Microsoft® SharePoint® 2010 Audit/Assurance Program


ISACA®

With 95,000 constituents in 160 countries, ISACA (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations. ISACA continually updates COBIT®, which helps IT professionals and enterprise leaders fulfil their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.

Disclaimer
ISACA has designed and created Microsoft® SharePoint® 2010 Audit/Assurance Program (the “Work”) primarily as an informational resource for audit and assurance professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, audit and assurance professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or IT environment.

Reservation of Rights
© 2011 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of all or portions of this publication are permitted solely for academic, internal and noncommercial use and consulting/advisory engagements and must include full attribution of the material’s source. No other right or permission is granted with respect to this work.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: [email protected]
Web site: www.isaca.org

ISBN 978-1-60420-189-5 Microsoft® SharePoint® 2010 Audit/Assurance Program

CRISC is a trademark/service mark of ISACA. The mark has been applied for or registered in countries throughout the world.

Microsoft® SharePoint® Audit/Assurance Program is an independent publication and is not affiliated with, nor has it been authorized, sponsored or otherwise approved by, Microsoft Corporation.

© 2011 ISACA. All rights reserved. Page 2


ISACA wishes to recognize:

Author
Norm Kelson, CISA, CGEIT, CPA, CPE Interactive, Inc., USA

Expert Reviewers
Madhav Chablani, CISA, CISM, TippingEdge Consulting Pvt. Ltd., India
Milthon J. Chavez, Ph.D., CISA, CISM, CGEIT, CRISC, ISO27000LA, MCH Consulting, Venezuela
Aurelio Jaimes, CISA, CRISC, Mexico
Vipin Sehgal, CISA, Sun Life Financial, Canada
Tariq Shaikh, CISA, Tim Hortons Inc., Canada

ISACA Board of Directors
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, International President
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, Vice President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Vice President
Niraj Kapasi, CISA, Kapasi Bangad Tech Consulting Pvt. Ltd., India, Vice President
Jeff Spivey, CRISC, CPP, PSP, Security Risk Management, USA, Vice President
Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, CSEPS, RSM Bird Cameron, Australia, Vice President
Emil D’Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi UFJ Ltd., USA, Past International President
Lynn C. Lawton, CISA, CRISC, FBCS CITP, FCA, FIIA, KPMG Ltd., Russian Federation, Past International President
Allan Neville Boardman, CISA, CISM, CGEIT, CRISC, CA (SA), CISSP, Morgan Stanley, UK, Director
Marc Vael, Ph.D., CISA, CISM, CGEIT, CISSP, Valuendo, Belgium, Director

Knowledge Board
Marc Vael, Ph.D., CISA, CISM, CGEIT, CISSP, Valuendo, Belgium, Chairman
Michael A. Berardi Jr., CISA, CGEIT, Nestle USA, USA
John Ho Chi, CISA, CISM, CRISC, CBCP, CFE, Ernst & Young LLP, Singapore
Phil Lageschulte, CGEIT, CPA, KPMG LLP, USA
Jon Singleton, CISA, FCA, Auditor General of Manitoba (retired), Canada
Patrick Stachtchenko, CISA, CGEIT, Stachtchenko & Associates SAS, France

Guidance and Practices Committee
Phil Lageschulte, CGEIT, CPA, KPMG LLP, USA, Chairman
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, 6 Sigma, Quest Software, Spain
Meenu Gupta, CISA, CISM, CBP, CIPP, CISSP, Mittal Technologies, USA
Yongdeok Kim, CISA, IBM Korea Inc., Korea
Perry Menezes, CISM, CRISC, Deutsche Bank, USA
Mario Micallef, CGEIT, CPAA, FIA, Advisory in GRC, Malta
Salomon Rico, CISA, CISM, CGEIT, Deloitte, Mexico
Nikolaos Zacharopoulos, CISA, CISSP, Geniki Bank, Greece

ISACA and IT Governance Institute® (ITGI®) Affiliates and Sponsors
American Institute of Certified Public Accountants
ASIS International
The Center for Internet Security
Commonwealth Association for Corporate Governance Inc.
FIDA Inform
Information Security Forum
Information Systems Security Association
Institute of Management Accountants Inc.
ISACA chapters
ITGI France
ITGI Japan
Norwich University
Solvay Brussels School of Economics and Management
Strategic Technology Management Institute (STMI) of the National University of Singapore
University of Antwerp Management School
ASI System Integration
Hewlett-Packard
IBM
SOAProjects Inc.
Symantec Corp.
TruArx Inc.

© 2011 ISACA. All rights reserved. Page 3

Table of Contents

I. Introduction 4
II. Using This Document 5
III. Assurance and Control Framework 8
IV. Executive Summary of Audit/Assurance Focus 8
V. Audit/Assurance Program 12
    1. Planning and Scoping the Audit 12
    2. Preparatory Steps 13
    3. Governance 14
    4. Server Configuration 20
    5. Network 26
    6. SharePoint Server 27
    7. Contingency Planning 31
VI. Maturity Assessment 32
VII. Maturity Assessment vs. Target Assessment 38

I. Introduction

Overview
ISACA has developed the IT Assurance Framework™ (ITAF™) as a comprehensive and good-practice-setting model. ITAF provides standards that are designed to be mandatory and are the guiding principles under which the IT audit and assurance profession operates. The guidelines provide information and direction for the practice of IT audit and assurance. The tools and techniques provide methodologies, tools and templates to provide direction in the application of IT audit and assurance processes.

Purpose
The audit/assurance program is a tool and template to be used as a road map for the completion of a specific assurance process. ISACA has commissioned audit/assurance programs to be developed for use by IT audit and assurance professionals with the requisite knowledge of the subject matter under review, as described in ITAF section 2200—General Standards. The audit/assurance programs are part of ITAF section 4000—IT Assurance Tools and Techniques.

Control Framework


The audit/assurance programs have been developed in alignment with the ISACA COBIT framework—specifically COBIT 4.1—using generally applicable and accepted good practices. They reflect ITAF sections 3400—IT Management Processes, 3600—IT Audit and Assurance Processes, and 3800—IT Audit and Assurance Management.

Many organizations have embraced several frameworks at an enterprise level, including the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. The importance of the control framework has been enhanced due to regulatory requirements by the US Securities and Exchange Commission (SEC) as directed by the US Sarbanes-Oxley Act of 2002 and similar legislation in other countries. Enterprises seek to integrate control framework elements used by the general audit/assurance team into the IT audit and assurance framework. Since COSO is widely used, it has been selected for inclusion in this audit/assurance program. The reviewer may delete or rename these columns to align with the enterprise’s control framework.

IT Governance, Risk and Control
IT governance, risk and control are critical in the performance of any assurance management process. Governance of the process under review will be evaluated as part of the policies and management oversight controls. Risk plays an important role in evaluating what to audit and how management approaches and manages risk. Both issues will be evaluated as steps in the audit/assurance program. Controls are the primary evaluation point in the process. The audit/assurance program will identify the control objectives and the steps to determine control design and effectiveness.

Responsibilities of IT Audit and Assurance Professionals
IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional has the necessary subject matter expertise required to conduct the work and is supervised by a professional with the CISA designation and/or necessary subject matter expertise to adequately review the work performed.

II. Using This Document

This audit/assurance program was developed to assist the audit and assurance professional in designing and executing a review. Details regarding the format and use of the document follow.

Work Program Steps
The first column of the program describes the steps to be performed. The numbering scheme used provides built-in work paper numbering for ease of cross-reference to the specific work paper for that section. The physical document was designed in Microsoft® Word. The IT audit and assurance professional is encouraged to make modifications to this document to reflect the specific environment under review.

Step 1 is part of the fact gathering and prefieldwork preparation. Because the prefieldwork is essential to a successful and professional review, the steps have been itemized in this plan. The first level steps, e.g., 1.1, are shown in bold type and provide the reviewer with a scope or high-level explanation of the purpose for the substeps.

Beginning in step 2, the steps associated with the work program are itemized. To simplify the use of the program, the audit/assurance objective—the reason for performing the steps in the topic area—is described. The specific controls follow. Each review step is listed below the control. These steps may include assessing the control design by walking through a process, interviewing, observing or otherwise verifying the process and the controls that address that process. In many cases, once the control design has been verified, specific tests need to be performed to provide assurance that the process associated with the control is being followed.

© 2011 ISACA. All rights reserved. Page 5

The maturity assessment, which is described in more detail later in this document, makes up the last section of the program.

The audit/assurance plan wrap-up—those processes associated with the completion and review of work papers, preparation of issues and recommendations, report writing, and report clearing—has been excluded from this document since it is standard for the audit/assurance function and should be identified elsewhere in the enterprise’s standards.

COBIT Cross-reference
The COBIT cross-reference provides the audit and assurance professional with the ability to refer to the specific COBIT control objective that supports the audit/assurance step. The COBIT control objective should be identified for each audit/assurance step in the section. Multiple cross-references are not uncommon. Processes at lower levels in the work program are too granular to be cross-referenced to COBIT. The audit/assurance program is organized in a manner to facilitate an evaluation through a structure parallel to the development process. COBIT provides in-depth control objectives and suggested control practices at each level. As professionals review each control, they should refer to COBIT 4.1 or the IT Assurance Guide: Using COBIT for good-practice control guidance.

COSO Components
As noted in the introduction, COSO and similar frameworks have become increasingly popular among audit and assurance professionals. This ties the assurance work to the enterprise’s control framework. While the IT audit/assurance function uses COBIT as a framework, operational audit and assurance professionals use the framework established by the enterprise. Since COSO is the most prevalent internal control framework, it has been included in this document and is a bridge to align IT audit/assurance with the rest of the audit/assurance function. Many audit/assurance organizations include the COSO control components within their report and summarize assurance activities to the audit committee of the board of directors.

For each control, the audit and assurance professional should indicate the COSO component(s) addressed. It is possible, but generally not necessary, to extend this analysis to the specific audit step level.

The original COSO internal control framework contained five components. In 2004, COSO was revised as the Enterprise Risk Management (ERM) Integrated Framework and extended to eight components. The primary difference between the two frameworks is the additional focus on ERM and integration into the business decision model. ERM is in the process of being adopted by large enterprises. The two frameworks are compared in figure 1.

Figure 1—Comparison of COSO Internal Control and ERM Integrated Frameworks (rows pair the Internal Control Framework component with the corresponding ERM Integrated Framework component)

Internal Control Framework / Control Environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, management’s operating style, delegation of authority systems, as well as the processes for managing and developing people in the organization.

ERM Integrated Framework / Internal Environment: The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

ERM Integrated Framework / Objective Setting: Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.

ERM Integrated Framework / Event Identification: Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.

Internal Control Framework / Risk Assessment: Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, and, thus, risk assessment is the identification and analysis of relevant risks to achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed.

ERM Integrated Framework / Risk Assessment: Risks are analyzed, considering the likelihood and impact, as a basis for determining how they could be managed. Risk areas are assessed on an inherent and residual basis.

ERM Integrated Framework / Risk Response: Management selects risk responses—avoiding, accepting, reducing or sharing risk—developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.

Internal Control Framework / Control Activities: Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

ERM Integrated Framework / Control Activities: Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.

Internal Control Framework / Information and Communication: Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders.

ERM Integrated Framework / Information and Communication: Relevant information is identified, captured and communicated in a form and time frame that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across and up the entity.

Internal Control Framework / Monitoring: Internal control systems need to be monitored—a process that assesses the quality of the system’s performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.

ERM Integrated Framework / Monitoring: The entirety of enterprise risk management is monitored and modifications are made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations or both.

Information for figure 1 was obtained from the COSO web site, www.coso.org/aboutus.htm.

The original COSO internal control framework addresses the needs of the IT audit and assurance professional: control environment, risk assessment, control activities, information and communication, and monitoring. As such, ISACA has elected to utilize the five-component model for these audit/ assurance programs. As more enterprises implement the ERM model, the additional three columns can be added, if relevant. When completing the COSO component columns, consider the definitions of the components as described in figure 1.

Reference/Hyperlink
Good practices require the audit and assurance professional to create a work paper for each line item, which describes the work performed, issues identified and conclusions. The reference/hyperlink is to be used to cross-reference the audit/assurance step to the work paper that supports it. The numbering system of this document provides a ready numbering scheme for the work papers. If desired, a link to the work paper can be pasted into this column.

Issue Cross-reference
This column can be used to flag a finding/issue that the IT audit and assurance professional wants to further investigate or establish as a potential finding. The potential findings should be documented in a work paper that indicates the disposition of the findings (formally reported, reported as a memo or verbal finding, or waived).

Comments
The comments column can be used to indicate the waiving of a step or other notations. It is not to be used in place of a work paper describing the work performed.

© 2011 ISACA. All rights reserved. Page 7

III. Assurance and Control Framework

ISACA IT Assurance Framework and Standards
The ITAF sections relevant to SharePoint 2010 are 3630 General Controls and 3650 Auditing Applications.

ISACA Controls Framework
COBIT is a framework for the governance of IT and a supporting tool set that allows managers to bridge the gap among control requirements, technical issues and business risk. COBIT enables clear policy development and good practice for IT control throughout enterprises.

As described in the following Executive Summary section, SharePoint is an architecture that supports and drives business processes.

The primary COBIT processes associated with a SharePoint implementation are as follows:
- PO2 Define the information architecture—Defined data classification scheme used to establish content security requirements
- PO6 Communicate management aims and directions—Once governance and policies are established, communicating same to the users
- AI1 Identify automated solutions—Business requirements necessary to define and implement business processes
- AI3 Acquire and maintain technology infrastructure—Technology architecture required to support the SharePoint environment and ensure alignment with the enterprise architecture
- DS5 Ensure systems security—Security configuration and processes required to secure the SharePoint contents
- DS9 Manage the configuration—Configuration settings of the various servers that support the SharePoint infrastructure
- DS11 Manage data—Data management classification, storage and retention
- ME2 Monitor and evaluate internal control—The decentralized nature of SharePoint installations requires the monitoring of internal control as part of the management structure
- ME3 Ensure compliance with external requirements—Compliance with regulatory and legal entities associated with the SharePoint content
- ME4 Provide IT governance—Decentralized SharePoint environments, managed by users, require policies and processes to assure adherence to internal controls, effective and efficient data management, and accompanying management oversight

Refer to ISACA’s COBIT Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition, published in 2007, for the related control practice value and risk drivers.

IV. Executive Summary of Audit/Assurance Focus

SharePoint 2010
SharePoint is a group of Microsoft architectures with a common purpose—to provide sharing and retention of data in various forms. SharePoint 2010 is the latest version, which incorporates web portals, application processes and database processes. SharePoint may be deployed in numerous designs for various purposes:

Web site portal design:
- Allows decentralized design and implementation of enterprise or departmental portals (web interfaces)
- Relieves IT resources of processes

Groupware sites:
- Collaboration using Microsoft Office applications (Word, Excel, Access) and SharePoint Workspace

Content management:
- Document management—version control, retention control
- Document distribution
- Records management

Workflow management:
- Entering content into a management and review process
- Verification of content attributes
- Approval mechanisms

Interfaces with application database systems (e.g., Oracle and SAP):
- Infrastructure as an intermediary between the user and other applications

© 2011 ISACA. All rights reserved. Page 8

SharePoint implementations may be centralized or more commonly decentralized by business unit or function. The latter provides more challenges to the effective and secure controls over content; requiring a focus on governance practices, policy and guideline communications with the users, and a managerial monitoring activity to assure compliance with governance requirements.

The system architecture includes a front-end web server, to provide user “look and feel;” an application server(s) to perform a business process; and a database server(s) to store and provide access to the data. This architecture is normally a Microsoft Internet Information Services web server, a group of application servers (search, Office Applications, etc.), and a Microsoft SQL server to maintain the database processes.

Content is difficult to monitor because of the inability to use automation to scrutinize content. Therefore, governance, management oversight, and strong content management policies, including policy follow-through via interaction with human resource functions, are the keys to securing content.

Business Impact and Risk
The primary focus of a SharePoint implementation is the data content. The effect on the business is dependent on the content of the SharePoint site. SharePoint sites may contain:
- Intellectual property (patents, copyrighted material)
- Enterprise sensitive material (board of directors report distribution and repository, financial data, marketing and strategic planning data, etc.)
- Applications (payroll time sheet reporting, personnel reviews, accounts payable and expense reporting, etc.)
- Enterprise or department procedures and policies
- Internal audit work papers
- Issue monitoring
- Internal control documentation and testing

Failure to design and manage effective SharePoint controls could result in:
- Destruction of enterprise data
- Disclosure of sensitive information
- Reputational risk and loss of confidence by stakeholders, business partners and customers due to disclosure of information or related publicity
- Fines and penalties
- Lost productivity due to inefficient security administration
- Unauthorized changes to data
- Security breaches

© 2011 ISACA. All rights reserved. Page 9

Objective and Scope
SharePoint is a group of technologies that support the content and any workflow processes and, therefore, must be of primary focus. The decentralized nature of some SharePoint implementations requires a focus on the governance, policies and monitoring/oversight functions associated with its implementation.

During the audit planning process, the auditor must determine the scope of the audit. Depending on the implementation, this may include:
- Evaluation of SharePoint governance, policies and oversight
- Data classification policies and management
- SharePoint content definition, business case, development and implementation controls¹
- Assessments of IT architecture to support SharePoint (web servers, application servers and database servers)
- Baseline configuration of specific hardware/software implementation

Recognizing these issues, this document cannot offer a specific objective and scope. It is the responsibility of the auditor to determine the objectives and scope of the audit, after considering the content or processes managed by the SharePoint environment and the associated risk.

Minimum Audit Skills
SharePoint 2010 is a complex group of architectures requiring technical expertise and understanding as well as the ability to evaluate the vulnerabilities based on the sensitivity of the content. The audit and assurance professional should have the requisite knowledge of SharePoint architecture, risk and controls. The audit and assurance professional should be cautioned not to attempt to conduct an audit/assurance review of SharePoint 2010 utilizing this program as a checklist. Prior to commencing an audit of SharePoint 2010, the auditor should consider reviewing the following resources:
- Chennault, Dave; Chuck Strain; SharePoint Deployment and Governance Using COBIT 4.1: A Practical Approach, ISACA, 2010
- Jamison, Scott; Susan Hanley; Mauro Cardarelli; Essential SharePoint 2010: Overview, Governance and Planning, Pearson Education, Addison-Wesley, USA, 2011

The following resources provide guidance for the technical and configuration aspects of the SharePoint environment:
- “Account Permissions and Security Settings (SharePoint Server 2010),” Technet.microsoft.com/en-us/library/cc678863.aspx
- “Determine Permission Levels and Groups (SharePoint Server 2010),” Technet.microsoft.com/en-us/library/cc262690.aspx
- “Least Privilege Service Accounts for SharePoint 2010,” www.sharepointpromag.com
- “Plan Security Hardening (SharePoint Server 2010),” Technet.microsoft.com/en-us/library/cc262849.aspx
- “Plan Site Permissions (SharePoint Server 2010),” Technet.microsoft.com/en-us/library/cc262778.aspx
- “SharePoint 2010 Architecture Overview,” msdn.microsoft.com/en-us/library/gg552610.aspx
- “SharePoint Architecture,” msdn.microsoft.com/en-us/library/gg552610.aspx
- “SharePoint Deployment and Governance,” www.sharepointpromag.com

¹ It may be necessary to add a systems development/project management review process to the audit/assurance review to focus on the development process.

© 2011 ISACA. All rights reserved. Page 10


V. Audit/Assurance Program

Column headings of the audit/assurance program table: Audit/Assurance Program Step; COBIT Cross-reference; COSO Reference (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring); Hyper-link; Issue Cross-reference; Comments.

1. PLANNING AND SCOPING THE AUDIT

1.1 Define the audit/assurance objectives. The audit/assurance objectives are high level and describe the overall audit goals.

1.1.1 Review the audit/assurance objectives in the introduction to this audit/assurance program.

1.1.2 Modify the audit/assurance objectives to align with the audit/assurance universe, annual plan and charter.

1.2 Define audit assignment success. The success factors need to be identified. Communication among the IT audit/assurance team, other assurance teams and the enterprise is essential.

1.2.1 Identify the drivers for a successful review. (This should exist in the assurance function’s standards and procedures.)

1.2.2 Communicate success attributes to the process owner or stakeholder, and obtain agreement.

1.3 Define the boundaries of the review. The review must have a defined scope. Understand the functions and application requirements for the SharePoint sites within the scope.

1.3.1 Obtain a list of SharePoint sites.

1.3.2 Determine the content of SharePoint sites to be considered for review.

1.3.3 Determine if a data classification analysis has been performed for the SharePoint sites.

1.3.4 Identify the criteria for selecting SharePoint sites for inclusion in the audit/review.

1.4 Identify and document audit risk. The risk assessment is necessary to evaluate where audit resources should be focused. In most enterprises, audit resources are not available for all processes. The risk-based approach assures utilization of audit resources in the most effective manner.

1.4.1 Identify the business risk associated with the SharePoint sites under consideration for review.

1.4.2 Based on the risk assessment, evaluate the overall audit risk factor for performing the review.

1.4.3 Based on the risk assessment, identify changes to the scope.

1.4.4 Discuss the risk with IT management and stakeholders, and adjust the risk assessment.

1.4.5 Based on the risk assessment, revise the scope.


1.5 Define the audit change process. The initial audit approach is based on the reviewer’s understanding of the operating environment and associated risk. As further research and analysis are performed, changes to the scope and approach may result.

1.5.1 Identify the senior IT audit/assurance resource responsible for the review.

1.5.2 Establish the process for suggesting and implementing changes to the audit/assurance program and the authorizations required.

1.6 Define the audit/assurance resources required. The resources required are defined in the introduction to this audit/assurance program.

1.6.1 Determine the audit/assurance skills necessary for the review.

1.6.2 Estimate the total audit/assurance resources (hours) and time frame (start and end dates) required for the review.

1.7 Define deliverables. The deliverable is not limited to the final report. Communication between the audit/assurance teams and the process owner is essential to assignment success.

1.7.1 Determine the interim deliverables, including initial findings, status reports, draft reports, due dates for responses or meetings, and the final report.

1.8 Communicate. The audit/assurance process must be clearly communicated to the customer/client.

1.8.1 Conduct an opening conference to discuss:

- Objectives with the stakeholders
- Documents and information security resources required to perform the review
- Scope, scope limitations (audit boundaries), budgets, due dates, time lines, milestones and deliverables

2. PREPARATORY STEPS

2.1 Obtain and review the current organizational charts relating to SharePoint.

2.1.1 Obtain the organization chart for the IT infrastructure.

2.1.2 Obtain the organization chart for the SharePoint administration, site management and other stakeholders.

2.2 Determine if audits of SharePoint, IIS and SQL server have been performed.

2.2.1 If these audits have been performed, obtain the work papers for the previous audits.

2.2.1.1 Review the security configuration, and determine if identified issues have been corrected.


2.2.1.2 Determine if the specific servers under consideration for inclusion in the scope of this audit have been included in the review.

2.3 Select the SharePoint web farms, collections, and sites to be included in the review.

2.3.1 Based on the prioritized list of SharePoint sites, select the farms and supporting servers to be included in the review. Be sure that there is a representative sample of high-risk SharePoint sites.

3. GOVERNANCE

3.1 Business Case

Audit/Assurance Objective: The initial SharePoint infrastructure and SharePoint sites are supported by a documented business case describing the return on investment, and other benefits.

3.1.1 SharePoint Infrastructure Business Case

Control: A business case to support the development of a SharePoint infrastructure is fully documented and describes the benefits to be realized from a SharePoint system.

COBIT cross-reference: PO1.2, PO2.1, AI1.3, AI3.1. COSO reference: X X X X.

3.1.1.1 Obtain the business case for the initial design of the SharePoint infrastructure.

3.1.1.2 Determine if the business case describes the benefits to be realized from a SharePoint infrastructure and is appropriately authorized.

3.1.2 SharePoint Site Business Case Requirements

Control: A business case to support the development of a SharePoint site is fully documented and describes the benefits to be realized from a SharePoint site.

COBIT cross-reference: PO1.2, PO2.1, AI1.3, AI3.1, DS11.1. COSO reference: X X X.

3.1.2.1 Select a sample of SharePoint sites within the audit scope.

3.1.2.1.1
3.1.2.1.2
3.1.2.1.3
3.1.2.1.4
3.1.2.1.5

3.1.2.2 For each selected SharePoint site, determine if the enterprise systems development policy would require a business case; consider investment, cost, content sensitivity, etc.

3.1.2.3 If a business case is required, determine that a business case exists, describes the benefits to be realized from a SharePoint site, and is appropriately authorized.


3.2 SharePoint Policies

3.2.1 Guiding Principles

Audit/Assurance Objective: SharePoint implementations adhere to enterprise objectives or guiding principles.

3.2.1.1 SharePoint Guiding Principles Document

Control: A guiding principles document has been established and addresses key SharePoint design and operations issues.

COBIT cross-reference: PO1.4, PO6, AI1.1, AI1.4, ME4. COSO reference: X X.

3.2.1.1.1 Determine if a guiding principles or similarly named document exists which outlines the specific design objectives.

3.2.1.1.1.1 General

3.2.1.1.1.1.1 Determine that the content of the site is based on the guiding principles.

3.2.1.1.1.1.2 Determine that the guiding principles address enterprise general policies relating to privacy, copyright, records retention, confidentiality and security.

3.2.1.1.1.2 Site Design

3.2.1.1.1.2.1 Verify if the guiding principles require site design to:

- Use a consistent design
- Utilize reusable metadata across sites without duplicating content
- Approve changes based on demonstrated need
- Have a designated owner

3.2.1.1.1.3 Content

3.2.1.1.1.3.1 Verify if the guiding principles address the following content issues:

- Content is posted in one place and cross-referenced via hyperlinks
- Always edit in place to preserve versions
- Site owners are accountable for content management; everyone is responsible for content management


- Copyrights are respected and require licensing or explicit approval

3.2.2 Policies and Standards

Audit/Assurance Objective: Policies and standards adhere to enterprise policies and standards.

3.2.2.1 SharePoint Policies and Standards

Control: SharePoint policies are defined, documented and distributed to SharePoint developers, stakeholders and users.

3.2.2.1.1 Determine if a SharePoint policies and standards document exists. (COBIT cross-reference: PO3.4)

3.2.2.1.2 Obtain the SharePoint policies and standards document, and verify the following.

3.2.2.1.2.1 General

3.2.2.1.2.1.1 SharePoint policies and standards align with corporate policies and standards.

3.2.2.1.2.1.2 Access to data stored on SharePoint sites is on a need-to-know basis.

3.2.2.1.2.1.3 SharePoint policies and standards are reviewed at least annually or when major changes are implemented, and updated as required.

3.2.2.1.2.2 Content

3.2.2.1.2.2.1 Content is deleted when no longer needed according to content retention policies.

3.2.2.1.2.2.2 Content in draft form is deleted once published as final.²

3.2.2.1.2.2.3 Documents are edited within the SharePoint site to retain version control; deleting current versions and replacing them with new versions is not permitted.

3.2.2.1.2.2.4 Naming conventions are established and monitored.

3.2.2.1.2.2.5 Home page content is limited.

3.2.2.1.2.2.6 Content is subject to review according to enterprise data classification policies and computer use policies.

2 Some content retention requirements encourage or require deletion of drafts, but in other cases they are maintained.


3.2.2.1.2.2.7 Data is retained according to enterprise retention policies, with provisions for a more stringent policy based on data classification and data content.

3.2.2.1.2.3 Design Policies

3.2.2.1.2.3.1 Page layout and organization is based on an enterprise standard using approved designs for the various types of sites (e.g., document retention, informational, program repositories, wikis, etc.).

3.2.2.1.2.3.2 Branding is defined, including use of logos, enterprise bylines, colors and fonts.

3.2.2.1.2.3.3 Security requirements are defined according to enterprise security policies, separation of duties, approval policies, etc. based on the data classification of stored content.

3.2.2.1.2.4 Specific Site Policies

3.2.2.1.2.4.1 Specific sites may alter policies to require more stringent security and design guidelines. More relaxed policies not in compliance with data classification standards and guidelines must be approved by Information Security management and the business data owner.

3.2.2.1.2.5 Audit Policies

3.2.2.1.2.5.1 Audit policies are aligned with enterprise audit policies based on data classification.


3.2.2.1.2.5.2 Audit policies include monitoring of access by the following and describe the level of monitoring:

- Farm administrators
- Site collection administrators
- Site administrators
- Users of data classified as requiring auditing

3.2.2.1.2.6 Workflow

3.2.2.1.2.6.1 Workflow design has an intuitive process.

3.2.2.1.2.6.2 Workflow processes require appropriate approvals based on application, separation of duties and data classification.


3.2.2.1.2.6.3 Workflow processes are subject to the application development design requirements.

3.2.2.1.2.6.4 Workflow security is established and in alignment with enterprise application security standards.

3.2.3 Roles and Responsibilities

Audit/Assurance Objective: Policies and standards address the roles and responsibilities for implementing and maintaining SharePoint sites, including the technology that supports SharePoint and the content stored.

3.2.3.1 Roles and Responsibilities Description

Control: A SharePoint policies and responsibilities document describes the specific responsibilities of key job functions.

COBIT cross-reference: PO4.6, PO7. COSO reference: X X.


3.2.3.1.1 Determine if a SharePoint roles and responsibilities document exists.

3.2.3.1.2 If the document exists, evaluate the appropriateness of the descriptions for the following roles:

- Executive sponsor
- Governance board or steering committee
- Stakeholders
- Technology administrator
- Technology support team
- Content manager/metadata steering committee
- SharePoint enterprise architect
- SharePoint implementation consultant
- Power user
- Site owner
- Site designer
- User


3.2.3.1.3 Review the roles against the following responsibilities to assure these responsibilities are assigned to a job function and to individual(s):

- Management of the technical environment (infrastructure including server, networks, database management, web management)
- Management of the SharePoint farms
- Management of the site collections
- Management of individual sites
- Site setup security and access control
- Page site design
- Site content


3.3 Monitoring

3.3.1 Monitoring

Audit/Assurance Objective: SharePoint projects and implementations are subject to regular monitoring and reporting, based on criticality and sensitivity of data, and adherence to management oversight requirements.

3.3.1.1 Management Oversight of SharePoint Implementations and Operations

Control: SharePoint implementations follow the enterprise project management system and, where practical, the project management and systems development life cycle.

COBIT cross-reference: PO10, ME1. COSO reference: X X.

3.3.1.1.1 Select a sample of SharePoint implementations. Include high-risk and high-profile SharePoint implementations in the sample.

3.3.1.1.2 Obtain project documentation.


3.3.1.1.3 Determine if the monitoring of the SharePoint project was/is in alignment with enterprise standards.

3.3.1.1.4 Determine if SharePoint operations are monitored in a manner consistent with other operational processes.

3.3.1.2 Issue Monitoring

Control: SharePoint implementation and operations are subject to issue monitoring and escalation to appropriate managers in the IT and business units.

COBIT cross-reference: PO10, DS8, ME1, ME2, ME4. COSO reference: X X X X.

3.3.1.2.1 Obtain issue monitoring reports.

3.3.1.2.2 Evaluate the issue monitoring function for effectiveness, completeness, and appropriate and timely escalations.


4. SERVER CONFIGURATION

4.1 Virtualization

Audit/Assurance Objective: SharePoint servers (web, application, and database) running in a virtualized environment have been segregated from other servers.

4.1.1 Virtualization Segregation

Control: SharePoint servers are segregated from other servers in the virtualization pool.

COBIT cross-reference: PO2.1, DS5.1, DS9. COSO reference: X.

4.1.1.1 Obtain the server virtualization specifications and architecture documentation.

4.1.1.2 Determine that controls within the virtualization configuration assure segregation of SharePoint processes, logical access to the server contents, and access rights from other environments and the console.


4.1.1.3 If a virtualization audit has been performed, review the findings and issue monitoring for identified control concerns and remediation plans.

4.1.1.4 If no virtualization audit has been performed and the SharePoint servers operate in a virtualized environment, consider postponing the SharePoint audit until a virtualization audit can be performed. Refer to the ISACA VMware Audit/Assurance Program, if appropriate.


4.2 Web Server

Audit/Assurance Objective: The web server(s) acting as the portal and front end to the SharePoint system are configured for maximum security.

4.2.1 IIS Web Services Configured for Security

Control: IIS web servers have been configured for maximum security.

COBIT cross-reference: PO2.1, DS5.1, DS9. COSO reference: X.

4.2.1.1 Determine if an audit of IIS (Microsoft Internet Information Services) has been performed for the web servers processing SharePoint services.

4.2.1.2 If an audit addressing the SharePoint web servers has not been completed, consider postponing the SharePoint audit until an audit of the SharePoint IIS servers is complete. Consider using the ISACA IIS 7.x Audit/Assurance Program.


4.2.2 IIS Web Server Dedication

Control: IIS web servers are dedicated to SharePoint web sites only.

COBIT cross-reference: PO2.1, DS5.1, DS9. COSO reference: X.

4.2.2.1 Select a sample of web servers dedicated to SharePoint.

4.2.2.2 Determine that no other web sites are configured for these servers.


4.3 Application Servers

Audit/Assurance Objective: The servers providing intermediate processes, including search services (indexing), Office-specific services (Excel, Word, PowerPoint and Visio), managed metadata services, etc., are segregated from the web servers, SQL servers, and other applications/functions.

4.3.1 Application Servers Configured for Security

Control: Application servers are dedicated to specific processes.

COBIT cross-reference: PO2.1, DS5, DS9. COSO reference: X.

4.3.1.1 Obtain a list of services operating on application servers.

4.3.1.2 Determine if nonessential services are operating on the servers.

4.3.1.3 Determine if additional audit/assurance procedures are necessary for each application.³

3 The audit/assurance processes will be dependent on the application and the data classification of the content maintained by the application. The audit/assurance professional will need to use professional judgment in making this determination.


4.3.2 Application Server Dedication

Control: Application servers are dedicated to SharePoint sites only.

COBIT cross-reference: PO2.1, DS5, DS9. COSO reference: X.

4.3.2.1 Select a sample of application servers dedicated to SharePoint. Determine that no applications other than SharePoint are configured for these servers.

4.4 SQL Server

Audit/Assurance Objective: SQL server(s) providing SharePoint database services are segregated from other SharePoint activities and are hardened.

4.4.1 SQL Server Dedication

Control: SQL servers are dedicated to SharePoint only.

COBIT cross-reference: PO2.1, DS5, DS9. COSO reference: X.

4.4.1.1 Select a sample of SQL servers dedicated to SharePoint.

4.4.1.2 Determine that no other database services are configured on these servers.


4.4.2 SQL Services Configured for Security

Control: SQL servers have been configured for maximum security.

COBIT cross-reference: PO2.1, DS5.1, DS9. COSO reference: X.

4.4.2.1 Determine if an audit of SQL server has been performed for the web servers processing SharePoint services.

4.4.2.2 If an audit had been performed recently, determine if outstanding issues have been corrected.

4.4.2.3 Using the SQL Server Management Studio: Verify that the logins include an SQLSvc account and a SharePoint farm account (spFarm).

4.4.2.4 Verify that the two accounts above are not members of the domain administrators group.

4.4.2.5 Determine if the SQL databases have been further secured by blocking the standard SQL ports (normally 1433 and 1434) and assigning nonstandard ports.
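The following PowerShell script is an added example for steps 4.4.2.3 to 4.4.2.5; it is not part of the ISACA program and not Microsoft code. It gathers the same evidence the steps ask for from the SQL Server instance hosting the SharePoint databases instead of reading it off the Management Studio screens. It assumes the SQLPS module (Invoke-Sqlcmd) and the ActiveDirectory module are available, that the session has VIEW SERVER STATE on the instance, and that the instance name and the CONTOSO domain prefix on the two accounts are placeholders to be replaced for the farm under review.

```powershell
# Added example for steps 4.4.2.3 to 4.4.2.5; not part of the ISACA program.
# Assumptions (placeholders, adjust to the farm under review):
#   - SQLPS (Invoke-Sqlcmd) and ActiveDirectory modules are installed; the session runs
#     under an account with VIEW SERVER STATE on the instance and read access to AD
#   - $Instance names the SQL Server instance that hosts the SharePoint databases
#   - $ExpectedLogins are the SQL service account and the SharePoint farm account
#     (the CONTOSO domain prefix is invented for this example)
param(
    [string]$Instance = 'SQL01\SHAREPOINT',
    [string[]]$ExpectedLogins = @('CONTOSO\SQLSvc', 'CONTOSO\spFarm')
)

Import-Module SQLPS -DisableNameChecking -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

# Step 4.4.2.3: Windows logins defined on the instance (U = Windows user, G = Windows group).
# Built-in NT SERVICE / NT AUTHORITY logins are left out of the comparison.
$logins = Invoke-Sqlcmd -ServerInstance $Instance -Query @"
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE type IN ('U', 'G') AND name NOT LIKE 'NT %'
"@
$loginNames = @($logins | ForEach-Object { $_.name })

"--- Step 4.4.2.3: expected Windows logins on $Instance ---"
foreach ($account in $ExpectedLogins) {
    $present = $loginNames -contains $account
    "{0,-30} present: {1}" -f $account, $present
}

# Step 4.4.2.4: neither account may be in Domain Admins, directly or through nested groups.
"--- Step 4.4.2.4: Domain Admins membership ---"
$domainAdmins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    ForEach-Object { $_.SamAccountName })
foreach ($account in $ExpectedLogins) {
    $sam = $account.Split('\')[-1]
    if ($domainAdmins -contains $sam) {
        "FINDING: $account is a member of Domain Admins"
    } else {
        "OK: $account is not a member of Domain Admins"
    }
}

# Step 4.4.2.5: the TCP port the engine accepted this session on. Because the connection
# above was made by instance name, this is the port the instance actually listens on.
# local_tcp_port is NULL when the session arrived over shared memory (local run), so the
# check has to be made from a remote host to be meaningful.
"--- Step 4.4.2.5: listening port ---"
$conn = Invoke-Sqlcmd -ServerInstance $Instance -Query @"
SELECT local_net_address, local_tcp_port
FROM sys.dm_exec_connections
WHERE session_id = @@SPID
"@
$port = $conn.local_tcp_port
if ($port -eq $null -or $port -is [System.DBNull]) {
    "Session used shared memory; rerun from a remote host to observe the TCP port."
} elseif ([int]$port -eq 1433) {
    "Instance listens on the default port 1433 (the SQL Browser on UDP 1434 is then normally in use too)."
} else {
    "Instance listens on nonstandard port $port; confirm the firewall blocks TCP 1433 and UDP 1434."
}
```

The script reports rather than remediates: a service account in Domain Admins or the engine still on 1433 is written to the work papers as a finding for the control owner, and the output lines map one to one onto the three audit steps so they can be pasted into the Comments column.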


4.5 Web and Application Server Hardening

Audit/Assurance Objective: Web and application servers utilize only required services and ports.

4.5.1 Specific Services Are Enabled

Control: Only required services are enabled.

COBIT cross-reference: DS9. COSO reference: X.

4.5.1.1 Verify that only the following services are enabled:

- File and Printer Sharing
- ASP.NET State Service (if using InfoPath Forms Services or Microsoft Project Server)
- View State service (if using InfoPath Forms Services)
- World Wide Web Publishing Service
- Claims to Windows Token Service
- SharePoint 2010 Administration
- SharePoint 2010 Timer
- SharePoint 2010 Tracing
- SharePoint 2010 VSS Writer
- SharePoint 2010 User Code Host⁴
- SharePoint Foundation Search V4 OR SharePoint Server Search 14
- User Profile Service (integration of user profiles from a directory store)⁵
- Forefront Identity Manager Service⁶
- Forefront Identity Manager Synchronization Service⁷

4 If a sandbox testing environment is required.
5 If user profile synchronization of an LDAP identity system is in use.
6 See footnote 3.
7 See footnote 3.
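The following PowerShell script is an added example for step 4.5.1.1; it is not part of the ISACA program and not Microsoft code. It records the state and start mode of every service named in the step and then lists any running SharePoint, IIS, SQL or Forefront service that is not on the list. It assumes it is run locally on the server under review in an elevated session (PowerShell 2.0 or later), and that the display names, copied from the step, are adjusted to the farm's actual feature set.

```powershell
# Added example for step 4.5.1.1; not part of the ISACA program.
# Assumptions: run locally on the web or application server under review, elevated,
# PowerShell 2.0 or later. The display names are copied from the audit step and may need
# adjusting to the farm's feature set (sandbox solutions, profile synchronization).
$AllowedDisplayNames = @(
    'ASP.NET State Service',
    'View State service',
    'World Wide Web Publishing Service',
    'Claims to Windows Token Service',
    'SharePoint 2010 Administration',
    'SharePoint 2010 Timer',
    'SharePoint 2010 Tracing',
    'SharePoint 2010 VSS Writer',
    'SharePoint 2010 User Code Host',
    'SharePoint Foundation Search V4',
    'SharePoint Server Search 14',
    'User Profile Service',
    'Forefront Identity Manager Service',
    'Forefront Identity Manager Synchronization Service'
)
# "File and Printer Sharing" in the step is a Windows feature; its service-level
# counterpart is the Server service (LanmanServer), so it is recorded with the others.
$services   = Get-Service
$wmiService = Get-WmiObject -Class Win32_Service   # supplies StartMode (Auto/Manual/Disabled)

# 1. Evidence: status and start mode of every service named in the step
$expected = foreach ($name in ($AllowedDisplayNames + 'Server')) {
    $svc = $services | Where-Object { $_.DisplayName -eq $name }
    $status = 'not installed'
    $startMode = 'n/a'
    if ($svc) {
        $status    = $svc.Status
        $startMode = ($wmiService | Where-Object { $_.Name -eq $svc.Name }).StartMode
    }
    New-Object PSObject -Property @{ Service = $name; Status = $status; StartMode = $startMode }
}
$expected | Select-Object Service, Status, StartMode | Format-Table -AutoSize

# 2. Running services from the SharePoint/IIS/SQL/Forefront stack that are not on the list.
#    Base operating-system services are deliberately outside the pattern: they belong to
#    the Windows hardening review, not to this SharePoint step.
$candidates = $services | Where-Object {
    $_.Status -eq 'Running' -and
    $_.DisplayName -match 'SharePoint|IIS|World Wide Web|SQL|Forefront|ASP\.NET|InfoPath' -and
    ($AllowedDisplayNames -notcontains $_.DisplayName)
}
if ($candidates) {
    "Running services outside the step 4.5.1.1 list (assess each against the farm design):"
    $candidates | Select-Object Name, DisplayName | Format-Table -AutoSize
} else {
    "No running SharePoint/IIS/SQL/Forefront services outside the step 4.5.1.1 list."
}
```

A service that is installed but has StartMode Disabled satisfies the control as written; one that is Stopped but set to Auto will be running again after the next reboot, so the start mode is the value to look at, not the momentary status.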


4.5.2 Port Restrictions

Control: Only required ports are open.

COBIT cross-reference: DS5.1, DS9. COSO reference: X.

4.5.2.1 Verify that the following ports are configured:

- TCP 80, TCP 443 (SSL)
- If search crawling is configured, identify and verify custom ports
- File and Printer Sharing Service, only one of the following is enabled:
  - Server Message Block (SMB) TCP/UDP 445 (recommended)
  - NetBIOS over TCP/IP (NetBT) TCP/UDP 137-139
- Communications between web servers and service applications:
  - HTTP 32843 (default)
  - HTTPS 32844
  - net.tcp 32845 (if implemented by a third-party service application)
- Synchronizing profiles between SharePoint 2010 Products and Active Directory when running Forefront Identity Management agent:
  - TCP 5725
  - TCP/UDP 389 (LDAP Service)
  - TCP/UDP 88 (Kerberos)
  - TCP/UDP 53 (DNS)
  - UDP 464 (Kerberos Change Password)
- SharePoint SQL server ports UDP 1434 and TCP 1433 unless configured with other ports
- SharePoint User Code Service⁸ (for sandbox solutions): TCP/IP 32846, outbound on all web servers, inbound for web or application servers where the service is enabled
- Central Administration site port is BLOCKED from other clients
- SMTP integration: TCP 25

8 If sandbox environment is required.
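The following PowerShell script is an added example for step 4.5.2.1; it is not part of the ISACA program and not Microsoft code. It lists every port the server is actually listening on and marks each one against the port list in the step, so the reviewer sees both missing expected ports and unexpected open ones. It assumes it is run locally on the web or application server under review; netstat is parsed instead of Get-NetTCPConnection so the check also works on Windows Server 2008 R2 with PowerShell 2.0, and $CentralAdminPort is a placeholder to be read from IIS before running.

```powershell
# Added example for step 4.5.2.1; not part of the ISACA program.
# Assumptions: run locally on the server under review; netstat output is parsed so the
# script works on Windows Server 2008 R2 / PowerShell 2.0; $CentralAdminPort is a
# placeholder and must be set to the farm's Central Administration port (from IIS).
param([int]$CentralAdminPort = 2010)

# Ports named in step 4.5.2.1 (web/application server side), keyed "PROTOCOL/port"
$ExpectedPorts = @{
    'TCP/80'    = 'HTTP web application'
    'TCP/443'   = 'HTTPS web application'
    'TCP/445'   = 'SMB file and printer sharing (recommended)'
    'UDP/445'   = 'SMB file and printer sharing (recommended)'
    'TCP/137'   = 'NetBT (only if SMB on 445 is not used)'
    'TCP/138'   = 'NetBT (only if SMB on 445 is not used)'
    'TCP/139'   = 'NetBT (only if SMB on 445 is not used)'
    'UDP/137'   = 'NetBT (only if SMB on 445 is not used)'
    'UDP/138'   = 'NetBT (only if SMB on 445 is not used)'
    'UDP/139'   = 'NetBT (only if SMB on 445 is not used)'
    'TCP/32843' = 'Service applications over HTTP'
    'TCP/32844' = 'Service applications over HTTPS'
    'TCP/32845' = 'Service applications over net.tcp (third-party only)'
    'TCP/32846' = 'User Code Service (sandbox solutions only)'
    'TCP/5725'  = 'Forefront Identity Manager profile synchronization'
    'TCP/25'    = 'SMTP integration'
}

# netstat -ano prints "TCP local foreign STATE pid" and "UDP local foreign pid".
# The pattern keeps TCP sockets in LISTENING state and every bound UDP socket; TCP lines
# in any other state fail to match because their state word is not a pid.
$pattern = '^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:LISTENING\s+)?(\d+)\s*$'
$listening = netstat -ano | ForEach-Object {
    if ($_ -match $pattern) {
        New-Object PSObject -Property @{
            Protocol  = $Matches[1]
            Address   = $Matches[2]
            Port      = [int]$Matches[3]
            ProcessId = [int]$Matches[4]
        }
    }
}

$report = $listening | Sort-Object Protocol, Port -Unique | ForEach-Object {
    $key  = '{0}/{1}' -f $_.Protocol, $_.Port
    $proc = Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue
    $procName = "pid $($_.ProcessId)"
    if ($proc) { $procName = $proc.ProcessName }
    if ($ExpectedPorts.ContainsKey($key)) {
        $verdict = 'expected: ' + $ExpectedPorts[$key]
    } elseif ($_.Port -eq $CentralAdminPort) {
        $verdict = 'Central Administration: confirm the firewall blocks other clients'
    } elseif ($_.Port -eq 1433 -or $_.Port -eq 1434) {
        $verdict = 'SQL Server port on a web/application server: investigate'
    } else {
        $verdict = 'not in the step 4.5.2.1 list: assess (custom crawl port, OS service, or unneeded)'
    }
    New-Object PSObject -Property @{
        Protocol = $_.Protocol; Port = $_.Port; Address = $_.Address
        Process  = $procName;   Verdict = $verdict
    }
}
$report | Select-Object Protocol, Port, Address, Process, Verdict | Format-Table -AutoSize

# Expected ports with no listener at all (a stopped service, or a feature not deployed)
$open = @($report | ForEach-Object { '{0}/{1}' -f $_.Protocol, $_.Port })
$ExpectedPorts.Keys | Where-Object { $open -notcontains $_ } |
    ForEach-Object { "Not listening: $_ ($($ExpectedPorts[$_]))" }
```

The script shows what the host has bound, which is only half of the control: the step is satisfied when the Windows Firewall or a network firewall restricts those ports to the intended peers, so the listening-port evidence is read together with the firewall rule export for the same server.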

Page 34: Windows Active Directory Audit/Assurance Program … · Web viewMicrosoft® SharePoint® 2010 Audit/Assurance Program ISACA® With 95,000 constituents in 160 countries, ISACA () is

Microsoft® SharePoint® 2010 Audit/Assurance Program

Audit/Assurance Program StepCOBIT Cross-

reference

COSO

Reference

Hyper-link

IssueCross-

referenceComments

Con

trol E

nviro

nmen

t

Ris

k A

sses

smen

t

Con

trol A

ctiv

ities

Info

rmat

ion

and

Com

mun

icat

ion

Mon

itorin

g

4.5.3 .Net Configuration Control: .Net configuration settings are at a highly secure level.9

DS5.1DS9 X

4.5.3.1 Determine if the audit scope requires evaluation of all SharePoint installations or a sample.

4.5.3.2 If the audit scope utilizes a sample approach, select those SharePoint installations with the higher data classification rating, or if no data classification system is in use, conduct a risk assessment to select the highest risk content servers.

4.5.3.3 The remainder of the steps in this section should be performed on a sample or the total population.

4.5.3.4 For each server, obtain the server web.config located in: windows\Microsoft.NET\Framework\%VersionNumber%\Config (note 10)

4.5.3.5 For each SharePoint Central Administration site, obtain the web.config located in: \inetpub\wwwroot\wss\virtualdirectories\{Central Administration port#} (note 11)

4.5.3.6 For each SharePoint site in the sample or population, obtain the web.config located in: \inetpub\wwwroot\wss\virtualdirectories\{port#} (note 12)

4.5.3.7 Verify the following settings within each web.config.
4.5.3.7.1 The trust element in the web.config is set to WSS_Minimal to limit access to read for the application folders. (note 13)

4.5.3.7.2 Server-side scripting is disabled (compilation or scripting of database pages via the PageParserPaths element is not permitted). (note 14)

9 These settings are very complex and may have variations. The settings set forth in this document are suggested for Security Hardening. Consult SharePoint experts before recommending any changes.

10 Version number for SharePoint 2010 is V4.
11 Substitute the port number of the Central Administration web site.
12 The port number for each web site is assigned within IIS. Normally http=80 and https=443; however, these ports can be customized by the implementer.
13 <system.web>
     <securityPolicy>
       <trustLevel name="Full" policyFile="internal" />
       <trustLevel name="High" policyFile="web_hightrust.config" />
       <trustLevel name="Medium" policyFile="web_mediumtrust.config" />
       <trustLevel name="Low" policyFile="web_lowtrust.config" />
       <trustLevel name="Minimal" policyFile="web_minimaltrust.config" />
     </securityPolicy>
     <trust level="Minimal" originUrl="" />
   </system.web>

14 <SharePoint> <PageParserPaths> </PageParserPaths>


4.5.3.7.3 Turn off debugging mode.15
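The three web.config checks of 4.5.3.7 as a script, an added example that is not part of the ISACA program: it reads a web.config collected in 4.5.3.4 to 4.5.3.6 and reports the trust level, any PageParserPath entry, and the SafeMode debugging attributes from footnote 15. The two sample files are constructed and cut down to the elements the footnotes show; the compilation debug check is one step beyond what the footnotes list.

```python
"""Check the web.config settings named in steps 4.5.3.7.1 to 4.5.3.7.3.

Added example (not part of the ISACA program). Both web.config texts are
constructed and cut down to the elements footnotes 13 to 15 show; the
compilation debug check goes one step beyond the footnotes.
"""
import sys
import xml.etree.ElementTree as ET

# Step text says WSS_Minimal, footnote 13 shows level="Minimal": accept either.
MINIMAL_TRUST = {"WSS_Minimal", "Minimal"}


def audit_web_config(xml_text):
    """Return a list of findings; an empty list means all checks passed."""
    root = ET.fromstring(xml_text)
    findings = []

    # 4.5.3.7.1  <system.web><trust level="WSS_Minimal" .../>
    system_web = root.find("system.web")
    trust = system_web.find("trust") if system_web is not None else None
    level = trust.get("level") if trust is not None else None
    if level not in MINIMAL_TRUST:
        findings.append(f"trust level is {level!r}, expected WSS_Minimal")

    # 4.5.3.7.2  PageParserPaths must stay empty (footnote 14); any
    # PageParserPath child permits server-side script in that path.
    for paths in root.iter("PageParserPaths"):
        for entry in paths:
            findings.append(
                f"server-side scripting permitted for VirtualPath "
                f"{entry.get('VirtualPath')!r}")

    # 4.5.3.7.3  SafeMode CallStack / AllowPageLevelTrace off (footnote 15)
    for safe in root.iter("SafeMode"):
        for attr in ("CallStack", "AllowPageLevelTrace"):
            if safe.get(attr, "false").lower() != "false":
                findings.append(f"SafeMode {attr}={safe.get(attr)!r}, expected false")

    # Added check: ASP.NET compilation debug flag, also part of debug mode.
    comp = system_web.find("compilation") if system_web is not None else None
    if comp is not None and comp.get("debug", "false").lower() == "true":
        findings.append('compilation debug="true", expected false')
    return findings


# Constructed: a web application with every setting the audit flags.
WEAK_WEB_CONFIG = """\
<configuration>
  <SharePoint>
    <SafeMode MaxControls="200" CallStack="true" DirectFileDependencies="10"
              TotalFileDependencies="50" AllowPageLevelTrace="true">
      <PageParserPaths>
        <PageParserPath VirtualPath="/*" CompilationMode="Always"
                        AllowServerSideScript="true" IncludeSubFolders="true" />
      </PageParserPaths>
    </SafeMode>
  </SharePoint>
  <system.web>
    <compilation debug="true" />
    <trust level="Full" originUrl="" />
  </system.web>
</configuration>
"""

# Constructed: the same file with the 4.5.3.7 settings applied.
HARDENED_WEB_CONFIG = """\
<configuration>
  <SharePoint>
    <SafeMode MaxControls="200" CallStack="false" DirectFileDependencies="10"
              TotalFileDependencies="50" AllowPageLevelTrace="false">
      <PageParserPaths>
      </PageParserPaths>
    </SafeMode>
  </SharePoint>
  <system.web>
    <compilation debug="false" />
    <trust level="WSS_Minimal" originUrl="" />
  </system.web>
</configuration>
"""

if __name__ == "__main__":
    # Pass the web.config paths collected in 4.5.3.4 to 4.5.3.6 as arguments;
    # with no arguments the two constructed samples are checked instead.
    targets = [(p, open(p, encoding="utf-8").read()) for p in sys.argv[1:]] or [
        ("weak sample", WEAK_WEB_CONFIG), ("hardened sample", HARDENED_WEB_CONFIG)]
    for name, text in targets:
        print(name, "->", audit_web_config(text) or "no findings")
```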

4.6 Auditing and Logging
Audit/Assurance Objective: Auditing and logging are enabled where appropriate and monitored.
4.6.1 Server Auditing
Control: Auditing is enabled and monitored regularly for administrator accounts and users accessing sensitive information according to the data classification standards.

COBIT cross-reference: DS5, DS11, ME1 | COSO: X X X

4.6.1.1 Determine if the Windows auditing policy is enabled.
4.6.1.2 If the Windows auditing policy is enabled, determine if the policy addresses the administrative accounts defined for SharePoint (i.e., spFarm and spAdmin).
4.6.1.3 Obtain examples of the auditing records and review documentation.
4.6.1.4 Evaluate the adequacy of the auditing and monitoring process.
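Steps 4.6.1.1 to 4.6.1.3 worked over evidence, as an added example that is not part of the ISACA program: the script parses constructed `auditpol /get /category:*` output to confirm the subcategories that record logons and privilege use are on, then counts the Security log records for spFarm and spAdmin in a constructed event export. The minimum subcategory settings and the export columns are this example's assumptions.

```python
"""Review the Windows audit policy and sample audit records for the
SharePoint administrative accounts (steps 4.6.1.1 to 4.6.1.3).

Added example (not part of the ISACA program). The auditpol output and the
event export are constructed; spFarm and spAdmin are the names step 4.6.1.2
uses; the required subcategory settings are this example's assumed minimum.
"""
import csv
import io
import re
from collections import Counter

ADMIN_ACCOUNTS = {"spfarm", "spadmin"}

# Assumed minimum for seeing these accounts' logons, their administrative
# logons (event 4672) and their use of sensitive privileges.
REQUIRED_POLICY = {
    "Logon": "Success and Failure",
    "Special Logon": "Success",
    "Sensitive Privilege Use": "Success and Failure",
}

# Subcategory rows of `auditpol /get /category:*` look like
# "  Logon                                   Success and Failure"
POLICY_ROW = re.compile(
    r"^\s{2}(\S.*?)\s{2,}(Success and Failure|Success|Failure|No Auditing)\s*$")


def parse_auditpol(text):
    """Map subcategory name -> setting."""
    policy = {}
    for line in text.splitlines():
        m = POLICY_ROW.match(line)
        if m:
            policy[m.group(1)] = m.group(2)
    return policy


def policy_findings(policy):
    """4.6.1.1/4.6.1.2: is auditing on, and does it cover admin logons?"""
    out = []
    for name, wanted in REQUIRED_POLICY.items():
        actual = policy.get(name, "not present")
        if actual != wanted and not (wanted == "Success" and actual == "Success and Failure"):
            out.append(f"subcategory {name!r} is {actual}, expected {wanted}")
    return out


def admin_activity(events_csv):
    """Count Security events per administrative account (domain stripped)."""
    activity = {name: Counter() for name in ADMIN_ACCOUNTS}
    for row in csv.DictReader(io.StringIO(events_csv)):
        account = row["Account"].rsplit("\\", 1)[-1].lower()
        if account in activity:
            activity[account][row["EventID"]] += 1
    return activity


def record_findings(activity):
    """4.6.1.3: do the records actually show the admin accounts?"""
    out = []
    for account, counts in sorted(activity.items()):
        if not counts:
            out.append(f"{account}: no audit records at all")
            continue
        if "4672" not in counts:
            out.append(f"{account}: logons recorded but no 4672 (special privileges "
                       "assigned) events; check Special Logon auditing on its servers")
        if counts["4625"]:
            out.append(f"{account}: {counts['4625']} failed logon(s) (4625) to review")
    return out


def review(auditpol_text, events_csv):
    """All findings for step 4.6.1 from the two inputs."""
    return (policy_findings(parse_auditpol(auditpol_text))
            + record_findings(admin_activity(events_csv)))


# Constructed auditpol output (Sensitive Privilege Use left off).
SAMPLE_AUDITPOL = """\
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success
  Special Logon                           Success
Privilege Use
  Sensitive Privilege Use                 No Auditing
"""

# Constructed export of Security log events (columns chosen for this example).
SAMPLE_EVENTS_CSV = r"""EventID,TimeCreated,Account,Computer,LogonType
4624,2011-05-01T08:12:00,CONTOSO\spAdmin,WEB01,10
4672,2011-05-01T08:12:00,CONTOSO\spAdmin,WEB01,
4624,2011-05-01T08:13:00,CONTOSO\spFarm,APP01,5
4624,2011-05-01T09:40:00,CONTOSO\jdoe,WEB01,2
4625,2011-05-01T23:02:00,CONTOSO\spAdmin,WEB01,10
"""

if __name__ == "__main__":
    for finding in review(SAMPLE_AUDITPOL, SAMPLE_EVENTS_CSV):
        print("FINDING:", finding)
```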

4.6.2 Site Collection Auditing
Control: Site collection auditing is enabled and monitored based on data classification of site content.

COBIT cross-reference: PO2.3, DS5.5, DS11, ME1, ME2, ME3, ME4 | COSO: X X X

4.6.2.1 Determine if an auditing policy has been established.
4.6.2.2 If a policy exists, determine if it considers content data classification and risk of disclosure.
4.6.2.3 Determine if auditing has been enabled on high-risk sites.
4.6.2.4 Determine if an audit log reporting package has been installed. (note 16)
4.6.2.5 Determine if audit logs are routinely reviewed, with a documented sign-off.

15 <SharePoint> <SafeMode MaxControls="200" CallStack="false" DirectFileDependencies="10" TotalFileDependencies="50" AllowPageLevelTrace="false"></SafeMode>
16 The audit logs generated by SharePoint are not people-friendly. Investigate alternative reporting systems.



5. NETWORK
5.1 Network Design
Audit/Assurance Objective: The network utilized by the SharePoint environment is protected from unauthorized access, and intrusion opportunities are minimized.
5.1.1 Web Server Network Location
Control: Web servers containing the front end to SharePoint are located in a demilitarized zone for external facing implementations, or on dedicated virtual networks for more secure SharePoint implementations.

COBIT cross-reference: DS5.10, DS9 | COSO: X

5.1.1.1 Obtain a network schematic for the SharePoint sites within the audit scope.
5.1.1.2 Determine if the network segments are adequately secured for the data classification of the content on the SharePoint site.
5.1.1.3 Evaluate the need for VPN-only access to external facing SharePoint web sites.

5.1.2 Application Server Network Location
Control: Application servers are located behind a firewall on a dedicated network for SharePoint back-end servers.

COBIT cross-reference: PO3, DS5.10, DS9 | COSO: X

5.1.2.1 Obtain a network schematic for the SharePoint sites within the audit scope.
5.1.2.2 Determine if the network segments containing Application Services servers are adequately secured.
5.1.2.3 Verify that the network design protects Application servers and provides for user access only through the web server front end.
5.1.3 SQL Network Location

Control: SQL servers are located behind a firewall on a dedicated network for SharePoint back-end servers.

COBIT cross-reference: DS5.10, DS9 | COSO: X

5.1.3.1 Obtain a network schematic for the SharePoint sites within the audit scope.
5.1.3.2 Determine if the network segments containing SQL servers are adequately secured.
5.1.3.3 Verify that the network design protects application servers and provides for user access only through the web server front end.



6. SHAREPOINT SERVER
6.1 Privileged Accounts
Audit/Assurance Objective: Privileged accounts are appropriately configured and assigned to minimize unauthorized access.
6.1.1 SharePoint Administrative Accounts
Control: SharePoint Administrative Accounts are created with Least Privilege Service
COBIT cross-reference: DS5.4 | COSO: X

6.1.1.1 SQL Server Service Account
6.1.1.1.1 Identify the SQL Server Service Account used to set up SQL server.
6.1.1.1.2 Determine if this account is a member of the domain.
6.1.1.1.3 Determine if this account has limited privileges as a domain user and is NOT a domain administrator.
6.1.1.2 SharePoint Admin
6.1.1.2.1 Identify the SharePoint Administrator Account (e.g., SP_Admin, SPadmin, etc.)
6.1.1.2.2 Verify that this account has the following privileges:
- Domain user account
- SQL Server roles securityadmin and dbcreator
- Local Administrators group rights on each SharePoint server
6.1.1.2.3 Verify that this account does not have ANY administrative rights within the domain.
6.1.1.2.4 Verify that the SharePoint Admin user ID is not a personal user ID.
6.1.1.3 SharePoint Farm
6.1.1.3.1 Identify the SharePoint farm account (e.g., SPfarm, SP_Farm).
6.1.1.3.2 Verify that this account does not have any administrative privileges.
6.1.1.3.3 Verify that this account is a member of the Local Administrators group of each server running SharePoint.
6.1.1.3.4 Verify that only a limited number of users have spFarm privileges.
6.1.1.3.5 Evaluate each user with spFarm privilege and the justification for this access level.
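The least-privilege rules of 6.1.1.1 to 6.1.1.3 expressed as checks over an account inventory, as an added example that is not part of the ISACA program: each function covers one account from the steps above and returns the deviations. The inventory, the server list, the set of groups treated as domain-administrative, and the limit of three farm administrators are constructed assumptions.

```python
"""Least-privilege checks for the SharePoint service accounts in step 6.1.1.

Added example (not part of the ISACA program). The account inventory and
server list are constructed; DOMAIN_ADMIN_GROUPS and the limit of three
farm administrators are this example's assumptions.
"""
from dataclasses import dataclass, field

DOMAIN_ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
SP_ADMIN_SQL_ROLES = {"securityadmin", "dbcreator"}       # 6.1.1.2.2
SHAREPOINT_SERVERS = {"WEB01", "WEB02", "APP01"}          # constructed farm
MAX_FARM_ADMINS = 3                                       # assumption


@dataclass
class Account:
    name: str
    domain_groups: set                 # AD group membership
    local_admin_on: set                # servers where it is a local Administrator
    sql_roles: set = field(default_factory=set)
    personal: bool = False             # True if the ID belongs to a person


def is_domain_admin(acct):
    return bool(acct.domain_groups & DOMAIN_ADMIN_GROUPS)


def audit_sql_service_account(acct):
    """6.1.1.1: domain member, limited domain user, never a domain admin."""
    out = []
    if "Domain Users" not in acct.domain_groups:
        out.append(f"{acct.name}: not a domain account")
    if is_domain_admin(acct):
        out.append(f"{acct.name}: SQL service account holds domain administrator rights")
    return out


def audit_sharepoint_admin(acct):
    """6.1.1.2: exactly the listed privileges, no domain admin, not personal."""
    out = []
    if "Domain Users" not in acct.domain_groups:
        out.append(f"{acct.name}: not a domain user account")
    missing = SP_ADMIN_SQL_ROLES - acct.sql_roles
    if missing:
        out.append(f"{acct.name}: missing SQL roles {sorted(missing)}")
    extra = acct.sql_roles - SP_ADMIN_SQL_ROLES
    if extra:
        out.append(f"{acct.name}: SQL roles beyond 6.1.1.2.2 {sorted(extra)}; justify")
    not_admin_on = SHAREPOINT_SERVERS - acct.local_admin_on
    if not_admin_on:
        out.append(f"{acct.name}: not local Administrator on {sorted(not_admin_on)}")
    if is_domain_admin(acct):
        out.append(f"{acct.name}: has administrative rights within the domain")
    if acct.personal:
        out.append(f"{acct.name}: is a personal user ID")
    return out


def audit_farm_account(acct, farm_admins):
    """6.1.1.3: no domain admin rights, local admin on every SharePoint server,
    and only a limited number of users holding farm (spFarm) privileges."""
    out = []
    if is_domain_admin(acct):
        out.append(f"{acct.name}: has administrative rights within the domain")
    not_admin_on = SHAREPOINT_SERVERS - acct.local_admin_on
    if not_admin_on:
        out.append(f"{acct.name}: not local Administrator on {sorted(not_admin_on)}")
    if len(farm_admins) > MAX_FARM_ADMINS:
        out.append(f"{len(farm_admins)} users hold spFarm privileges "
                   f"(limit {MAX_FARM_ADMINS}); review each justification")
    return out


# Constructed inventory: one clean account and two with deviations.
SQL_SERVICE = Account("svc_sql", {"Domain Users"}, {"SQL01"})
SP_ADMIN = Account("spAdmin", {"Domain Users", "Domain Admins"},
                   {"WEB01", "WEB02", "APP01"},
                   sql_roles={"securityadmin", "dbcreator", "sysadmin"})
SP_FARM = Account("spFarm", {"Domain Users"}, {"WEB01", "WEB02"})
FARM_ADMINS = ["spFarm", "spAdmin", "jdoe", "asmith"]

if __name__ == "__main__":
    for finding in (audit_sql_service_account(SQL_SERVICE)
                    + audit_sharepoint_admin(SP_ADMIN)
                    + audit_farm_account(SP_FARM, FARM_ADMINS)):
        print("FINDING:", finding)
```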



6.2 Site Collection Accounts
Audit/Assurance Objective: Site collection accounts are assigned to responsible site collection administrators, who manage the sites according to policies and standards.
6.2.1 Site Collection Administrators
Control: Site collection administrators are assigned to site owners (business or support) and are responsible for their sites.
COBIT cross-reference: PO4, DS9, ME2.2 | COSO: X X
6.2.1.1 Select a sample of sites.
6.2.1.2 Determine the site collection administrator.
6.2.1.3 Determine if there is a backup administrator.
6.2.1.4 Determine if there are excessive site administrators assigned to the site.

6.3 Site Collection Adherence to Policies and Standards
Audit/Assurance Objective: Site collection managers adhere to site policies and procedures.
6.3.1 Site Collection Monitoring
Control: Site managers monitor the use and content of their sites.
COBIT cross-reference: PO4, ME2.2 | COSO: X X
6.3.1.1 Select a sample of sites.
6.3.1.2 Determine if the site manager reviews the content and users of the site on a regular basis.
6.3.1.2.1 Determine if there is evidence of the review.
6.3.1.2.2 Determine the adequacy of the frequency and scope of the review.
6.3.1.2.3 Determine if the site manager reviews the content against the business case.
6.3.1.3 Evaluate the content of the site to assure it is in alignment with the business case or site objective.
6.3.1.3.1 Determine if the content has increased or the site appears to be unfocused.



6.4 Site Controls
Audit/Assurance Objective: Site controls are established to protect the integrity of the SharePoint site content.
6.4.1 Site Collection Security
Control: Site collection security is established according to a data classification policy.
COBIT cross-reference: PO4, PO6, DS5.1, DS11 | COSO: X
6.4.1.1 Select several site collections within audit scope.
6.4.1.2 Determine if a data classification has been assigned to the site.
6.4.1.3 Determine if the access and logical security of the site is in compliance with the data classification policy.
6.4.1.4 Determine if the site content requires a VPN for access. If a VPN requirement exists, determine if the VPN policy has been implemented.
6.4.2 Site Access Separation of Duties
Control: A separation of duties policy is in place to prevent the approval or execution of transactions or activities which should not be performed by the same person.
COBIT cross-reference: DS5.4, DS11.6 | COSO: X
6.4.2.1 Verify if the content and processes within the site require a separation of duties.
6.4.2.2 If a separation of duties is required, verify that a separation of duties table exists describing the access permitted by job function.
6.4.3 Data Content Controls
Control: Data is subject to content, revision and modification procedures.
COBIT cross-reference: DS11 | COSO: X
6.4.3.1 Determine if the site library or collection requires version controls.
6.4.3.1.1 If version controls are required, determine that the site library configuration requires version control.
6.4.3.1.2 Through a sampling process, verify that version control is in use. Where minor version control is in place, verify that the major version control (publishing) is utilized.
6.4.3.2 Verify that the ability to delete content is limited by configuration if appropriate.
6.4.3.3 Verify if all editing must be performed in place (on the SharePoint library) to preserve version control instead of overwriting.



6.4.4 Data Storage
Control: Data storage addressing data retention and destruction adheres to data retention policies for the data classification and data content.
COBIT cross-reference: DS11 | COSO: X
6.4.4.1 Determine if data retention and destruction policies are in compliance with the data classification and enterprise data standards.
6.4.4.2 Review data deletion and destruction processes for the specific libraries.
6.4.4.3 Perform tests of the data retention and destruction policies to determine if the SharePoint configuration adheres to policies.
6.5 Workflow Applications
Audit/Assurance Objective: Workflow processes are in alignment with enterprise application policies.
6.5.1 Workflow Application Design
Control: Workflow applications involving the processing of financial transactions, significant operational processes, or the maintenance of enterprise assets or intellectual property are subject to the systems development methodology and address standard control objectives.
COBIT cross-reference: AI2, AI7 | COSO: X
6.5.1.1 Identify workflow applications within the scope of audit sites.
6.5.1.2 Determine the objectives of the workflow.
6.5.1.3 Identify workflow processes with a financial or significant operational impact.
6.5.1.4 Determine if, in the development of workflow processes, the appropriate secure development controls were applied during systems development of these processes.
6.5.1.5 Determine if an audit of the design effectiveness and the operating effectiveness of the controls has been performed.
6.5.1.6 Perform a risk assessment of the workflow processes.
6.5.1.7 Identify and select high-risk workflow processes for further review.
6.5.1.8 For each selected workflow process, perform a control design and operating effectiveness analysis.



6.6 Other Applications
Audit/Assurance Objective: Other applications (search, Excel, Access, Project, Word, etc.) are appropriately controlled.

Note: The auditor should add steps to address the other applications.

7. CONTINGENCY PLANNING
7.1 Contingency Planning
Audit/Assurance Objective: Essential SharePoint services are included in the IT contingency plan.
7.1.1 Contingency Business Impact Analysis
Control: SharePoint applications are included in the business unit's business impact analysis (BIA).
COBIT cross-reference: PO9.5, DS4 | COSO: X
7.1.1.1 Obtain the BIA for the business units operating a SharePoint site.
7.1.1.2 Determine if the BIA considers the SharePoint site in its continuity analysis.
7.1.2 Contingency Plan for SharePoint Applications
Control: SharePoint applications are included in the contingency plan based on their risk profile.
COBIT cross-reference: PO9.5, DS4 | COSO: X
7.1.2.1 Obtain the BIA.
7.1.2.2 Determine if the SharePoint applications are rated as high-priority for restoration.
7.1.2.3 For those applications that are rated at high impact, determine that the continuity plan includes interim processing and restoration plans.

VI. Maturity Assessment

The maturity assessment is an opportunity for the reviewer to assess the maturity of the processes reviewed. Based on the results of the audit/assurance review and the reviewer’s observations, assign a maturity level to each of the following COBIT control objectives.17

17 The COBIT control objectives have been abridged to focus on SharePoint concerns. Extended descriptions were maintained for critical objectives.

COBIT Control Objective | Assessed Maturity | Target Maturity | Reference Hyper-link | Comments

PO1 Define a Strategic IT Plan
PO1.1 IT Value Management—Work with the business to ensure that the enterprise portfolio of IT-enabled investments contains programmes that have solid business cases.

PO1.2 Business-IT Alignment—Establish processes of bi-directional education and reciprocal involvement in strategic planning to achieve business and IT alignment and integration.

PO2 Define the Information Architecture
PO2.1 Enterprise Information Architecture Model—Establish and maintain an enterprise information model to enable applications development and decision-supporting activities, consistent with IT plans.

PO2.3 Data Classification Scheme—Establish a classification scheme that applies throughout the enterprise, based on the criticality and sensitivity of enterprise data. This scheme should include details about data ownership; definition of appropriate security levels and protection controls; and a brief description of data retention and destruction requirements, criticality and sensitivity. It should be used as the basis for applying controls such as access controls, archiving or encryption.

PO4 Define the IT Processes, Organisation and Relationships
PO4.6 Establishment of Roles and Responsibilities—Establish and communicate roles and responsibilities for IT personnel and end users that delineate between IT personnel and end-user authority, responsibilities and accountability for meeting the organisation’s needs.

PO4.8 Responsibility for Risk, Security and Compliance—Embed ownership and responsibility for IT-related risks within the business at an appropriate senior level. Define and assign roles critical for managing IT risks, including the specific responsibility for information security, physical security and compliance.

PO4.9 Data and System Ownership—Provide the business with procedures and tools, enabling it to address its responsibilities for ownership of data and information systems. Owners should make decisions about classifying information and systems and protecting them in line with this classification.

AI1 Identify Automated Solutions


AI1.1 Definition and Maintenance of Business Functional and Technical Requirements—Identify, prioritise, specify and agree on business functional and technical requirements covering the full scope of all initiatives required to achieve the expected outcomes of the IT-enabled investment programme.

AI1.3 Feasibility Study and Formulation of Alternative Courses of Action—Develop a feasibility study that examines the possibility of implementing the requirements. Business management, supported by the IT function, should assess the feasibility and alternative courses of action and make a recommendation to the business sponsor.

AI3 Acquire and Maintain Technology Infrastructure
AI3.1 Technological Infrastructure Acquisition Plan—Produce a plan for the acquisition, implementation and maintenance of the technological infrastructure that meets established business, functional and technical requirements and is in accord with the organisation’s technology direction.
AI7 Install and Accredit Solutions and Changes
AI7.1 Training—Train the staff members of the affected user departments and the operations group of the IT function in accordance with the defined training and implementation plan and associated materials, as part of every information systems development, implementation or modification project.

AI7.2 Test Plan—Establish a test plan based on organisationwide standards that define roles, responsibilities, and entry and exit criteria. Ensure that the plan is approved by relevant parties.

AI7.3 Implementation Plan—Establish an implementation and fallback/backout plan.

AI7.4 Test Environment—Define and establish a secure test environment representative of the planned operations environment relative to security, internal controls, operational practices, data quality and privacy requirements, and workloads.

DS5 Ensure Systems Security
DS5.1 Management of IT Security—Manage IT security at the highest appropriate organisational level, so the management of security actions is in line with business requirements.

DS5.2 IT Security Plan—Translate business, risk and compliance requirements into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. Ensure that the plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. Communicate security policies and procedures to stakeholders and users.

DS5.3 Identity Management—Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms. Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities. Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person. Maintain user identities and access rights in a central repository. Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights.

DS5.4 User Account Management—Address requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges with a set of user account management procedures. Include an approval procedure outlining the data or system owner granting the access privileges. These procedures should apply for all users, including administrators (privileged users) and internal and external users, for normal and emergency cases. Rights and obligations relative to access to enterprise systems and information should be contractually arranged for all types of users. Perform regular management review of all accounts and related privileges.

DS5.10 Network Security—Use security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection) to authorise access and control information flows from and to networks.

DS9 Managing the Configuration
DS9.1 Configuration Repository and Baseline—Establish a supporting tool and a central repository to contain all relevant information on configuration items. Monitor and record all assets and changes to assets. Maintain a baseline of configuration items for every system and service as a checkpoint to which to return after changes.
DS9.2 Identification and Maintenance of Configuration Items—Establish configuration procedures to support management and logging of all changes to the configuration repository. Integrate these procedures with change management, incident management and problem management procedures.

DS9.3 Configuration Integrity Review—Periodically review the configuration data to verify and confirm the integrity of the current and historical configuration.

DS11 Manage Data
DS11.2 Storage and Retention Arrangements—Define and implement procedures for effective and efficient data storage, retention and archiving to meet business objectives, the organisation’s security policy and regulatory requirements.

DS11.5 Backup and Restoration—Define and implement procedures for backup and restoration of systems, applications, data and documentation in line with business requirements and the continuity plan.

DS11.6 Security Requirements for Data Management—Define and implement policies and procedures to identify and apply security requirements applicable to the receipt, processing, storage and output of data to meet business objectives, the organisation’s security policy and regulatory requirements.

ME2 Monitor and Evaluate Internal Control
ME2.1 Monitoring of Internal Control Framework—Continuously monitor, benchmark and improve the IT control environment and control framework to meet organisational objectives.

ME2.2 Supervisory Review—Monitor and evaluate the efficiency and effectiveness of internal IT managerial review controls.

ME2.3 Control Exceptions—Identify control exceptions, and analyse and identify their underlying root causes. Escalate control exceptions and report to stakeholders appropriately. Institute necessary corrective action.

ME2.4 Control Self-assessment—Evaluate the completeness and effectiveness of management’s control over IT processes, policies and contracts through a continuing programme of self-assessment.

ME2.7 Remedial Actions—Identify, initiate, track and implement remedial actions arising from control assessments and reporting.

ME3 Ensure Compliance With External Requirements


ME3.1 Identification of External, Legal, Regulatory and Contractual Compliance Requirements—Identify, on a continuous basis, local and international laws, regulations, and other external requirements that must be complied with for incorporation into the organisation's IT policies, standards, procedures and methodologies.

ME3.2 Optimisation of Response to External Requirements—Review and adjust IT policies, standards, procedures and methodologies to ensure that legal, regulatory and contractual requirements are addressed and communicated.

ME3.3 Evaluation of Compliance With External Requirements—Confirm compliance of IT policies, standards, procedures and methodologies with legal and regulatory requirements.

ME3.4 Positive Assurance of Compliance—Obtain and report assurance of compliance and adherence to all internal policies derived from internal directives or external legal, regulatory or contractual requirements, confirming that any corrective actions to address any compliance gaps have been taken by the responsible process owner in a timely manner.

ME4 Provide IT Governance
ME4.1 Establishment of an IT Governance Framework—Define, establish and align the IT governance framework with the overall enterprise governance and control environment. Report IT governance status and issues.

ME4.3 Value Delivery—Manage IT-enabled investment programmes and other IT assets and services to ensure that they deliver the greatest possible value in supporting the enterprise’s strategy and objectives. Ensure that the expected business outcomes of IT-enabled investments and the full scope of effort required to achieve those outcomes are understood; that comprehensive and consistent business cases are created and approved by stakeholders; that assets and investments are managed throughout their economic life cycle; and that there is active management of the realisation of benefits, such as contribution to new services, efficiency gains and improved responsiveness to customer demands.


VII. Maturity Assessment vs. Target Assessment

This spider graph is an example of the assessment results and maturity target for a SharePoint assessment.
