
SharePoint must maintain and support the use of organizationally defined security attributes to stored information.


Overview

Finding ID: V-27968
Version: SHPT-00-000010
Rule ID: SV-36059r2_rule
IA Controls: ECAD-1, ECML-1
Severity: Medium
Description
Security attributes are metadata representing the basic properties of an entity with respect to safeguarding information. These attributes are typically associated with internal data structures within the application and are used to enable the implementation of access control and flow control policies; reflect special dissemination, handling, or distribution instructions; or support other aspects of the information security policy. Some examples of application security attributes include classified, For Official Use Only (FOUO), Personally Identifiable Information (PII), and sensitive. The term security label is often used to associate a set of security attributes with a specific information object as part of the data structure for that object (e.g., user access privileges, nationality, affiliation as contractor).

A SharePoint information management policy or a third-party Information Rights Management (IRM) solution must be installed to implement this requirement. Although a third-party solution is recommended for a more robust solution, SharePoint can natively meet this requirement through combined use of information rights policy and defined content types. Content types must be defined which bind metadata to the content in storage and in process.
STIG: SharePoint 2010 Security Technical Implementation Guide (STIG)
Date: 2015-10-02

Details

Check Text (C-36985r3_chk)
To verify that content types are used:
1. On the site home page, click Site Actions, and then click Site Settings.
2. On the Site Settings page, in the Galleries list, click Site content types and verify that content types have been defined.
3. Navigate to each document library and click Document Library Settings.
4. Under Content Types, verify that at least one content type is listed.
5. Mark as a finding if content types are not defined for each document library. Mark as not applicable for SharePoint implementations that process, store, or access only publicly releasable information (i.e., do not provide access to classified, FOUO, or sensitive information).
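
Steps 3 through 5 of the check can be scripted across the farm instead of clicked through library by library. The PowerShell below is an added example, not part of the STIG; it assumes the SharePoint 2010 Management Shell on a farm server and an account that can read every site collection, and the function name and report path are hypothetical.

```powershell
# Added audit example (not STIG content). Compatible with PowerShell 2.0.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

function Get-LibraryContentTypeReport {
    param([string]$ReportPath = ".\content-type-audit.csv")  # hypothetical output path

    $docLib = [Microsoft.SharePoint.SPListTemplateType]::DocumentLibrary
    $rows = @()

    foreach ($site in Get-SPSite -Limit All) {
        try {
            foreach ($web in $site.AllWebs) {
                try {
                    foreach ($list in $web.Lists) {
                        # Check step 3: visit only user-facing document libraries.
                        if ($list.BaseTemplate -ne $docLib -or $list.Hidden) { continue }

                        # Check step 4: collect the content types bound to the library.
                        $names = @($list.ContentTypes | ForEach-Object { $_.Name })

                        $rows += New-Object PSObject -Property @{
                            Web                 = $web.Url
                            Library             = $list.Title
                            ContentTypesEnabled = $list.ContentTypesEnabled
                            ContentTypes        = ($names -join '; ')
                            # Check step 5: no content type defined is a finding.
                            Finding             = ($names.Count -eq 0)
                        }
                    }
                } finally { $web.Dispose() }   # release SPWeb to avoid leaking memory
            }
        } finally { $site.Dispose() }          # release SPSite
    }

    $rows = $rows | Select-Object Web, Library, ContentTypesEnabled, ContentTypes, Finding
    $rows | Export-Csv -Path $ReportPath -NoTypeInformation
    $rows
}

# Show libraries that fail the check; the CSV keeps the full inventory for review.
Get-LibraryContentTypeReport | Where-Object { $_.Finding } |
    Format-Table Web, Library -AutoSize
```

The CSV lists every content type name per library, so a reviewer can compare them against the organizationally defined security attributes (for example PII or FOUO) rather than relying on the count alone.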
Fix Text (F-32249r3_fix)
To define content types and metadata, perform the following for each desired application security attribute, such as PII or FOUO, as defined by organizational requirements.

1. On the site home page, click Site Actions and then click Site Settings.
2. On the Site Settings page, in the Galleries list, click Site content types.
3. Enter a name for the content type and click OK to view the advanced properties.
4. Scroll down the page and add the columns that users will be prompted to fill in as metadata, or the properties to collect, when documents of this content type are added to SharePoint.