Q1

Category Security policy

Q2 Q3

Permissions management Hardening

Assessment Question: Answer: Has the organization created specific SharePoint governance and security policies, and have users and administrators been made aware of them? Have IT security staff been involved in the development of security policies for this site, and for SharePoint generally in the organization? Please describe the permissions structure used in creation of this SharePoint site/sub-sites. Do system hardening standards exist for SharePoint sites, and are they implemented for this SharePoint site? If so, please identify the hardening practices that have been used in creation of this SharePoint ifrastructure. Include here any antimalware solutions deployed on IIS or SharePoint servers. Please describe the network security controls deployed that help secure the SharePoint sites/servers. Include such things as external/internal firewalls, intrusion prevention systems, web application firewalls, and the like. Is audit enabled for all SharePoint system components, are the audit logs captured in such a way so as to be immutable, and is there a regular audit review process in place? Please also note whether SharePoint administrators can easily enable/disable audit collection, and whether such configuration changes are recorded. Please identify all native SharePoint security controls which are enabled for this SharePoint site, along with all 3rd party security controls which have been implemented for this site. Include any SharePoint permissions products, audit products, anti-malware products, encryption products, and rights management products in use. Have IT security staff been involved in the selection, deployment, and test of security controls for this site, and for SharePoint generally in the organization? Please fully describe the SharePoint topology, including all IIS, SharePoint, database/RBS, backup/archive, index, search and other servers used in delivery of the SharePoint site, all internal/external interfaces, and how they relate to the rest of the internal/external networks with access. Does this site store compliance-regulated content of any of the following types: healthcare information (HIPAA/ePHI), credit card data (PCI DSS regulated cardholder data), personally identifiable information (PII, state data breach laws), export controlled information (EAR/ITAR regulated information), customer financial information (GLBA regulated customer account information), FDA/pharmaceutical regulated information (21 CFR Part 11), other? If so, please identify the content type/regulation, and describe the security controls employed to achieve compliance, and the content file type, quantity, and location in site. Please describe the various use cases, user communities, and the content stored by them in these SharePoint sites. Please specifically identify any sensitive content that is known to be stored in these sites, including, for example, intellectual property, human resources information, customer information, prospect databases, customer lists, or other sensitive/secret information. Please also identify if regular content scanning is performed on this site. Please think through and identify internal and external threats to the data and content residing in these SharePoint sites. These can include privileged employees, administrators, disgruntled IT staff, external hackers, competitors, employee errors, threats to backup data, theft of servers, and any other threat that you perceive to be relevant for these sites. It is helpful to rank order the threats according to your perception of liklihood of occurence. Please identify all disaster recovery and business continuity plans and procedures that are put in place for this SharePoint site, including backups/offsite storage. Please describe the identity and access management in use on this SharePoint site. Note whether identities and group privileges are administered via AD groups, local SharePoint groups, or claims/federation. Do any existing security controls enforce separation of duties, least privilege, and need to know, specifically relating to permissions, identity, and access to sensitive content for administrators on this SharePoint site? If yes, please identify and describe these controls, and how they are managed and administered.

Q4 Q5

Network Audit

Q6

Controls

Q7

Topology

Q8

Compliance

Q9

Content

Q10

Threats

Q11 Q12 Q13

DR/BCP Identity

Q14

Separation of duties, least privilege, need to know enforcement Impact Describe the impact to the business/department that would be realized if this SharePoint site was unavailable, or if SharePoint content was lost, stolen, altered, or unavailable. Include some thought on the impact of a security breach of this site/content- what would the impact to the business be, including breach notification costs and impacts.

Q15

Patch management Describe the patch management approach used on SharePoint servers.

Caveats and Usage notes: This simple SharePoint risk assessment should be used to gain a preliminary understanding of risks to SharePoint sites and information. Because SharePoint deployments vary widely in terms of whether they are internal, external, or internet-facing, and what sort of users and content are involved, etc., the assessment should be individually used for each different deployment scenario. Because this is a high-level risk assessment, and because the relevance of many of the questions and answers will vary considerably depending on the use case, user base, content types, and topology, no attempt has been made to make the results measurable into Low-Medium-High, or a more quantitative risk measurement. Our suggestion is that SharePoint administrators might want to work with your information security or risk management teams to tailor the assessment, and to discuss the meaning of the findings. CipherPoint Software (www.cipherpoint.com) is happy to make this high-level SharePoint risk assessment freely available to the SharePoint community. You are free to use or modify it as you see fit. If you develop other new assessment questions, we'd ask that you consider contributing them to the SharePoint community via the community security site (www.sharepointdefenseindepth.com) so that we may add them to a future version of this template. Disclaimer, use of this risk assessment template provides no assurance of security.