SharePoint site permissions can be a burden for site owners and SharePoint admins to manage, especially when you introduce a large number of sites, compliance requirements and classification. Though SharePoint provides you with the basics out of the box, untrained site owners will create some interesting and risky permission configurations, especially if you introduce sub sites and unique permissions.
In regulated industries such as pharma, banking, medical and energy, auditors are picky about site permissions and classification (and enforcement controls) as they relate to data privacy. In short, auditors don’t like the SharePoint security model because it is distributed, places the power of security in the hands of site owners, and there’s no out-of-the-box way to monitor, enforce and correct. The result? Failed audits, privacy breaches, panic… a nightmare.
So how do you approach this? The following training, technical, policy and process actions must be carried out to address the problem:
- Site owners must be trained on an ongoing basis – mandatory training must be performed yearly to enforce and ensure owners know their responsibilities and sign off on their compliance.
- Provisioning systems must know the difference between site classifications – When an open site (Everyone has access) is requested, additional approvals must be obtained via approval workflows and the site provisioned accordingly. When a closed site (Confidential, Sensitive data, etc.) is provisioned, this must trigger enforcement tool configuration to add the site to daily scanning to ensure proper security configuration.
- Sites must have visual markers – whether a site is open or closed, there must be visual markers that communicate the site type. This is another tool for ensuring data and security compliance. For example:
  - Open sites would have an icon that depicts the site as being open to the public. Combined with training, people know not to place confidential/sensitive data there.
  - Confidential closed sites would have an icon that depicts the site as containing sensitive data, such as profits or planning for downsizing.
- Enforcement tools must scan sites daily to remove Everyone from closed sites – to enforce and protect, scanners must be run to ensure site permission compliance. For example, when Everyone access is found in a closed site, it must be logged, removed and the site owner notified. When classified data resides in a location where it should not, it is logged, flagged, locked from sharing and the site owner notified.
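To make the daily "remove Everyone from closed sites" scan concrete, here is an added example written for this post using the PnP PowerShell module (it is not code from the original post or from any product). It reads each site's classification, checks every SharePoint group for the Everyone claim, and on closed sites logs the finding, removes the principal and reports the owners to notify. The closed classification labels, the log path, the interactive login and the notification channel are assumptions to adapt to your tenant; direct role assignments outside groups are not covered.

```powershell
# Added example: daily "no Everyone on closed sites" scan with PnP PowerShell.
# Assumptions (adapt to your tenant): which classification labels mean "closed",
# a CSV log path, and that Everyone was granted through a SharePoint group.
param(
    [Parameter(Mandatory)] [string[]] $SiteUrls,   # closed sites queued by provisioning
    [string] $LogPath = "C:\Logs\sp-everyone-scan.csv",
    [switch] $WhatIf                                # report only, remove nothing
)

$ClosedLabels = @('Confidential', 'Sensitive')     # assumed classification values
# Claim login names SharePoint Online uses for the "Everyone" principals
$EveryoneClaims = @('c:0(.s|true')                 # Everyone
$EveryoneExceptExternalPrefix = 'c:0-.f|rolemanager|spo-grid-all-users'

foreach ($url in $SiteUrls) {
    Connect-PnPOnline -Url $url -Interactive
    $site = Get-PnPSite -Includes Classification
    if ($ClosedLabels -notcontains $site.Classification) { continue }  # open site: nothing to enforce

    # Walk every SharePoint group (Owners/Members/Visitors and custom ones)
    foreach ($group in Get-PnPGroup) {
        foreach ($member in Get-PnPGroupMember -Group $group) {
            $isEveryone = ($EveryoneClaims -contains $member.LoginName) -or
                          $member.LoginName.StartsWith($EveryoneExceptExternalPrefix)
            if (-not $isEveryone) { continue }

            # 1. Log the finding (audit evidence for the control plan)
            [pscustomobject]@{
                Timestamp      = (Get-Date).ToString('o'); Site = $url
                Classification = $site.Classification; Group = $group.Title
                Principal      = $member.Title;         Removed = -not $WhatIf
            } | Export-Csv -Path $LogPath -Append -NoTypeInformation

            # 2. Remove Everyone from the closed site
            if (-not $WhatIf) {
                Remove-PnPGroupMember -Group $group -LoginName $member.LoginName
            }

            # 3. Notify the site owners (site collection admins); assumed channel: warning + mail later
            $owners = (Get-PnPSiteCollectionAdmin | ForEach-Object Email) -join ';'
            Write-Warning "$url ($($site.Classification)): '$($member.Title)' found in '$($group.Title)'; notify $owners"
        }
    }
    Disconnect-PnPOnline
}
```

Run it with -WhatIf first to confirm the log output before letting it remove anything; the CSV is the evidence you hand to auditors.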
In addition, make sure this is documented in your control plan and can be reported on when auditors request information regarding your SharePoint environment and your compliance enforcement efforts.
Have feedback? Contact me at firstname.lastname@example.org