SharePoint Legal, Compliance and Accountability Standards
What follows are merely suggestions as a starting point for defining your SharePoint legal and accountability standards. Realistically, your standards might vary quite a bit depending on your industry, SharePoint usage and compliance needs.
Content
- Do not post content that we do not own the legal right to post electronically, including .PDFs or scanned images of journal articles or other documents from sources to which our organization does not have online publishing rights. A link may be created to this content on the content owner’s Web site.
- Copyright violations can be very costly to our business.
Am I missing a legal, compliance, or accountability standard? Don’t agree with one? Please let me know in the comments.
Hope this helps,
Richard Harbridge
Hey Richard. Just now getting around to reading through everything on the site. Coming along nicely!
With regards to the subject, I think that as SharePoint is moved into more and more mainstream uses (Human Resources, Accounting/Finances, etc.) managing privacy information is going to become more and more critical. Add to that the beginning of a move towards proactively addressing security/database breaches rather than addressing them reactively, and it is going to become a matter of legal compliance rather than security best practice.
That being said I think that adding a section on how to address the management of information or data considered to be privacy related would be a good idea.
Your thoughts?
– Jay
I am in 100% agreement.
So I was considering breaking this one out once I have more content. Particularly I know that encryption of data is key (such as employee data) when it exists in SharePoint. This doesn’t natively happen in SharePoint so it would require additional steps like setting up SQL encryption.
Feel free to share a number of thoughts on privacy, compliance, and security with me in the comments here and I will update/revise the ‘standards’ or other content appropriately. 🙂
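The "SQL encryption" step mentioned above, shown as an added example that is not from the post or from SharePoint itself: enabling SQL Server Transparent Data Encryption (TDE) on a content database. The database name `WSS_Content_HR`, the certificate name, file paths and passwords are placeholders.

```sql
-- Added illustration: SQL Server TDE on a SharePoint content database.
-- All names, paths and passwords below are placeholders, not values from the post.
USE master;
GO
-- 1. Database master key in master; it protects the server certificate.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-placeholder-password>';
GO
-- 2. Server certificate that will protect the database encryption key (DEK).
CREATE CERTIFICATE SharePointTdeCert
    WITH SUBJECT = 'TDE certificate for SharePoint content databases';
GO
-- 3. Back up the certificate and private key right away and store the backup
--    off the server: an encrypted content database cannot be restored or
--    attached anywhere this certificate is not available.
BACKUP CERTIFICATE SharePointTdeCert
    TO FILE = 'D:\TDE\SharePointTdeCert.cer'
    WITH PRIVATE KEY (FILE = 'D:\TDE\SharePointTdeCert.pvk',
                      ENCRYPTION BY PASSWORD = '<strong-placeholder-password>');
GO
-- 4. Create the DEK inside the content database (placeholder name).
USE WSS_Content_HR;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE SharePointTdeCert;
GO
-- 5. Switch encryption on; existing pages are encrypted by a background scan.
ALTER DATABASE WSS_Content_HR SET ENCRYPTION ON;
GO
-- 6. Verify progress: encryption_state 2 = in progress, 3 = encrypted.
SELECT DB_NAME(database_id) AS content_db, encryption_state, percent_complete
FROM sys.dm_database_encryption_keys;
GO
```

TDE protects the data and log files and their backups at rest (tempdb is encrypted as well once any user database is); it does nothing about what a SharePoint user with permissions can see through the site, so the access and approval standards discussed in the comments still apply.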
There are two ways to go as I see it.
1. You can take everything privacy related and break it out into its own section and have sub-headings for Legal, compliance, security, content, and social.
2. You can add a privacy section to each of the above.
Personally I think that a single section to address privacy as a whole with sub-headings is the way to go. This consolidates all the privacy information into a single “bucket” and makes it easier to reference, understand and find.
Short break out of sub-headings and specific topics covered by each:
• Legal – I think this section addresses existing laws and regulations as well as legislation that would be considered either “in process” or “under consideration”.
• Compliance – This section should address what constitutes compliance with any privacy standards put in place, how it is tracked and what the consequences of failing to comply with privacy standards are. Examples:
  o Who approves the development and creation of the application or site?
  o How frequently are access audits performed?
  o What are the consequences of being found in “non-compliance”?
  o Who is responsible for the periodic review of the policies, procedures and processes currently in place?
• Security – This section should cover how access to applications where the potential for the exposure of privacy information exists is handled, at two levels:
  o What are the criteria for implementation of applications or sites where the potential for the exposure (intended or unintended) of privacy information exists? Think of this as the application layer.
    ▪ Who approves the development and creation of the application or site?
    ▪ How is the site or application configured (separate web application, separate site collection, etc.)?
    ▪ What plans, processes or procedures are in place in the event of a potential breach?
    ▪ What plans, processes, procedures or policies are in place to prevent a potential breach?
  o Who manages those applications or sites that contain privacy information? The personnel layer, so to speak.
    ▪ What steps are required to gain access?
    ▪ Who approves access requests?
    ▪ How are requests for access tracked?
• Content – What kind of privacy-related information is allowed to be collected?
  o Names and addresses
  o Social Security numbers
  o Pictures
  o Home phone numbers
  o Education
• Social – What kind of information can the general user population share about themselves?
  o Names and addresses
  o Pictures
  o Home phone numbers
  o Education
  o Personal activities (going on vacation or something similar).
Just a quick list I’ve had rattling around in my head as I think about how to put this into a session for a SharePoint Saturday or BPC in March. It could probably be better categorized with some more thought. As soon as I finish up the writing project I have going on I’ll try and clean it up some more, add to it, and send it to you.
– Jay
Definitely looking forward to it! Sounds like it’s going to be a pretty interesting presentation. Hopefully I can attend. 🙂
* Do not use commercial stock images or photographs without purchasing a license to use them
* Do not “borrow” images from sites on the Internet without permission (even if it’s for an internal site)
* Images and content licensed under a Creative Commons license (or similar license) are okay to use as-is
* Provide credit back to the source if required by the license
Thank you, Bil. Great points and good specifics.
There are other specifics I intend to add based on feedback from clients around employee picture use as well.