The purpose of this document is to help individuals, teams, departments, etc., use SharePoint in a secure manner.
- Use the UWM Information Security Office's recommended tools (scroll down to the "Encryption" section).
- Ensure the party you are sharing these files with has met the requirements associated with the type of data being shared (e.g., signing a confidentiality agreement or signing a BAA for HIPAA data).
- The encryption key or password should be exchanged over the phone.
SharePoint Security:
If you can't remove, store on a local file server, delete, mask, de-identify, or encrypt confidential or sensitive data used in SharePoint, please configure the following settings to ensure its security.
Create, or use if supplied, a document library called Security.
Note: The document library may be called anything you think is appropriate. Security is a name that shows the intent of the documents stored in that library. You may not want to mix documents with different security levels in the same document library, because it is difficult to manage security at the document level.
Enable Information Rights Management, which can be found in the Library Settings, if it is not already enabled.
IRM allows you to control how files are downloaded and what permissions individuals have once they download them.
- Check - Restrict permissions on this library on download
- Create a permission policy title, such as Secure File Sharing for HR
- Add a permission policy description (optional)
- Set additional IRM library settings
- Check (Optional) - Do not allow users to upload documents that do not support IRM. Warning: if you check this, only Office documents can be uploaded. However, it ensures that IRM is applied to every document in the library; otherwise you may upload a document thinking it is protected when in fact it isn't.
- Leave the rest of the options unchecked unless needed.
Configure document access rights
- Check - Auto Trim
- Check - If you'd like to keep audit data for longer than this, please specify a document library. Create, or use if supplied, a document library called Audit Logs. Enter /sites/name of site/Audit Logs into the field. Note: Make sure versioning is turned on for that document library.
Specify the events to audit
Alerts
Alerts are not a requirement, but they are highly recommended. They can be set at the document level, folder level, or library level, depending on your need. We recommend setting them at the Security library level. Here are the recommended alert settings:
- Only send me alerts when: Check, All changes
- Send me an alert when: Check, Anything changes
- Check, Send notification immediately
Reporting
Reports can't be automated or scheduled to run; they are ad hoc and can be run when needed. Reports must be run by Site Collection Admins, so you will need to work with them to create any reports you need. You can also look at your Audit Logs library to view the same information in bulk. The security office will be looking into which reports may be the most helpful, and those will be added to this document in the future.
Giving Access to Sites and Libraries
If possible, use only groups to manage access; individual access is too difficult to manage in the long run. You can set permissions on groups and add or remove users when needed.