SharePoint must allow authorized users to associate security attributes with information.

From SharePoint 2010 Security Technical Implementation Guide (STIG)

Part of SRG-APP-000012-COL-000012

Associated with IA controls: ECAD-1

Associated with: CCI-001427

SV-36067r3_rule SharePoint must allow authorized users to associate security attributes with information.

Vulnerability discussion

Security attributes are metadata representing the basic properties of an entity with respect to safeguarding information. These attributes are typically associated with internal data structures within the application and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. Some examples of application security attributes include classified, FOUO, and sensitive.The term security label is often used to associate a set of security attributes with a specific information object as part of the data structure for that object (e.g., user access privileges, nationality, affiliation as contractor). For SharePoint installations, this capability is natively provided once content types, metadata, and an information management policy is configured as required by SHPT-00-000009 and SHPT-00-000010. Once content types are defined, enabled and configured, users will be prompted to enter these attributes when adding new documents or list items.

Check content

To verify users are prompted automatically when entering new documents into SharePoint: 1. Using an account with authorized user permissions (not system administrator), attempt to add a document to a document library. 2. Verify the user is prompted to enter metadata and content type information. 3. Mark as a finding if the sample users are not prompted for content type information as required by the site's SSP as designated by the organization (e.g., FOUO, Personally Identifiable Information [PII], or other sensitivity levels requiring access control, retention, or tracking.)

Fix text

Create an information management policy and apply to lists, libraries, and list content. 1. On the site collection home page, click Site Actions, point to Site Settings. 2. Click Site Settings. 3. On the Site Settings page, in the Site Collection Administration list, click Site Collection Policies. 4. On the Site Collection Policies page, click Create. 5. Follow the menus and prompts to create a name and description for the policy, and then write a brief policy statement that explains the policy to the users. 6. Configure the desired features to associate with the policy. 7. When you finish selecting the options for the individual policy features that you want to add to this information management policy, click OK to apply the policy features. 8. Once an information management policy has been created for the site collection level, it can be applied to lists, libraries, or list content type.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer