SharePoint Compliance and Security Go Hand in Hand
Organizations using SharePoint have tremendous collaboration benefits. But this collaborative environment also requires organizations and individuals to be trusted with a vast amount of sensitive data: customers' personally identifiable information (PII), protected health information (PHI) and confidential company content including intellectual property (IP), human resource files, M&A, board documents, customer lists or product strategies, just to name a few.
There can be risks to storing confidential data on a platform built for collaboration. In fact, the Identity Theft Resource Center (ITRC), which tracks disclosed data breaches, reported 212 breaches so far in 2013 alone. These breaches have exposed more than 4.5 million personal records related to medical information, social security numbers, credit cards and other information.
Given the number of publicized breaches, organizations are often daunted at how to best use SharePoint for collaboration given the confidential information that goes into it and how to collaborate within the parameters set by regulations. Organizations need to be confident in the ability to put any type of document into SharePoint to leverage the investment for a greater ROI.
Sure... most organizations have governance and compliance strategies in place that dictate proper usage, but compliance policies only get you so far. Just like the song "Love and Marriage" reminds us, you can't have one without the other, and so too it goes with SharePoint compliance and security.
Why SharePoint Needs Security
With global regulations governing privacy, financial or healthcare information, and often varying from country to country, it is incredibly difficult to know if you are in full compliance. Sensitive content needs to be collaborated and most organizations are anxiously trying to put paper policies in place around it.
However, compliance in itself is not sticky. A policy can be put in place and automated checks can even monitor for compliance violations, but it needs to be combined with security. You need to be able to secure sensitive content to control who can access it and how it can be distributed to provide true risk mitigation, and protect the organization from damaging breaches. The ability to track from a forensic perspective who accessed, copied, printed or emailed content is also important in the event of a breach. You need an end-to-end security process to achieve sticky compliance.
Balancing compliance and security with collaboration is the key to SharePoint success. This six-step process that utilizes automation can safeguard against compliance violations and properly secure content without impacting collaboration:
1. Identify red flag risks. Bring together stakeholders such as senior management, heads of communications, human resources and business units to provide assessment of risks and suggest policies required for the organization. This should cover both general, country- and industry-specific regulations to secure PII and PHI amongst others, and keep corporate confidential information (IP, M&A or trade secrets) safe.
2. Establish the compliance strategy. Determine what areas of risk to address and align this with the business strategy. Use stakeholder knowledge to define the compliance strategy for the organization against the business strategy.
3. Design policies and deploy. Based on the compliance strategy, use an automated solution to define and automate policies. Assign policy officers and use appropriate actions for non-compliant content, establish access restriction rules and workflows to support notifications. Scan content at rest or in motion and tag content based on these policies to automatically detect, correct, prevent and mitigate risk.
4. Automate content compliance. Integrate content compliance into user activities to automatically review content as it is created. Actions should be taken to not only flag violations found, but also automatically classify content based on the type of sensitive content found in accordance with pre-defined policy rules. Notifications should also be sent to the appropriate stakeholder(s) to assess violations, and suggest additional policies or actions.
5. Secure content. Have the ability to secure sensitive content. SharePoint out-of-the-box folder-level security is not as effective as item-level classification which goes with a document as it moves around SharePoint. Look to secure content based on the presence of customer or confidential company information and automatically restrict access to, encrypt and track documents, as well as prevent distribution by unauthorized users.
6. Report, remediate and refine. One of the most important aspects of managing compliance and security risk is the ability to audit and report on the organizations' compliance and security status. You should also track and monitor the movement of confidential and sensitive documents, including who views, prints and emails documents. This will help to measure progress against goals over time and provide an audit trail for regulators if required.
At the end of the day, collaboration of sensitive data between appropriate parties is necessary. Detailed reporting also allows policy managers to modify policy and rules based on user interaction and compliance trends. This will help balance the need to collaborate with security.
To complicate compliance matters, with bring your own device (BYOD) business trends and mobile technology becoming the de facto choice for traveling employees, it is inevitable that SharePoint content will appear on iPads and other mobile devices. No matter the access point for enterprise content, it must remain secure and accessible only to authorized personnel. To effectively mitigate mobile risk, organizations should employ the same content security capabilities, and ideally leverage the same policies and rules from SharePoint, in mobile environments.
The bottom line is you need to protect your organization, while still allowing for open collaboration between the right audiences to get the most from your SharePoint investment. Consider an end-to-end automated compliance and security program for traditional and mobile environments to remove some of the vulnerabilities and human diligence required to maintain SharePoint content security. Just as love and marriage go hand in hand, your compliance and security strategy should as well.
To download "Infographic on Managing Compliance and Security Risk in SharePoint" visit: www.hisoftware.com/KMWorld
As a Microsoft Gold Certified Application Development Partner and 2012 Windows IT Pro Editors' Choice Gold Medal Winner for SharePoint product of the year, HiSoftware allows companies to easily manage compliance and security with an integrated suite of solutions that audit and secure sensitive content in SharePoint.