SharePoint FAQs

  1. Does anyone know if information stored on SharePoint (on the secure side, not the public side) conforms per se to the University's information security policies, particularly "sensitive information" as defined in the encryption policy?

 

 

---------------------------------------------------------

 

The simple answer to your question is, yes, information stored on the SharePoint Secure site does conform to the University's information security policies (the public site is not access controlled), but security administration of the sites, document libraries, workspaces, etc. is the responsibility of the site owner/administrator(s). Since SharePoint is an enterprise system, it is viewed as if you stored the information on the I: drive, but there is more responsibility put on the site owner/administrator.

In the case of 'sensitive information', the SharePoint site security must be managed by the site owner/administrator and should follow 'least privilege' and 'need-to-know' security practices: the select group of users who have access to the data have only enough access to perform their job duties, and have a need to know the information presented. For example, if the users only need to read the data, the site owner/administrator would have to justify to a federal regulations auditor why those users have read/write access.

The practice of 'least privilege' and 'need-to-know' when it comes to sensitive information pertains to every site, workspace, document library, etc. in SharePoint. For example, just because a user has read/write access (contributor access in SharePoint) to the parent site, it does not mean they need the same access to a child document library containing sensitive information.

To determine whether you are logged into the SharePoint Secure site, note that the URL will contain the word "secure", as in https://sharepointsecure.louisville.edu/.../. The public site is https://sharepoint/louisville.edu.