Office 365 (SharePoint Online) - Security Recommendations
The purpose of this document is to help individuals, teams, departments, etc, use SharePoint in a secure manner.
Security for Accessing SharePoint:
Secure the workstation or device you are using to access SharePoint:
- Install virus/malware detection software with the latest definitions
- Run a firewall that blocks in-bound traffic
- Do not log into your workstation or device as an administrator (unless absolutely necessary)
- Keep your operating system and software up-to-date
- Password-protect your workstation or device and use idle-time screen saver passwords where possible
- Talk to your departmental IT support for help securing your computers and other devices
Use only secure network connections:
- Use the UWM wired network or UWM WiFi when on campus.
- Try to avoid using public WiFi, but if you need to use it, follow FTC's best practices.
- Secure your home wireless network using the FTC's guide.
De-identify confidential or sensitive data before uploading to SharePoint:
- Use a random identifier and store both the identifiable data and its encrypted identifier on an internal network drive.
Encrypt confidential or sensitive data that cannot be de-identified:
- Use the UWM Information Security Office's recommended tools (scroll down to "Encryption" section).
- Ensure the party you are sharing these files with has met the requirements associated with the type of data being shared (e.g., signing a confidentiality agreement or signing a BAA for HIPAA data).
- Encryption key or password should be exchanged over the phone.
If you can't remove, store in a local file server, delete, mask, DE identify, or encrypt confidential or sensitive data used in SharePoint please set the following to ensure its security.
Create or use if supplied, a document library called, Security
Note: The document library may be called anything you think is appropriate. Security is a name that shows the intent of the documents stored in that library. You may not want to mix documents with different security levels in the same document library, it is difficult to manage security at the document level.
Enable Information Rights Management, which can be found in the Library Settings, if not already enabled
IRM allows you to control how files are downloaded and what permissions individuals have once they download them.
- Check - Restrict permissions on this library on download
- Create a permission Policy Title such as, Secure File Sharing for HR
- Add a permission policy description: This is optional
- Set additional IRM library settings
- Check (Optional) - Do not allow users to upload documents that do not support IRM. Warning: if you check this only Office Documents will be allowed to be uploaded, but it will ensure that IRM is applied to all documents in the library otherwise you may upload a document thinking it is protected when in fact it isn't.
- Leave the rest of the options unchecked unless needed.
Configure document access rights
- Check - After download, document access rights will expire after these number of days (1-365) and set the number of days to 5
- Leave all the rest unchecked unless necessary
Set group protection and credentials interval
- Check - Users must verify their credentials using this interval (days) and set the number of days to 1
- Leave the rest unchecked unless necessary
- Click OK to save settings for library
Enable logging at your site
Logging is essential for auditing what is happening on your site and will help you verify users' actions are what they are supposed to be and may help reduce any fines or penalties in case of a security incident. Logging can only be enabled by your Site Collection Administrator, so please work with them to enable the following.
Site Collection Audit Settings
- Check - Auto Trim
- Check - If you'd like to keep audit data for longer than this, please specify a document library. Create or use if supplied, a document library called, Audit Logs. Enter, /sites/name of site/Audit Logs into the field. Note: Make sure versioning is turned on for that document library.
Specify the events to audit
- Check all
Specify the events to audit
- Check all
Alerts are not a requirement, but are highly recommended. The can be set at the document level, folder level, or library level depending on your need. We recommend setting them at the Security library level. Here are the recommended alert settings:
- Only send me alerts when: Check, All changes
- Send me an alert when: Check, Anything changes
- Check, Send notification immediately
Reports can't be automated or scheduled to run, they are ad hoc and can be used when needed. The reports need to be run by Site Collection Admins so you will need to work with them to create reports you may need. You can also look at your Audit Logs library to view the same information in bulk. The security office will be looking into what reports may be the most helpful and will be added to this document in the future.
Giving Access to Sites and Libraries
If possible, only use groups to manage access, individual access is to difficult to manage in the long run. You can set permissions to groups and add or remove users when needed.