Check: SHPT-00-000040
MS SharePoint 2010 STIG:
SHPT-00-000040
(in version v1 r9)
Title
SharePoint must allow authorized users to associate security attributes with information. (Cat II impact)
Discussion
Security attributes are metadata representing the basic properties of an entity with respect to safeguarding information. These attributes are typically associated with internal data structures within the application and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling, or distribution instructions, or support other aspects of the information security policy. Some examples of application security attributes include classified, FOUO, and sensitive. The term "security label" is often used to associate a set of security attributes with a specific information object as part of the data structure for that object (e.g., user access privileges, nationality, affiliation as contractor). For SharePoint installations, this capability is natively provided once content types, metadata, and an information management policy are configured as required by SHPT-00-000009 and SHPT-00-000010. Once content types are defined, enabled, and configured, users are prompted to enter these attributes when adding new documents or list items.
Check Content
To verify users are prompted automatically when entering new documents into SharePoint:

1. Using an account with authorized user permissions (not system administrator), attempt to add a document to a document library.
2. Verify the user is prompted to enter metadata and content type information.
3. Mark as a finding if the sample users are not prompted for content type information as required by the site's SSP as designated by the organization (e.g., FOUO, Personally Identifiable Information [PII], or other sensitivity levels requiring access control, retention, or tracking).
Fix Text
Create an information management policy and apply it to lists, libraries, and list content.

1. On the site collection home page, click Site Actions, point to Site Settings.
2. Click Site Settings.
3. On the Site Settings page, in the Site Collection Administration list, click Site Collection Policies.
4. On the Site Collection Policies page, click Create.
5. Follow the menus and prompts to create a name and description for the policy, and then write a brief policy statement that explains the policy to the users.
6. Configure the desired features to associate with the policy.
7. When you finish selecting the options for the individual policy features that you want to add to this information management policy, click OK to apply the policy features.
8. Once an information management policy has been created at the site collection level, it can be applied to lists, libraries, or list content types.
Additional Identifiers
Rule ID: SV-36067r3_rule
Vulnerability ID: V-27974
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-002289 | The information system supports the association of organization-defined security attributes with organization-defined subjects by authorized individuals (or processes acting on behalf of individuals). |
Controls
| Number | Title |
|---|---|
| AC-16 (4) | Association Of Attributes By Authorized Individuals |