SharePoint site permissions can be a burden for site owners and SharePoint admins to manage especially when you introduce large number of sites, compliance requirements and unique permissions. Though SharePoint provides you with the basics out of the box, untrained site owners will create some interesting and risky permissions configurations especially if you introduce sub sites and unique permissions. In regulated industries such as Pharma, Banks, Medical and Energy Auditors are picky about site permissions as it related to data privacy. In short auditors don’t like SharePoint security model because its distributed, places the power of security in site owners and there’s no out of the box way to monitor, enforce and correct. As a result? Failed audits, privacy breaches, panic…a nightmare.
So how do you approach this? The following are training, technical, policy and process related actions that must be carried out to address this problem:
- Site owners must be trained on an ongoing basis – mandatory training must be performed yearly to enforce and ensure owners know their responsibilities and sign off on their compliance.
- Provisioning systems must know the difference between open and closed sites – When an open site is requested additional approvals must be obtained via approval workflows and the site provisioned accordingly. When closed sites are provisioned, this must trigger enforcement tool configuration to add the site to daily scanning to ensure that Everyone cannot be added.
- Sites must have visual markers – whether an open or closed site there must be visual markers that communicate the site type (open or closed). This is another tool for ensuring data and security compliance.
- Enforcement tools must scan sites daily to remove Everyone from closed sites – to enforce and protect enforcer scanners must be run ensure site permissions compliance. When Everyone is found in a closed site, it must be logged and the site owner notified.
In addition, make sure this is documented in your control plan and can be reported on when auditors request information regarding your SharePoint environment and your compliance enforcement efforts.
Have feedback? Contact me at firstname.lastname@example.org