Microsoft’s SharePoint enterprise content management platform is everywhere. An estimated 80 percent of the Fortune 500 use it in one form or another. Yet, in our experience, only about one-third of companies have a SharePoint security plan in place.
A secure SharePoint environment is certainly possible and not too difficult to achieve. This was the focus of Protiviti’s May 27th webinar, Conducting a SharePoint Audit and Resolving Challenges. Hundreds of executives and practitioners participated in the free live presentation, which is available in archive at the link above.
The best way to manage SharePoint security is by establishing good governance up front and understanding how the business intends to use the environment. However, this doesn’t mean security issues won’t arise over time as the platform grows organically within the organization. After a couple of years of SharePoint use, an IT manager realizes one day, “Wow, we have ten terabytes of information in SharePoint, but we don’t really know how everybody’s using it, and we don’t have security policies around it.”
Many organizations turn to us at this point.
Restoring security to the SharePoint environment starts with a SharePoint assessment. This review shows how users are utilizing the system and allows companies to understand the risks involved so they can manage them accordingly.
Often, IT departments are tempted to delegate ownership of SharePoint sites to the individual business units. Without a governance or security plan in place, those business units will tend to use the sites in whatever way makes sense to them. This could lead to a number of risk factors and security issues. Some of the most common are as follows:
- A lack of roles and responsibilities over SharePoint sites and information.
- Poor information architecture. Without rules for metadata – labels that allow companies to classify information for security and retrieval – sensitive information can be lost or exposed.
- Site proliferation. Business units will create sites, use them for a while and abandon them. Or they might create a site that doesn’t get used at all. These sites may contain sensitive information, and it’s easy to lose track of it when the sites are forgotten.
- Poor permissions management. In SharePoint, access to information is given by granting permissions. When that’s delegated down to business units without defined security and controls, it is hard to keep track of who has access to information in general and who has access to sensitive information in particular.
It is important, therefore, to conduct an assessment both at the business units that are using SharePoint, to help evaluate the risks and controls within these units, and on an enterprise level, since, in many cases, SharePoint is centrally managed. Conducting an assessment on both of these levels will bring to the surface both systemic and subsidiary issues and risks.
There are various monitoring solutions that will check who has access to what information and what sites exist, and report back up the chain of command. Data Loss Prevention (DLP) tools can scan for things like credit card numbers, Social Security numbers, and other specifically defined “sensitive” information. Finally, encryption tools can ensure that data – both inside and outside SharePoint – is readable only by the people who have been approved for access. Which tools to implement, and in what capacity, is the kind of information organizations can obtain following a SharePoint assessment.
Once an organization has conducted an assessment and identified risks, it should develop security policies and controls and then train employees rigorously to ensure that the rules will be adhered to, and enforced, over time.
For more information and specific recommendations about SharePoint security, watch the webinar, and/or download our free white paper, Maximizing Opportunities in the SharePoint Environment: Conducting Assessments and Resolving Challenges.