SHPT-00-000040 - SharePoint must allow authorized users to associate security attributes with information.

Information

Security attributes are metadata representing the basic properties of an entity with respect to safeguarding information. These attributes are typically associated with internal data structures within the application and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. Some examples of application security attributes include classified, FOUO, and sensitive.

The term security label is often used to associate a set of security attributes with a specific information object as part of the data structure for that object (e.g., user access privileges, nationality, affiliation as contractor).

For SharePoint installations, this capability is natively provided once content types, metadata, and an information management policy are configured as required by SHPT-00-000009 and SHPT-00-000010. Once content types are defined, enabled, and configured, users will be prompted to enter these attributes when adding new documents or list items.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Create an information management policy and apply it to lists, libraries, and list content.
1. On the site collection home page, click Site Actions, point to Site Settings.
2. Click Site Settings.
3. On the Site Settings page, in the Site Collection Administration list, click Site Collection Policies.
4. On the Site Collection Policies page, click Create.
5. Follow the menus and prompts to create a name and description for the policy, and then write a brief policy statement that explains the policy to the users.
6. Configure the desired features to associate with the policy.
7. When you finish selecting the options for the individual policy features that you want to add to this information management policy, click OK to apply the policy features.
8. Once an information management policy has been created at the site collection level, it can be applied to lists, libraries, or list content types.

See Also

https://iasecontent.disa.mil/stigs/zip/U_MS_SharePoint_2010_V1R9_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-16(4), CAT|II, CCI|CCI-002289, Rule-ID|SV-36067r3_rule, STIG-ID|SHPT-00-000040, Vuln-ID|V-27974

Plugin: Windows

Control ID: 00ed4c952919c1c9bf59d7b71817ed07742e49261ea20eb8352dbd8e7bcf29e7