Check: SHPT-00-000010
MS SharePoint 2010 STIG:
SHPT-00-000010
(in version v1 r9)
Title
SharePoint must maintain and support the use of organizationally defined security attributes to stored information. (Cat II impact)
Discussion
Security attributes are metadata representing the basic properties of an entity with respect to safeguarding information. These attributes are typically associated with internal data structures within the application and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. Some examples of application security attributes include classified, For Official Use Only (FOUO), Personally Identifiable Information (PII), and sensitive. The term security label is often used to associate a set of security attributes with a specific information object as part of the data structure for that object (e.g., user access privileges, nationality, affiliation as contractor). A SharePoint information management policy or a third party Information Right Management (IRM) solution must be installed to implement this requirement. Although a 3rd party solution is recommended for a more robust solution, SharePoint can natively meet this requirement through combined use of information rights policy and defined content type. Content types must be defined which bind metadata to the content in storage and in process.
Check Content
To verify that content types are used: 1. On the site home page, click Site Actions, and then click Site Settings. 2. On the Site Settings page, in the Galleries list, click Site content types and verify that content types have been defined. 3. Navigate to each document library and click Document Library Settings. 4. Under Content Types, verify that at least one content type is listed. 5. Mark as a finding if content types are not defined for each document library. Mark as not applicable for SharePoint implementations that process, store, or access only publicly-releasable information (i.e., does not provide access to classified, FOUO, or sensitive information).
Fix Text
To define content types and metadata, perform the following for each desired application security attribute, such as PII or FOUO, as defined by organizational requirements. 1. On the site home page, click Site Actions and then click Site Settings. 2. On the Site Settings page, in the Galleries list, click Site content types. 3. Enter a name for the content type and click OK to view the advanced properties. 4. Scroll down this page and add the columns to prompt the user to enter as metadata or properties to collect when documents of this content type are added to SharePoint.
Additional Identifiers
Rule ID: SV-36059r2_rule
Vulnerability ID: V-27968
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002272 |
The information system dynamically associates security attributes with organization-defined objects in accordance with organization-defined security policies as information is created and combined. |
Controls
Number | Title |
---|---|
AC-16 (1) |
Dynamic Attribute Association |