates accountability and provides evidence for any necessary investigations related to data breaches. At a minimum, log read, write and update access to PII and financial data. Also, consider logging access to any network architecture documents, phone logs and email messages in SharePoint that are related to business decisions. And definitely log access to the audit log itself.
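As an added example (not from this article), the following PowerShell enables SharePoint's built-in site-collection auditing for the read, write, update and delete events described above, plus permission changes, using the SharePoint Server object model from the SharePoint Management Shell. The site URL is an assumed placeholder; the `SPAuditMaskType` flag names are SharePoint's own.

```powershell
# Added example: turn on SharePoint audit logging for a site collection holding PII
# or financial data. Run on a SharePoint server as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "https://sharepoint.example.com/sites/finance"   # assumed placeholder

# Events the article calls for: View (read), Update (write/update) and Delete,
# plus SecurityChange so permission changes on the regulated data are recorded too.
$requiredFlags = [Microsoft.SharePoint.SPAuditMaskType]"View,Update,Delete,SecurityChange"

$site = Get-SPSite -Identity $siteUrl
try {
    $current = $site.Audit.AuditFlags
    Write-Host "Current audit flags on $siteUrl : $current"

    # Only write when something is missing; keep any flags already enabled.
    if (($current -band $requiredFlags) -ne $requiredFlags) {
        $site.Audit.AuditFlags = $current -bor $requiredFlags
        $site.Audit.Update()
        Write-Host "Audit flags now: $($site.Audit.AuditFlags)"
    } else {
        Write-Host "Required audit flags are already enabled."
    }

    # Verification read-back: report how many audit entries the site already holds,
    # which is a quick check that events are actually being written.
    $entryCount = $site.Audit.GetEntries().Count
    Write-Host "Existing audit entries: $entryCount"
} finally {
    $site.Dispose()   # SPSite objects hold unmanaged resources and must be disposed
}
```

Run this per site collection that holds regulated data, and pair it with a review process for the audit log so the entries are actually examined, not just collected.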
- Retain data only as long as necessary for business purposes.
Get rid of data when it is no longer needed. You can only retain some types of information for a specific amount of time under various laws, regulations and contractual agreements. You must retain other types of data for at least a specific amount of time. For retention purposes, think carefully about what you cache and who has access to the cache. The cache can contain a huge amount of PII and financial data. Configure your cache profile to keep things only as long as necessary.
For most companies, these five actions should address 80% to 90% of compliance requirements in a SharePoint environment. But it is important to take into consideration the unique circumstances and activities of your organization.
About the author
Rebecca Herold, CIPP, CISSP, CISM, CISA, FLMI, "The Privacy Professor," has provided information security, privacy and compliance leadership, advice, services, tools and products to organizations in a wide range of industries throughout the world for over two decades. Rebecca was named one of the "Best Privacy Advisers" in two of three categories by Computerworld magazine in 2007 and 2008. She creates the quarterly Protecting Information multimedia information security and privacy awareness news journal and offers information security and privacy tools and online training courses. She also serves as an adjunct professor for the Norwich University Master of Science in Information Assurance program. You can reach her at firstname.lastname@example.org or http://theprivacyprofessor.com/.