SharePoint must maintain and support the use of organizationally defined security attributes to stored information.

From MS SharePoint 2010 Security Technical Implementation Guide

Part of SRG-APP-000006-COL-000006

Associated with: CCI-002272

SV-36059r2_rule SharePoint must maintain and support the use of organizationally defined security attributes to stored information.

Vulnerability discussion

Security attributes are metadata representing the basic properties of an entity with respect to safeguarding information. These attributes are typically associated with internal data structures within the application and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. Some examples of application security attributes include classified, For Official Use Only (FOUO), Personally Identifiable Information (PII), and sensitive.The term security label is often used to associate a set of security attributes with a specific information object as part of the data structure for that object (e.g., user access privileges, nationality, affiliation as contractor). A SharePoint information management policy or a third party Information Right Management (IRM) solution must be installed to implement this requirement. Although a 3rd party solution is recommended for a more robust solution, SharePoint can natively meet this requirement through combined use of information rights policy and defined content type. Content types must be defined which bind metadata to the content in storage and in process.

Check content

To verify that content types are used: 1. On the site home page, click Site Actions, and then click Site Settings. 2. On the Site Settings page, in the Galleries list, click Site content types and verify that content types have been defined. 3. Navigate to each document library and click Document Library Settings. 4. Under Content Types, verify that at least one content type is listed. 5. Mark as a finding if content types are not defined for each document library. Mark as not applicable for SharePoint implementations that process, store, or access only publicly-releasable information (i.e., does not provide access to classified, FOUO, or sensitive information).

Fix text

To define content types and metadata, perform the following for each desired application security attribute, such as PII or FOUO, as defined by organizational requirements. 1. On the site home page, click Site Actions and then click Site Settings. 2. On the Site Settings page, in the Galleries list, click Site content types. 3. Enter a name for the content type and click OK to view the advanced properties. 4. Scroll down this page and add the columns to prompt the user to enter as metadata or properties to collect when documents of this content type are added to SharePoint.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer