Check: SHPT-00-000009
MS SharePoint 2010 STIG: SHPT-00-000009 (in version v1 r9)
Title
SharePoint information management policies must be created, configured, and maintained to support the use of organizationally defined security attributes. (Cat II impact)
Discussion
A SharePoint information management policy is a set of rules governing the availability and behavior of a certain type of content in the application. These policies enable administrators to control and evaluate who can access information, how long to retain information, and how effectively people are complying with the policy.

For all systems processing non-publicly releasable information, an information management policy must be applied to content in document libraries and site collections by default. Applying policy to a content type or metadata allows the policy to be applied globally across document libraries, sites, or site collections. These policies must be created and configured to automatically enforce organizationally defined security policy on a document library, a site, or a specific content type. Information management policy can be used to apply permissions, audit requirements, security labels, or barcodes based on organizationally defined content types, thus leveraging a centralized security policy and security attributes that bind to SharePoint information while in storage and in process.

NOTE: Sites should run and review usage reports for the information management policy. This report shows how many policies are in place in a web application and how many documents are affected by each policy. This information can help identify which SharePoint sites are not using the global policies, which may indicate a compliance issue. The information in this report can also help organizations determine how effectively the organizationally defined labeling and other compliance requirements documented in the Site Security Plan (SSP) are being implemented.
Check Content
To verify an information management policy is enabled for use with site content, view the document properties of a sample file. Verify document or list items.

1. Go to a Site Collection within the farm.
2. Open the list or library containing the item or document to view the barcode.
3. Point to the item or document identified by the SA or site representative.
4. Click the arrow that appears, and then click View Item or View Properties.
5. Verify document property listing contains columns for labels at a minimum. Also, verify columns for barcoding, retention, and auditing (if required by the SSP) are present.
6. Mark as a finding if information management policy metadata (labeling, retention, auditing, or barcoding) do not show in the document properties for document and list content (if required by the SSP).
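The manual check samples one item at a time. The following added example (not part of the STIG text) extends that idea to every visible list in a site collection by reporting which content types carry an information management policy and which policy features are enabled. It assumes the SharePoint 2010 Management Shell on a farm server, the Microsoft.Office.Policy server object model, the built-in policy feature IDs, and a placeholder site URL.

```powershell
# Added example: inventory information management policy features per list
# content type. PowerShell 2.0 compatible; run with farm read access.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Office.Policy")

$SiteUrl = "http://sharepoint.example.local/sites/records"   # placeholder URL

# Built-in policy feature IDs mapped to the metadata named in the check.
$prefix = "Microsoft.Office.RecordsManagement.PolicyFeatures."
$featureIds = @{
    Label     = $prefix + "PolicyLabel"
    Barcode   = $prefix + "Barcode"
    Auditing  = $prefix + "PolicyAudit"
    Retention = $prefix + "Expiration"
}
$policyType = [Microsoft.Office.RecordsManagement.InformationPolicy.Policy]

$site = Get-SPSite $SiteUrl
try {
    $report = foreach ($web in $site.AllWebs) {
        try {
            foreach ($list in $web.Lists) {
                if ($list.Hidden) { continue }          # skip system lists
                foreach ($ct in $list.ContentTypes) {
                    # GetPolicy returns $null when no policy is bound.
                    $policy  = $policyType::GetPolicy($ct)
                    $enabled = @()
                    $name    = ""
                    if ($policy) {
                        $name    = $policy.Name
                        $enabled = @($policy.Items | ForEach-Object { $_.Id })
                    }
                    $row = @{ Web = $web.Url; List = $list.Title
                              ContentType = $ct.Name; Policy = $name }
                    foreach ($key in $featureIds.Keys) {
                        $row[$key] = ($enabled -contains $featureIds[$key])
                    }
                    New-Object PSObject -Property $row
                }
            }
        } finally { $web.Dispose() }                    # release each SPWeb
    }
} finally { $site.Dispose() }

# Rows without a label feature are candidates for review against the SSP.
$report | Where-Object { -not $_.Label } |
    Format-Table Web, List, ContentType, Policy, Barcode, Auditing, Retention -AutoSize
```

A row in the output is only a pointer for review: confirm it against the document properties as described in the check steps and against what the SSP actually requires for that content.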
Fix Text
Create an information management policy and apply to lists, libraries, and list content.

1. On the site collection home page, click Site Actions, then click Site Settings.
2. On the Site Settings page, in the Site Collection Administration list, click Site collection policies.
3. On the Site Collection Policies page, click Create.
4. Follow the menus and prompts to create a name and description for the policy.
5. Configure the desired features to associate with the policy.
6. When finished selecting the options for the individual policy features to add to this information management policy, click OK to apply the policy features.
7. Once an information management policy has been created for the site collection level, apply it to lists, libraries, or list content type in accordance with organizationally defined security requirements.
Additional Identifiers
Rule ID: SV-40023r2_rule
Vulnerability ID: V-30364
Group Title:
CCIs
Number | Definition |
---|---|
CCI-000287 | The organization develops and documents a configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. |
Controls
Number | Title |
---|---|
CM-1 | Configuration Management Policy And Procedures |