Microsoft’s SharePoint enterprise content management platform is everywhere. An estimated 80% of the Fortune 500 use it in one form or another. Yet, in our experience, only about one-third of companies have a SharePoint security plan in place.

A secure SharePoint environment is certainly possible and not too difficult to achieve. The best way to manage SharePoint security is by establishing some good governance up front and understanding how the business intends to use the environment. However, this doesn’t mean security issues won’t arise over time as the platform grows organically within the organization. After a couple of years of SharePoint use, an information technology (IT) manager realizes one day, “Wow, we have 10 terabytes of information in SharePoint, but we don’t really know how everybody’s using it, and we don’t have security policies around it.”

Many organizations turn to us at this point.

Restoring security to the SharePoint environment starts with a SharePoint assessment. This review helps provide an understanding of how users are utilizing the system and allows companies to understand the risks involved so they can manage them accordingly.

Often, IT departments are tempted to delegate ownership of SharePoint sites to the individual business units. Without a governance or security plan in place, those business units will tend to use the sites in whatever way makes sense to them. This could lead to a number of risk factors and security issues. Some of the most common are as follows:
  • A lack of roles and responsibilities over SharePoint sites and information.

  • Poor information architecture. Without rules for metadata—labels that allow companies to classify information for security and retrieval—sensitive information can be lost or exposed.

  • Site proliferation. Business units will create sites, use them for a while and abandon them, or create a site that doesn’t get used at all. These sites may contain sensitive information, and it’s easy to lose track of it when the sites are forgotten.

  • Poor permissions management. In SharePoint, access to information is given by granting permissions. When that’s delegated down to business units without defined security and controls, it is hard to keep track of who has access to information, and in particular who has access to sensitive information.

It is important, therefore, to conduct an assessment both at the level of the business units that are using SharePoint, to help evaluate the risks and controls within these units, and at the enterprise level, since in many cases SharePoint is centrally managed. Conducting an assessment on both of these levels will bring to the surface both systemic and subsidiary issues and risks.

There are various monitoring solutions that will check who has access to what information and what sites exist, and report back up the chain of command. Data loss prevention (DLP) tools can scan for things like credit card numbers, Social Security numbers and other specifically defined “sensitive” information. Finally, encryption tools can ensure that data—both inside and outside SharePoint—is readable only by the people who have been approved for access. Which tools to implement, and in what capacity, is the kind of information organizations can attain following a SharePoint assessment.
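Before buying a monitoring product, an assessment team can get a first picture of the two problems described above (forgotten sites and permissions that have drifted away from the central model) with a short inventory script. The following is an added example, not code from the original post or from Protiviti; it uses the on-premises SharePoint server object model from the SharePoint Management Shell, and the output path and the 180-day “stale” threshold are placeholder assumptions.

```powershell
# Added example (not from the original post): inventory every web and list that
# breaks permission inheritance, and flag sites that look abandoned.
# Assumptions: run as a farm administrator on a SharePoint server; the CSV path
# and the stale-site threshold below are placeholders to adjust per environment.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$StaleAfterDays = 180                                           # assumed threshold
$OutputCsv      = "C:\Temp\SharePointPermissionInventory.csv"  # placeholder path
$rows = New-Object System.Collections.Generic.List[object]

function Add-RoleRows($securable, $siteUrl, $scopeUrl, $scopeType) {
    # Record every principal granted rights directly on this securable object
    foreach ($ra in $securable.RoleAssignments) {
        $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ';'
        $rows.Add([pscustomobject]@{
            SiteCollection = $siteUrl
            Scope          = $scopeType
            Url            = $scopeUrl
            Principal      = $ra.Member.LoginName
            Roles          = $roles
        })
    }
}

foreach ($site in Get-SPSite -Limit All) {
    foreach ($web in $site.AllWebs) {
        # Site proliferation: surface webs nobody has modified within the window
        $idleDays = ((Get-Date) - $web.LastItemModifiedDate).Days
        if ($idleDays -gt $StaleAfterDays) {
            Write-Warning ("{0} last modified {1} days ago" -f $web.Url, $idleDays)
        }
        # Permissions management: inheritance breaks are where access quietly diverges
        if ($web.HasUniqueRoleAssignments) { Add-RoleRows $web $site.Url $web.Url 'Web' }
        foreach ($list in $web.Lists) {
            if ($list.HasUniqueRoleAssignments) {
                $listUrl = $web.Url + '/' + $list.RootFolder.Url
                Add-RoleRows $list $site.Url $listUrl 'List'
            }
        }
        $web.Dispose()   # SPWeb objects hold unmanaged resources; release them
    }
    $site.Dispose()
}

$rows | Export-Csv -Path $OutputCsv -NoTypeInformation
Write-Host ("Wrote {0} unique permission grants to {1}" -f $rows.Count, $OutputCsv)
```

The resulting CSV lists each principal and role on every object with unique permissions, which is the starting point for reviewing who can reach sensitive content; item-level permissions are not walked here and would need an additional loop per list.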

Once an organization has conducted an assessment and identified risks, it should develop security policies and controls and then train employees rigorously to ensure that the rules will be adhered to, and enforced, over time.

This post was published originally on The Protiviti View by Protiviti Inc. Copyright 2015. Protiviti is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit (

James Ensminger and Antonio Maio serve in Protiviti’s SharePoint practice.
