CONFIDENTIAL: An Equal Opportunity Employer M/F/D/V. This document is for your company's internal use only and may not be copied nor distributed to another third party.
3,300 professionals
Over 20 countries in the Americas, Europe, the Middle East and Asia-Pacific
70+ offices
Our revenue: More than $743 million in 2015
Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 40 percent of FORTUNE 1000® and FORTUNE Global 500® companies.
Protiviti serves clients through a network of more than 70 locations in over 20 countries. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert
WHY SECURE SHAREPOINT?
• Represents our intranet, collaboration portal, extranet, public facing web site,
line of business, process automation, business analytics…
SHAREPOINT ON PREMISE VS OFFICE 365
SharePoint On Premise: Hosted within corporate network (data center, Azure, AWS).
Office 365 - SharePoint Online: SharePoint infrastructure hosted in Microsoft Data Centers.
• All data and systems are fully within corporate control
• Corporate IT is responsible for:
• All servers/infrastructure – security hardening,
SECURITY STARTS WITH DEPLOYMENT
• Before deploying, plan and document your service accounts
• SQL Server Service Account
• Setup Account
• Farm Service Account
• SharePoint Web Application Pool Account
• SharePoint Service Account (Service App Pool Identity)
• Search Crawl Account
• User Profile Synchronization Account
• Cache Accounts (superreader, superuser)
• SQL Service Analytics & Excel Services Accounts
• Using a Least Privileged Model
• Determine which account farm admins use to log in to Central Admin
• Determine which users will have Shell Access (PowerShell)
WEB APPLICATION AND SITE COLLECTION
Farm & Web Application Configuration
• Authentication
• Web Application Policies (user & permission policies)
• TLS/SSL Communication
• Anonymous Access
• File Types Permitted
• Web Part Security
• Anti-Virus Configuration
• Thresholds (unique security scopes, list view threshold)
• Establish a strategy for patching and security updates
Site Collection Configuration
• Site Collection Administrators
SECURITY HARDENING
• System Updates
• Web Server and Application Server Roles
• Services
• Ports and Protocols
• Database Server Role
• Blocking standard ports; Listening on non-standard ports
Goals
ROLES & RESPONSIBILITIES
Establish and document key administrative roles & responsibilities
• Document each role related to SharePoint and owners
• Each role has a primary and secondary owner
• Define/educate each role on responsibilities & access requirements
• Include administrative, development and management roles
• Keep documentation up to date and centrally located
Goals
DATA OWNERSHIP
Establish data owners for each site collection, subsite or collection of subsites
• Typically business users; can be different from site owners
• Define data owner responsibilities
• Understand sensitivity & regulatory compliance requirements for the data in areas they own
• Approve/Deny requests for access to data
• Responsible for permission remediation and certification for their area
• Define & document data owners – ensure they accept
Goals
PERMISSION MANAGEMENT
Establish a standard permission management policy
• Determine who manages permissions on sites:
• Delegate to business OR centralize in IT
• IT must support data owners & site owners
• Site Collection Admins are different from Site Owners
• Consider if Full Control is right, even to site owners
Goals
PERMISSION REMEDIATION PROCESS
Establish standard process requiring data owners to review and certify permissions are correct
• Establish regular cadence
• Perform every 6 months or 12 months
• More frequently in areas with sensitive data
• Automate reminders & reports
• Scripts, reports or third party tools
• Provide data owners with reports of current permissions
• Allow data owners to remediate and IT provides support
• Require data owners to provide written certification
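One way to produce the "current permissions" report the process above hands to data owners, as an added example (not code from the original deck): it uses the SharePoint Server (on-premise) Management Shell and object model; the site collection URL and the output path are assumed values.

```powershell
# Added example: export every unique (inheritance-broken) permission assignment
# in one site collection to a CSV for data-owner review and certification.
# $SiteUrl and $ReportPath are assumed values; replace with your own.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SiteUrl    = "https://intranet.example.com/sites/finance"
$ReportPath = "C:\Reports\finance-permissions.csv"

# Emits one row per principal on a web or list that does not inherit permissions.
function Get-UniqueAssignments($Securable, $Url, $Kind) {
    if (-not $Securable.HasUniqueRoleAssignments) { return }
    foreach ($ra in $Securable.RoleAssignments) {
        # "Limited Access" is SharePoint plumbing, not a grant the owner decides on.
        $roles = ($ra.RoleDefinitionBindings |
                  Where-Object { $_.Name -ne "Limited Access" } |
                  ForEach-Object { $_.Name }) -join ";"
        if (-not $roles) { continue }
        [PSCustomObject]@{
            Url         = $Url
            Kind        = $Kind
            Principal   = $ra.Member.Name
            LoginName   = $ra.Member.LoginName
            Roles       = $roles
            # Flag the grants a data owner should question first (see "Consider if
            # Full Control is right, even to site owners").
            FullControl = ($roles -like "*Full Control*")
        }
    }
}

$site = Get-SPSite $SiteUrl
$rows = foreach ($web in $site.AllWebs) {
    Get-UniqueAssignments $web $web.Url "Web"
    foreach ($list in $web.Lists) {
        Get-UniqueAssignments $list ($web.Url + "/" + $list.Title) "List"
    }
    $web.Dispose()
}
$site.Dispose()

$rows | Sort-Object Url, Principal | Export-Csv $ReportPath -NoTypeInformation
```

Run it under an account with read access to the whole site collection and send the CSV to the data owner with the certification request; the FullControl column gives them a starting point for remediation.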
Goals
PRIVILEGED ACCESS REVIEWS
Establish standard process for access reviews of privileged accounts
• Include IT administrators, Site Collection Admins,
Goals
REQUESTING ACCESS TO INFORMATION
Establish standard process for end users to request access to information
• Create a standard form with fields that must be provided for all access requests:
• name, purpose, if access must expire?
• Include approvals by IT, data owners and/or requestor's manager
• Make use of workflows for notifications & approval
Goals
REQUESTING & CREATING SITES
Establish standard process for end users to request new sites
• Create a standard form with fields that must be provided for all site requests
• name, purpose, primary & secondary data owners, site owners (if different), will contain sensitive data?
• Consider centralizing the site creation process with IT
• Include approval process by IT, data owners, and/or requestor's manager
• Make use of workflows for notifications & approval requests
• Log all requests - don't rely on SharePoint logs
Goals
SITE LIFECYCLE & DECOMMISSIONING
Establish standard processes for site review, archiving & deletion
• Consider:
• Scenario 1: site is requested - site is created - site never gets used
• Scenario 2: site is requested & created - site is used - all employees having access leave company - site is forgotten
• Scenario 3: over time number of sites grows to point of making other governance processes unmanageable
• Process can occur at site collection or subsite level
• Make use of built in attributes: ContentLastModified,
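A stale-site report that feeds the review/archive/delete process above, as an added example (not code from the original deck): it reads the built-in last-modified timestamp on each subsite (the SPWeb property is LastItemModifiedDate) using the SharePoint Server Management Shell; the idle threshold and output path are assumed values.

```powershell
# Added example: list subsites whose content has not changed for $StaleDays days,
# so the lifecycle process has a concrete candidate list to review.
# $StaleDays and $ReportPath are assumed values.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$StaleDays  = 365
$ReportPath = "C:\Reports\stale-sites.csv"
$now        = Get-Date
$cutoff     = $now.AddDays(-$StaleDays)

$rows = foreach ($site in Get-SPSite -Limit All) {
    foreach ($web in $site.AllWebs) {
        # LastItemModifiedDate is the built-in content-change timestamp on SPWeb.
        if ($web.LastItemModifiedDate -lt $cutoff) {
            [PSCustomObject]@{
                Url          = $web.Url
                Title        = $web.Title
                Created      = $web.Created
                LastModified = $web.LastItemModifiedDate
                DaysIdle     = [int]($now - $web.LastItemModifiedDate).TotalDays
                # Scenario 1 from the deck: created but never actually used.
                NeverUsed    = ($web.LastItemModifiedDate -le $web.Created.AddDays(1))
            }
        }
        $web.Dispose()
    }
    $site.Dispose()
}

$rows | Sort-Object DaysIdle -Descending | Export-Csv $ReportPath -NoTypeInformation
```

Scenario 2 (all users with access have left) is not visible from timestamps alone; join this list against the permission report and HR leaver data before deciding to archive.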
Goals
TAXONOMY & CLASSIFICATION
Establish standard global & departmental taxonomy with sensitivity metadata
• Keep global taxonomy small - applies to all content
• Include metadata fields for sensitivity classification - ex. Sensitive, Restricted, Internal Only, Public
• Make use of managed metadata for centralized management
• Provide end user training (videos, online)
• End user responsibilities, how to classify, what
Goals
SECURITY & GOVERNANCE TRAINING
Establish standard periodic training for employees (annual) & new hires which educates on security & information governance policies, practices, responsibilities
• Use videos, online training, other low impact tools
• Make it very fast for employees to find out how to do
Goals
ACTIVITY AUDITING & MONITORING
Make use of Activity Monitoring capabilities for data breach/leak investigation & automatic alerts
• Build up administrative expertise on using built in Activity Monitoring capabilities (Office 365)
• Implement automatic alerts for specific key activities:
• Administrative modification of external sharing,
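One way to turn the Office 365 activity log into the "automatic alerts for key activities" described above, as an added example (not code from the original deck): it queries the unified audit log for sharing events through the Search-UnifiedAuditLog cmdlet, which requires an Exchange Online PowerShell session. The operation names filtered on are the documented SharePoint sharing audit operations; the lookback window and output path are assumed values.

```powershell
# Added example: pull recent SharePoint Online sharing events from the Office 365
# unified audit log and write out the ones that widen exposure.
# Requires a connected Exchange Online PowerShell session. $Hours and the CSV path
# are assumed values; confirm the operation names against your tenant's log.
$Hours = 24
$end   = Get-Date
$start = $end.AddHours(-$Hours)

# Sharing operations worth an alert: anonymous links, external invitations,
# direct permission grants via sharing.
$watch = @("AnonymousLinkCreated", "SharingInvitationCreated", "SharingSet")

$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations $watch -ResultSize 5000

$alerts = foreach ($r in $records) {
    # The detail fields live inside the AuditData JSON payload of each record.
    $d = $r.AuditData | ConvertFrom-Json
    [PSCustomObject]@{
        Time      = $d.CreationTime
        Operation = $d.Operation
        Actor     = $d.UserId
        Object    = $d.ObjectId
        # Present for invitations and SharingSet; empty for anonymous links.
        Target    = $d.TargetUserOrGroupName
        # Anonymous links and guest targets are the highest-risk rows.
        HighRisk  = ($d.Operation -eq "AnonymousLinkCreated" -or
                     $d.TargetUserOrGroupType -eq "Guest")
    }
}

if ($alerts) {
    # Hand off to your alerting channel; here the rows are written to a CSV.
    $alerts | Sort-Object HighRisk -Descending |
        Export-Csv "C:\Reports\sharing-alerts.csv" -NoTypeInformation
}
```

Schedule it on the same cadence as your alert review and raise a ticket for every HighRisk row; the audit log is not real time, so allow for ingestion delay when choosing the lookback window.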
FINAL THOUGHTS & RECOMMENDATIONS
• Overcoming threats and vulnerabilities requires both good security & strong information governance
• Understand the security capabilities available
• Know what data is sensitive & where it lives
• Know who is responsible for sensitive data
• Establish information governance policies/procedures