UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

SharePoint must allow authorized users to associate security attributes with information.


Overview

Finding ID Version Rule ID IA Controls Severity
V-27974 SHPT-00-000040 SV-36067r3_rule Medium
Description
Security attributes are metadata representing the basic properties of an entity with respect to safeguarding information. These attributes are typically associated with internal data structures within the application and are used to enable the implementation of access control and flow control policies, reflect special dissemination, handling or distribution instructions, or support other aspects of the information security policy. Some examples of application security attributes include classified, FOUO, and sensitive. The term security label is often used to associate a set of security attributes with a specific information object as part of the data structure for that object (e.g., user access privileges, nationality, affiliation as contractor). For SharePoint installations, this capability is natively provided once content types, metadata, and an information management policy is configured as required by SHPT-00-000009 and SHPT-00-000010. Once content types are defined, enabled and configured, users will be prompted to enter these attributes when adding new documents or list items.
STIG Date
MS SharePoint 2010 Security Technical Implementation Guide 2019-01-02

Details

Check Text ( C-36974r3_chk )
To verify users are prompted automatically when entering new documents into SharePoint:

1. Using an account with authorized user permissions (not system administrator), attempt to add a document to a document library.
2. Verify the user is prompted to enter metadata and content type information.
3. Mark as a finding if the sample users are not prompted for content type information as required by the site's SSP as designated by the organization (e.g., FOUO, Personally Identifiable Information [PII], or other sensitivity levels requiring access control, retention, or tracking.)
Fix Text (F-32238r5_fix)
Create an information management policy and apply to lists, libraries, and list content.
1. On the site collection home page, click Site Actions, point to Site Settings.
2. Click Site Settings.
3. On the Site Settings page, in the Site Collection Administration list, click Site Collection Policies.
4. On the Site Collection Policies page, click Create.
5. Follow the menus and prompts to create a name and description for the policy, and then write a brief policy statement that explains the policy to the users.
6. Configure the desired features to associate with the policy.
7. When you finish selecting the options for the individual policy features that you want to add to this information management policy, click OK to apply the policy features.
8. Once an information management policy has been created for the site collection level, it can be applied to lists, libraries, or list content type.