A key aspect of implementing SharePoint in an organisation is the security of content. The success of SharePoint in an organisation depends not only on how comfortable users are with using their current technology with SharePoint, but also on ensuring that users are comfortable knowing the data they manage on their SharePoint sites is secure…
One cannot hope to have any successful buy-in from users in relation to the security of their data on content management systems such as SharePoint unless they understand that there are implications of storing information on SharePoint. In other words, their basic understanding of security, individual responsibilities, and accountability is paramount to achieving organisational security goals.
Therefore, there is absolutely no point in simply giving users SharePoint, then saying ‘Go put your stuff on it’ unless they are at least aware of the security implications in the management of that data.
In the past, people would have argued that security of data is not a user issue – IT management have been known to use ‘throw away’ comments such as “IT would be responsible for informing the user where they could store their data”. There may be explicit reasons for doing this (some now defined as ‘old school but valid’), such as the production of highly secured data that would need to go into a specific SharePoint repository (or, even more ‘outlandish’, storing the file on a network share even if the user has access to SharePoint spaces).
Other excuses have also been used. Those working in security would probably be amazed; others may sigh and say “have heard these before”. They range from ‘the user does not have time to understand it’ and ‘the user does not need to have any security awareness to do their jobs in SharePoint’ to even more outlandish ones like ‘We do not have the luxury in understanding data security’ (yes, incredible as it may sound, these are defined as valid!).
Crucially, in this day and age of digital storage, with the possibility of also storing secure information in a cloud provision, and with users that much closer to managing their own storage areas in particular, any idea of ignoring security is definitely not valid.
So what do we need to do?
When training your users in basic SharePoint operations, one should also include security training. For example, simply instructing a user on how to drop a file into a document library should also include basic knowledge on how that file is secured. That does not mean that you immediately tell the user how to set security on the file. It means that you give security information, describing how the file is secured and the roles required to manage the file. Doing this will give a philosophy of protection and specific security instructions. The user can then reinforce that awareness with knowledge on how to secure that file, the document library or even the site (depending on their roles).
You need to ensure this security awareness training is rolled into your SharePoint training model, and that the training that follows awareness is tailored to the role of the user (i.e. SharePoint Contributor versus Owner roles).
Governance surrounds Security – what about policies?
In the companies where I have implemented SharePoint, I have always ensured there are some rules concerning user adoption and security of data in SharePoint. Here are some rules; you could use one or more of them depending on how far you want to take the roll-out of security awareness, management and review. Each of these rules can be measured, and can be used to measure the value of the user understanding how to use and manage their content at a basic level (which is a vision that every company will have when wishing to implement SharePoint anyway).
For those who think that this is all ‘airy fairy’ and not ‘real world’, let’s give you a true-to-life scenario starring Company X (I’ve cut out some details).
Company X has 4000 staff in over 30 locations across the globe. Their users are partly mobile, and access their data using supplied laptops. Access to their data is through secure VPN, which is monitored. Users automatically get access to SharePoint when they join the company; they get basic training on how to use SharePoint, and are then left to their own devices. In one event, a user copies secure information from a SharePoint site onto a laptop; that laptop ends up being stolen. The secure data is managed by a partner company. The user is sacked, and through further legal investigations Company X is sued by the partner company, resulting in loss of face and a massive loss of credibility in managing secure content.
What the above clearly shows is that security is not a full imperative for Company X; little was done to cover SharePoint security. Security for SharePoint must therefore be given very high priority, so that users, both business and technical, understand how they fit into its application.
Here are some policy statements that may help you define security training for SharePoint. Think about how these could benefit:
- All new SharePoint users should attend a Security Awareness training class prior to, or at least within 30 days of, being granted access to any secure SharePoint site.
- All SharePoint users should sign an acknowledgement stating they have read and understand requirements regarding SharePoint security policies and procedures (could be part of a larger security statement).
- All SharePoint users (employees, consultants, contractors, temporaries, etc.) should be provided with sufficient training and supporting reference materials to allow them to properly protect SharePoint content.
- Those responsible for managing security should prepare, maintain, and distribute one or more information security manuals that concisely describe security policies and procedures.
- Those responsible for managing security should develop and maintain a communications process to be able to communicate information, security bulletin information, and security items of interest.
Does it all stop there?
No. Security of the platform is a continual event; it needs to be managed, and it needs to remain current and in line with company business process. Therefore, it needs to be emphasised, reinforced, updated and validated. Whoever is responsible for maintaining security needs to have regular update reviews with the SharePoint owners, report on them and, if necessary, modify security configurations to maintain the effectiveness of SharePoint security. IT Support also needs to be made aware of how SharePoint security operates!
So who is responsible for SharePoint security?
All users are responsible for managing their use of SharePoint in terms of submitting and/or managing content that they have access to. All users are accountable for their actions relating to security of the content they manage. Through this, users are equally responsible for reporting any suspected or confirmed violations.
Summary
SharePoint security is sometimes not addressed in the flurry of SharePoint implementation simply because of a combination of factors:
- Security of data when installing is usually not seen as ‘important’
- Not enough time is spent building a security policy
- Users are not engaged and/or trained in security awareness matters related to content on SharePoint
- IT Support have little knowledge of how security works in SharePoint (e.g. Network Admin says “I am more used to network share security – what does contributor mean?”)
- The implementer of SharePoint does not address security, leading to a false belief that ‘the platform will cover it’
Hence, I hope this article has been useful in at least giving you a way of ensuring that security is part of your SharePoint training model!