SharePointlandia 2013: SharePoint and Compliance…
Oil and Water or Milk and Cookies?
Agenda
• About
• Security Redux
  – Permissions
  – Authentication
  – Content/Access Control
• Compliance
  – Alphabet Soup
  – The Road to Compliance
  – Compliance Specifics
• Review
Obligatory Self Promotion
Matt Barrett, Senior Solutions Engineer, Axceler
• 6 years in security, 2 in SharePoint
• Worked on the Metasploit project
• Security evangelist
• Compliance expert
Twitter: @mrbarrett
LinkedIn: www.linkedin.com/mrb08
Axceler Overview
Liberating collaboration in the social enterprise through visibility and control
• Delivering award-winning administration and migration software since 1994
• 3000 customers globally
Dramatically improve SharePoint management
• Innovative products that improve security and scalability
• Making IT more effective and efficient, and lowering the total cost of ownership
Focus on solving specific SharePoint problems
• Coach enterprises on SharePoint best practices
• Give administrators the most innovative tools available
• Deliver “best of breed” offerings
Security Redux: Governance
How are you using SharePoint?
• Document repository vs. core business
• A few select users, or everybody?
What secure content do you have?
• Where is it?
Security Redux: Authentication Methods
• Windows Authentication
  – NTLM
  – Kerberos
  – Digest
  – Basic
• Claims
  – SAML tokens (trusted identity provider)
  – Forms-based (AD DS or LDAP membership provider)
• SP Groups (an authorization construct that holds permission assignments, not an authentication method)
Security Redux: What can be secured?
• Sites
• Libraries/Lists
• Folders
• Documents/Items
Security Redux: Management Challenges
• Distributed vs. centralized?
• Whose responsibility is it?
Security Redux: Typical Best Practices vs. Compliance Best Practices
• Visitors
• Members
• Read only?
• Sites, lists and libraries share most permissions (they inherit from the parent unless inheritance is broken)
• Sensitive data is separated from normal data (typically this is all you need)
Compliance Changes Things…
Plan your work, work your plan
Compliance – Alphabet Soup
• Sarbanes-Oxley Act (SOX compliance)
• Healthcare Services (HIPAA)
• Financial Services (GLBA)
• California Senate Bill No. 1386
• NERC Cyber Security Standards
• Visa Cardholder Information Security Program
• MasterCard Site Data Protection Program
• American Express Data Security Standard
Compliance Fact Sheet
• 45 states (including CA) have some form of data breach law
• All different, but all require protection of PII (Personally Identifiable Information)
What is PII?
• Full name
• National ID number
• IP address (in some cases)
• License plate number
• Driver’s license number
• Face, fingerprints or handwriting
• Credit card numbers!!
• Date of birth
• Birthplace
• Genetic information
Where Does This Come From? NIST
NIST (National Institute of Standards and Technology) SP 800-53 security controls, for example:
• Access Enforcement (AC-3)
• Separation of Duties (AC-5)
• Least Privilege (AC-6)
• Limiting Remote Access (AC-17)
• Protecting information at rest through the use of encryption (SC-28)
Breaches are Costly!
• Sony – 77 million accounts exposed (April 2011); $171m to fix
• Fortune 50 leader in aerospace – fined $75m for leaking helicopter part information
• Breaches cost $6m+ on average*
*Source: Ponemon Institute
Compliance Changes Things…
It’s far more expensive to certify than to secure...
• Best advice: limit your scope!
Step 1: Define Your (Forced) Compliance Goals!
• The security vs. efficiency paradox
• Trust, but verify
Step 1: Define Your Compliance Goals!
Understand your benchmarks
• What current business processes could potentially be affected?
• Optimization “ripples”
• Efficiency theories
• Collaboration? Is it compliant?
Quickest is not always best
• Take your time
• Far cheaper in the long run
• Shortcuts lead to breaches
• Breaches lead to sad
Step 2: Commit (Pilot, Review, Deploy)
Building from scratch vs. adaptation
• “You can tailor a framework to a regulation, but you can’t tailor a regulation to a framework”
Build your pilot (Dev)
• Separate server
• No real data
• Study!
• Gap analysis
Bring more cooks into the kitchen
• Legal
• Security team
• Consultants (if necessary)
Step 3: Assimilate (Test, Verify)
Once you’re sure...
• After gap analysis
• Dev to Staging
• Typically single-server
• Introduce pilot users (try to break it)
• Penetration test
• Production
Step 4: Maintain (Server, SharePoint, Users)
Compliance one day doesn’t guarantee compliance the next...
• Monitor
  – Service packs
  – User activity
  – Confirmation of permissions
• Monitor regulations
  – They change!
Every new element needs to be vetted
• One insecure element makes EVERYTHING insecure
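Two of the points in this deck are the ones that most often fail a SharePoint audit in practice: the inheritance rule (“sites, lists and libraries share most permissions”, so one broken inheritance on a document quietly creates a new permission boundary) and the Step 4 “confirmation of permissions”. The PowerShell below is an added example, not code from the deck or from Axceler. It walks one web application, reports every web, list and item whose permissions no longer inherit from the parent, and flags grants to broad principals. It assumes an on-premises SharePoint Server farm (2010/2013 server object model), the SharePoint Management Shell run as a farm administrator, and that broad principals can be recognised by the display names in $BroadPrincipals; the web application URL in the usage line is a placeholder.

```powershell
# Added example (not from the original deck or from Axceler): audit where
# permission inheritance is broken in an on-premises SharePoint Server farm
# and report who holds rights at each break. Run from the SharePoint
# Management Shell on a farm server as a farm administrator.
# Assumptions: SharePoint Server 2010/2013 object model; the broad principal
# names below are an assumption about how your directory labels them.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Principals that, when granted on a scope holding sensitive data, defeat the
# "sensitive data is separated from normal data" rule. Matched by display name.
$BroadPrincipals = @('Everyone', 'All Authenticated Users', 'Authenticated Users')

function Get-RoleAssignmentReport {
    # Emit one record per role assignment on a web, list or item that has
    # unique (non-inherited) permissions.
    param($Securable, [string]$Url, [string]$Scope)
    foreach ($ra in $Securable.RoleAssignments) {
        $name   = $ra.Member.Name
        $levels = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ';'
        $broad  = $false
        foreach ($p in $BroadPrincipals) { if ($name -like "*$p*") { $broad = $true } }
        New-Object PSObject -Property @{
            Scope     = $Scope
            Url       = $Url
            Principal = $name
            IsGroup   = ($ra.Member -is [Microsoft.SharePoint.SPGroup])
            Levels    = $levels
            Broad     = $broad
        }
    }
}

function Invoke-PermissionAudit {
    # Walk every site collection in a web application; findings go to the pipeline.
    param([string]$WebApplicationUrl, [int]$MaxItemsPerList = 5000)
    foreach ($site in (Get-SPSite -WebApplication $WebApplicationUrl -Limit All)) {
        foreach ($web in $site.AllWebs) {
            try {
                if ($web.HasUniqueRoleAssignments) {
                    Get-RoleAssignmentReport $web $web.Url 'Web'
                }
                foreach ($list in $web.Lists) {
                    if ($list.Hidden) { continue }    # skip system and catalog lists
                    if ($list.HasUniqueRoleAssignments) {
                        Get-RoleAssignmentReport $list ($web.Url + '/' + $list.RootFolder.Url) 'List'
                    }
                    # Item-level breaks are where sensitive documents usually end up
                    # over-shared; cap the scan so very large lists do not stall it.
                    $query = New-Object Microsoft.SharePoint.SPQuery
                    $query.RowLimit = $MaxItemsPerList
                    $query.ViewAttributes = "Scope='RecursiveAll'"   # include folders and subfolders
                    foreach ($item in $list.GetItems($query)) {
                        if ($item.HasUniqueRoleAssignments) {
                            Get-RoleAssignmentReport $item ($web.Url + '/' + $item.Url) 'Item'
                        }
                    }
                }
            } finally {
                $web.Dispose()    # SPWeb objects are unmanaged; always dispose
            }
        }
        $site.Dispose()
    }
}

# Usage (placeholder URL): run the audit, keep the full report, show the risky rows.
# $report = Invoke-PermissionAudit -WebApplicationUrl 'https://intranet.example.local'
# $report | Export-Csv -Path .\permission-audit.csv -NoTypeInformation
# $report | Where-Object { $_.Broad } | Format-Table Scope, Url, Principal, Levels -AutoSize
```

Read the output with two SharePoint-specific caveats. A break anywhere below a web leaves a “Limited Access” role on the parent scopes, so rows showing only that level are expected rather than findings. An item- or list-level grant to “Everyone” or “All Authenticated Users” inside a library that is supposed to hold sensitive data is exactly the condition the separation rule exists to prevent, and is the row to chase first. For lists with far more than the 5000-item cap, raise MaxItemsPerList or scan folder by folder, and schedule the run so the CSV can be diffed against the previous one as the Step 4 confirmation.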
Compliance Generalities
CIA Triad
• Confidentiality
• Integrity
• Availability
Compliance follows common themes...
Compliance Specifics: HIPAA
Data must always be encrypted
• In transit and at rest
• TLS (“SSL”) on every SharePoint URL
Data must never be lost
• DR plan
Data must only be accessible by authorized personnel
• Access control/authentication
• User security
• Password policies
• New employee procedures
Data must never be tampered with or altered
• Audit controls/integrity
• Unauthorized modification prevention
Data should be encrypted if being stored/archived
• Transparent Data Encryption (TDE) on the SQL Server content databases
Data can be permanently disposed of when no longer needed
• Remember: HIPAA requires a 6-year retention period (state law may require medical records to be kept longer)
• Document retention policies
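“Trust, but verify” applies to the two encryption controls above. The PowerShell below is an added example, not code from the deck or from Axceler. It asks each SQL Server instance whether every SharePoint content database has TDE switched on and fully encrypted, and checks that every alternate access mapping of every web application is an HTTPS URL. It assumes an on-premises farm, the SharePoint Management Shell run as a farm administrator, and a Windows login on each SQL instance with VIEW SERVER STATE, which is needed to read sys.dm_database_encryption_keys.

```powershell
# Added example (not from the original deck or from Axceler): verify two of
# the HIPAA controls named above on an on-premises SharePoint Server farm:
#   1. every content database is protected by SQL Server Transparent Data
#      Encryption (TDE) and the encryption scan has completed;
#   2. every web application URL (all alternate access mapping zones) is HTTPS.
# Assumptions: SharePoint Management Shell, farm-administrator rights, and a
# Windows login on each SQL instance allowed to read
# sys.dm_database_encryption_keys (VIEW SERVER STATE).

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-TdeEncryptionState {
    # Returns SQL Server's encryption_state for one database:
    # 0 = no encryption key (not encrypted), 1 = unencrypted, 2 = encryption in
    # progress, 3 = encrypted, 4 = key change in progress, 5 = decryption in
    # progress, 6 = protection change in progress. -1 = database not found.
    param([string]$SqlInstance, [string]$Database)
    $sql = @'
SELECT ISNULL(k.encryption_state, 0) AS encryption_state
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k ON k.database_id = d.database_id
WHERE d.name = @db
'@
    $connString = "Server=$SqlInstance;Database=master;Integrated Security=SSPI"
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $connString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $sql
        [void]$cmd.Parameters.AddWithValue('@db', $Database)   # parameterised, never concatenated
        $reader = $cmd.ExecuteReader()
        if ($reader.Read()) { return [int]$reader['encryption_state'] }
        return -1
    } finally {
        $conn.Dispose()
    }
}

function Test-ContentDatabaseEncryption {
    # One record per content database in the farm; Encrypted is true only for state 3.
    foreach ($db in Get-SPContentDatabase) {
        $state = Get-TdeEncryptionState -SqlInstance $db.NormalizedDataSource -Database $db.Name
        New-Object PSObject -Property @{
            Database  = $db.Name
            Server    = $db.NormalizedDataSource
            State     = $state
            Encrypted = ($state -eq 3)    # 2 (in progress) is not yet compliant
        }
    }
}

function Test-WebApplicationHttps {
    # One record per alternate access mapping, including Central Administration.
    foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
        foreach ($aam in $wa.AlternateUrls) {
            New-Object PSObject -Property @{
                WebApplication = $wa.DisplayName
                Zone           = $aam.UrlZone
                Url            = $aam.IncomingUrl
                Https          = (([Uri]$aam.IncomingUrl).Scheme -eq 'https')
            }
        }
    }
}

# Usage: anything listed by either line is a finding for the gap analysis.
# Test-ContentDatabaseEncryption | Where-Object { -not $_.Encrypted } | Format-Table -AutoSize
# Test-WebApplicationHttps       | Where-Object { -not $_.Https }     | Format-Table -AutoSize
```

State 2 (encryption in progress) is deliberately reported as not encrypted: until the background scan finishes, pages already on disk may still be plaintext. Keep in mind what TDE does not cover. It encrypts the data files, log files and backups, but SharePoint still returns plaintext to any authenticated account with read rights, and the search index, BLOB cache and any RBS store sit outside the database. The HTTPS check only proves the URL scheme; certificate validity and the protocol versions IIS will negotiate still need a scanner or a browser test.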
Compliance Specifics: SOX
All data must be...
• Stored
• Retained
• Secured
• Audited
Proof of internal controls
• Plans
• Framework
Disclosure
Compliance Specifics: PCI
“If it touches something that stores or processes credit cards, it falls into scope”
• Pen testing
• External environment scanning
• Gap analysis (PCI DSS)
• Document management system
Conclusion
Compliance changes things slightly...
• Fines are off the charts
• More work
• More diligence
Thank You!
Learn more about Axceler Solutions
• www.axceler.com
• Matthew.barrett@axceler.com

 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 

SharePointlandia 2013: SharePoint and Compliance

  • 1. SharePoint and Compliance… Oil and Water or Milk and Cookies?
  • 2. Agenda
    – About
    – Security Redux
    – Permissions
    – Authentication
    – Content/Access Control
    – Compliance
    – Alphabet Soup
    – The Road to Compliance
    – Compliance Specifics
    – Review
  • 3. Matt Barrett, Senior Solutions Engineer, Axceler ("Obligatory Self Promotion")
    – 6 years in security, 2 in SharePoint
    – Worked on the Metasploit project
    – Security Evangelist
    – Compliance Expert
    – Twitter: @mrbarrett; LinkedIn: www.linkedin.com/mrb08
  • 4. Axceler Overview: liberating collaboration in the social enterprise through visibility and control
    – Delivering award-winning administration and migration software since 1994
    – 3000 customers globally
    Dramatically improve SharePoint management
    – Innovative products that improve security and scalability
    – Making IT more effective and efficient and lowering the total cost of ownership
    Focus on solving specific SharePoint problems
    – Coach enterprises on SharePoint best practices
    – Give administrators the most innovative tools available
    – Deliver “best of breed” offerings
  • 5. Security Redux: Governance
    How are you using SharePoint?
    – Document repository vs. core business
    – A few select users or everybody?
    What secure content do you have?
    – Where is it?
  • 6. Security Redux: Authentication Methods
    – Windows Authentication: NTLM, Kerberos, Digest, Basic
    – SP Groups (SharePoint groups are an authorization construct rather than an authentication method, but they are where authenticated identities get mapped to rights)
    – Claims: SAML tokens; Forms-based against AD DS or LDAP
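The slide lists the authentication options; what a compliance reviewer actually wants is an inventory of which of them each web application and zone is using, with the weak settings called out (Basic authentication, Kerberos disabled so only NTLM is used, and a zone with no HTTPS binding at all). The script below is an added example and not code from the deck or from Axceler. It assumes the SharePoint 2010/2013 Management Shell on a farm server, run as a farm administrator; the cmdlet and property names (Get-SPWebApplication, IisSettings, ClaimsAuthenticationProviders, SecureBindings) are the server object model's.

```powershell
# Added example (not from the deck): inventory how each web application
# authenticates users, per zone, and flag what a compliance review will ask
# about: Basic auth, NTLM-only, and zones with no HTTPS binding.
# Assumes the SharePoint 2010/2013 Management Shell on a farm server, run as a
# farm administrator. All property names are the server object model's.
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

function Get-SPAuthInventory {
    $rows = @()
    foreach ($wa in Get-SPWebApplication) {
        foreach ($zone in $wa.IisSettings.Keys) {
            $iis   = $wa.IisSettings[$zone]
            $modes = @()
            $flags = @()

            if ($wa.UseClaimsAuthentication) {
                foreach ($p in $iis.ClaimsAuthenticationProviders) {
                    switch ($p.GetType().Name) {
                        'SPWindowsAuthenticationProvider' {
                            if ($p.DisableKerberos) { $modes += 'Windows (NTLM only)' } else { $modes += 'Windows (Kerberos, NTLM fallback)' }
                            if ($p.UseBasicAuthentication) { $flags += 'Basic auth on (credentials in clear unless TLS)' }
                            if ($p.DisableKerberos)        { $flags += 'Kerberos disabled' }
                        }
                        'SPFormsAuthenticationProvider' {
                            $modes += "Forms (membership=$($p.MembershipProvider); role=$($p.RoleProvider))"
                            $flags += 'Forms auth posts passwords: require HTTPS'
                        }
                        'SPTrustedAuthenticationProvider' {
                            $modes += "Trusted identity provider / SAML ($($p.DisplayName))"
                        }
                        default { $modes += $p.GetType().Name }
                    }
                }
            } else {
                # Classic-mode web application: the same switches live on SPIisSettings.
                $modes += 'Classic Windows'
                if ($iis.UseBasicAuthentication) { $flags += 'Basic auth on (credentials in clear unless TLS)' }
                if ($iis.DisableKerberos)        { $flags += 'Kerberos disabled' }
            }

            if ($iis.SecureBindings.Count -eq 0) { $flags += 'No HTTPS binding on this zone' }

            $rows += New-Object PSObject -Property @{
                WebApplication = $wa.DisplayName
                Zone           = $zone.ToString()
                Url            = $wa.GetResponseUri($zone).AbsoluteUri
                Modes          = ($modes -join '; ')
                Findings       = ($flags -join '; ')
            }
        }
    }
    $rows
}

Get-SPAuthInventory | Sort-Object WebApplication, Zone |
    Format-Table WebApplication, Zone, Url, Modes, Findings -AutoSize -Wrap
```

Kerberos is often left disabled because it needs SPNs registered for the application pool account; the report makes that decision visible so it can be justified rather than forgotten. Save the output with the date: it is the kind of evidence an auditor asks for under "access control/authentication".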
  • 7. Security Redux: What can be secured?
    – Sites
    – Libraries/Lists
    – Folders
    – Documents/Items
    Each level inherits its parent's permissions until inheritance is broken, so every break is a place a reviewer has to check.
  • 8. Security Redux: Management Challenges
    – Distributed vs. Centralized
  • 9. Security Redux: Management Challenges
    – Distributed vs. Centralized
    – Whose responsibility is it?
  • 10. Security Redux: Typical Best Practices vs. Compliance Best Practices
    – Visitors
    – Members
    – Read only?
  • 11. Security Redux: Typical Best Practices vs. Compliance Best Practices
    – Sites, lists and libraries share most permissions (inheritance)
    – Sensitive data is separated from normal data (typically this is all you need)
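Slides 7 and 11 describe the securable hierarchy and the rule that sensitive data lives behind its own permissions; slide 16's "least privilege" and slide 27's "confirmation of permissions" are the checks on that rule. The script below is an added example and not code from the deck or from Axceler. It walks one site collection, reports every web, list and item that breaks inheritance, and flags grants that contradict least privilege (Full Control, grants to all users, and direct user grants instead of groups). It assumes the SharePoint 2010/2013 Management Shell on a farm server; the site URL and the item-count cutoff are placeholders.

```powershell
# Added example (not from the deck): report every object in a site collection
# that breaks permission inheritance, with the grants that a least-privilege
# review should question. Assumes the SharePoint 2010/2013 Management Shell.
param(
    [string]$SiteUrl = 'https://intranet.contoso.local/sites/finance',  # assumed URL
    [int]$MaxItemsPerList = 5000   # assumed cutoff: skip item-level scans of very large lists
)
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Principals that turn a grant into "everyone": the classic login name and the
# claims-encoded "All Authenticated Users" and "All Users (windows)" forms.
$BroadPrincipals = @('NT AUTHORITY\authenticated users', 'c:0(.s|true', 'c:0!.s|windows')

function Get-GrantRows {
    param($Securable, [string]$Kind, [string]$Location)
    foreach ($ra in $Securable.RoleAssignments) {
        $roles = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })
        # "Limited Access" is SharePoint's own traversal grant, not a user decision.
        if ($roles.Count -eq 1 -and $roles[0] -eq 'Limited Access') { continue }
        $flags = @()
        if ($roles -contains 'Full Control')                      { $flags += 'Full Control granted' }
        if ($BroadPrincipals -contains $ra.Member.LoginName)     { $flags += 'Granted to all users' }
        if ($ra.Member -is [Microsoft.SharePoint.SPUser])         { $flags += 'Direct user grant (prefer groups)' }
        New-Object PSObject -Property @{
            Kind      = $Kind
            Location  = $Location
            Principal = $ra.Member.Name
            Roles     = ($roles -join ', ')
            Findings  = ($flags -join '; ')
        }
    }
}

function Get-BrokenInheritanceReport {
    param([string]$Url)
    $site = Get-SPSite $Url
    try {
        foreach ($web in $site.AllWebs) {
            try {
                # The root web always has its own assignments; subwebs only when inheritance is broken.
                if ($web.HasUniqueRoleAssignments) { Get-GrantRows $web 'Web' $web.Url }
                foreach ($list in $web.Lists) {
                    if ($list.Hidden) { continue }
                    if ($list.HasUniqueRoleAssignments) { Get-GrantRows $list 'List' $list.DefaultViewUrl }
                    if ($list.ItemCount -gt $MaxItemsPerList) { continue }   # scan big lists with a CAML query instead
                    foreach ($item in $list.Items) {
                        if ($item.HasUniqueRoleAssignments) { Get-GrantRows $item 'Item' $item.Url }
                    }
                }
            } finally { $web.Dispose() }
        }
    } finally { $site.Dispose() }
}

Get-BrokenInheritanceReport $SiteUrl |
    Sort-Object Kind, Location |
    Format-Table Kind, Location, Principal, Roles, Findings -AutoSize -Wrap
```

The useful output is not the list of breaks itself but the diff between two runs: an inheritance break that appeared since the last review is exactly the "distributed permission" change that nobody centrally approved. Item-level enumeration is expensive, which is why the cutoff exists; a farm with many large libraries should schedule this off-hours.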
  • 12. Compliance Changes Things… Plan your work, work your plan.
  • 13. Compliance: Alphabet Soup
    – Sarbanes-Oxley Act (SOX)
    – Healthcare Services (HIPAA)
    – Financial Services (GLBA)
    – California Senate Bill No. 1386
    – NERC Cyber Security Standards
    – Visa Cardholder Information Security Program, MasterCard Site Data Protection Program, American Express Data Security Standard (the card-brand programs that PCI DSS consolidated)
  • 14. Compliance Fact Sheet
    – 45 states (including CA) have some form of data breach law (as of 2013)
    – All different, but all require protection of PII (Personally Identifiable Information)
  • 15. What is PII?
    – Full name
    – National ID number
    – IP address (in some cases)
    – License plate number
    – Driver's license number
    – Face, fingerprints or handwriting
    – Credit card numbers!!
    – Date of birth
    – Birthplace
    – Genetic information
  • 16. Where Does This Come From? NIST SP 800-53 (National Institute of Standards and Technology)
    – Access Enforcement (AC-3)
    – Separation of Duties (AC-5)
    – Least Privilege (AC-6)
    – Limiting Remote Access (AC-17)
    – Protecting information at rest through the use of encryption (SC-28)
  • 17. Breaches are Costly!
    – Sony: 77 million accounts compromised (April 2011); Sony put the cost of fixing it at $171m
    – Fortune 50 leader in aerospace: fined $75m for leaking helicopter part information
    – Breaches cost $6m+ on average (source: Ponemon Institute)
  • 18. Compliance Changes Things… It's far more expensive to certify than to secure.
    – Best advice: limit your scope! The fewer sites and databases that hold regulated data, the less of the farm has to be certified.
  • 19. Step 1: Define Your (Forced) Compliance Goals!
    – Security vs. efficiency paradox
    – Trust, but verify
  • 20. Step 1: Define Your Compliance Goals! Understand your benchmarks
    – What current business processes could potentially be affected?
    – Optimization "ripples"
    – Efficiency theories
    – Collaboration: is it compliant?
  • 21. Step 1: Define Your Compliance Goals! Quickest is not always best
    – Take your time
    – Far cheaper in the long run
    – Shortcuts lead to breaches
    – Breaches lead to sad
  • 22. Step 2: Commit (Pilot, Review, Deploy). Building from scratch vs. adaptation
    – "You can tailor a framework to a regulation, but you can't tailor a regulation to a framework"
  • 23. Step 2: Commit (Dev). Build your pilot
    – Separate server
    – No real data
    – Study!
    – Gap analysis
  • 24. Step 2: Commit (Dev). Bring more cooks into the kitchen
    – Legal
    – Security team
    – Consultants (if necessary)
  • 26. Step 3: Assimilate (Test, Verify). Once you're sure...
    – After gap analysis
    – Dev to staging
    – Typically single-server
    – Introduce pilot users (try to break it)
    – Penetration test
    – Production
  • 27. Step 4: Maintain. Compliance one day doesn't guarantee compliance the next...
    – Monitor: service packs, user activity, confirmation of permissions
    – Monitor regulations: they change!
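"Monitor user activity" in this step, and the "audit controls/integrity" bullet under HIPAA on slide 31, both rest on SharePoint's site-collection audit log, which is off by default. The script below is an added example and not code from the deck or from Axceler. It turns auditing on for one site collection, sets a retention for the log, and pulls the permission changes, deletions and audit-setting changes from the last 30 days. It assumes the SharePoint 2010 SP1 or 2013 Management Shell on a farm server; the site URL, the retention value and the look-back window are placeholders.

```powershell
# Added example (not from the deck): enable site-collection auditing, set log
# retention, and list recent security-relevant events. Assumes the SharePoint
# 2010 SP1 / 2013 Management Shell on a farm server.
param(
    [string]$SiteUrl       = 'https://intranet.contoso.local/sites/hr',  # assumed URL
    [int]$RetentionDays    = 2190,  # assumed: about 6 years, matching the HIPAA retention period the deck cites
    [int]$LookbackDays     = 30
)
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

function Enable-SiteAuditing {
    param([Microsoft.SharePoint.SPSite]$Site, [int]$Days)
    # "All" includes View events, which grow the content database quickly on a
    # busy site; narrow the mask if the log becomes unmanageable.
    $Site.Audit.AuditFlags = [Microsoft.SharePoint.SPAuditMaskType]::All
    $Site.Audit.Update()
    # The Audit Log Trimming timer job deletes entries older than the retention.
    # Export audit log reports before entries age out if you need them longer.
    $Site.TrimAuditLog = $true
    $Site.AuditLogTrimmingRetention = $Days
}

function Get-RecentSecurityEvents {
    param([Microsoft.SharePoint.SPSite]$Site, [int]$Days)
    $q = New-Object Microsoft.SharePoint.SPAuditQuery($Site)
    $q.SetRangeStart((Get-Date).AddDays(-$Days))
    $q.SetRangeEnd((Get-Date))
    $q.AddEventRestriction([Microsoft.SharePoint.SPAuditEventType]::SecurityChange)
    $q.AddEventRestriction([Microsoft.SharePoint.SPAuditEventType]::Delete)
    $q.AddEventRestriction([Microsoft.SharePoint.SPAuditEventType]::AuditMaskChange)
    foreach ($e in $Site.Audit.GetEntries($q)) {
        # Entries carry only the user ID; resolve it while the account still exists.
        $login = "user#$($e.UserId)"
        try { $login = $Site.RootWeb.SiteUsers.GetByID($e.UserId).LoginName } catch { }
        New-Object PSObject -Property @{
            Occurred = $e.Occurred      # UTC
            Event    = $e.Event
            User     = $login
            Location = $e.DocLocation
            ItemType = $e.ItemType
            Source   = $e.EventSource
        }
    }
}

$site = Get-SPSite $SiteUrl
try {
    Enable-SiteAuditing -Site $site -Days $RetentionDays
    Get-RecentSecurityEvents -Site $site -Days $LookbackDays |
        Sort-Object Occurred |
        Format-Table Occurred, Event, User, Location, ItemType, Source -AutoSize -Wrap
} finally { $site.Dispose() }
```

AuditMaskChange is in the query on purpose: an attacker or a careless administrator who turns auditing off leaves exactly one trace, and that is it. The log lives in the content database, so the retention you set here also has to be reflected in the database backup and disaster recovery plan from slide 30.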
  • 28. Step 4: Maintain. Every new element needs to be vetted
    – One insecure element makes EVERYTHING insecure
  • 29. Compliance Generalities: compliance follows common themes, the CIA triad
    – Confidentiality
    – Integrity
    – Availability
  • 30. Compliance Specifics: HIPAA
    Data must always be encrypted
    – In transit and at rest
    – SSL/TLS
    Data must never be lost
    – DR plan
    Data must only be accessible by authorized personnel
    – Access control/authentication
    – User security
    – Password policies
    – New employee procedures
  • 31. Compliance Specifics: HIPAA
    Data must never be tampered with or altered
    – Audit controls/integrity
    – Unauthorized modification prevention
    Data should be encrypted if being stored/archived
    – Transparent SQL database encryption (TDE)
    Data can be permanently disposed of when no longer needed
    – Remember: health records must be stored for 6 years
    – Document retention policies
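"Transparent SQL DB encryption" is SQL Server Transparent Data Encryption applied to the content database, which is the supported way to cover the at-rest requirement from slides 30 and 31 without changing SharePoint. The script below is an added example and not code from the deck or from Axceler. It runs against the SQL instance, not the SharePoint servers, and assumes sysadmin rights, the SQLPS module (for Invoke-Sqlcmd), an edition that supports TDE (Enterprise, or Standard from SQL Server 2019 on) and a backup directory that already exists on the SQL host. The instance, database, certificate and path names are placeholders.

```powershell
# Added example (not from the deck): enable SQL Server Transparent Data
# Encryption on a SharePoint content database and verify it. Run against the
# SQL instance as sysadmin. Names below are placeholders.
param(
    [string]$SqlInstance   = 'SQL01\SHAREPOINT',   # assumed
    [string]$ContentDb     = 'WSS_Content_HR',     # assumed: the database holding the regulated sites
    [string]$CertBackupDir = 'D:\TDE-backup',      # assumed: restrict ACLs and copy the files off-box
    [Parameter(Mandatory=$true)][string]$MasterKeyPassword,   # no single quotes: it is spliced into T-SQL
    [Parameter(Mandatory=$true)][string]$CertBackupPassword
)
Import-Module SQLPS -DisableNameChecking -ErrorAction Stop

# Key hierarchy: service master key -> database master key (in master) ->
# server certificate (in master) -> database encryption key (in the content DB).
# Without the certificate backup the encrypted database cannot be restored
# anywhere else, which turns a DR exercise into data loss.
$setup = @"
USE master;
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '$MasterKeyPassword';
IF NOT EXISTS (SELECT 1 FROM sys.certificates WHERE name = 'SharePointTdeCert')
    CREATE CERTIFICATE SharePointTdeCert WITH SUBJECT = 'SharePoint content database TDE';
BACKUP CERTIFICATE SharePointTdeCert
    TO FILE = '$CertBackupDir\SharePointTdeCert.cer'
    WITH PRIVATE KEY (FILE = '$CertBackupDir\SharePointTdeCert.pvk',
                      ENCRYPTION BY PASSWORD = '$CertBackupPassword');
USE [$ContentDb];
IF NOT EXISTS (SELECT 1 FROM sys.dm_database_encryption_keys WHERE database_id = DB_ID())
    CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256
        ENCRYPTION BY SERVER CERTIFICATE SharePointTdeCert;
ALTER DATABASE [$ContentDb] SET ENCRYPTION ON;
"@
# BACKUP CERTIFICATE fails if the files already exist; that is the safe failure.
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $setup -QueryTimeout 600

# encryption_state 2 = encryption in progress, 3 = encrypted. The initial scan
# runs in the background and the database stays online while it completes.
$check = @"
SELECT d.name, d.is_encrypted, k.encryption_state, k.percent_complete,
       k.key_algorithm, k.key_length
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k ON d.database_id = k.database_id
WHERE d.name = '$ContentDb';
"@
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $check | Format-Table -AutoSize
```

Two caveats a reviewer will raise. TDE protects the data files, log and backups on disk; it does nothing about what an authorized SharePoint user can read, so the permission separation from slide 11 still carries the access-control requirement. And it covers only "at rest": the SharePoint-to-SQL connection needs Force Encryption on the instance for the "in transit" half of slide 30, which this script does not touch. Enabling TDE on any database also encrypts tempdb, so expect some CPU cost farm-wide.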
  • 32. Compliance Specifics: SOX
    All data must be...
    – Stored
    – Retained
    – Secured
    – Audited
    Proof of internal controls
    – Plans
    – Framework
    – Disclosure
  • 33. Compliance Specifics: PCI
    "If it touches something that stores or processes credit cards, it falls into the compliance scope"
    – Pen testing
    – External environment scanning
    – Gap analysis (PCI DSS)
    – Document management system
  • 34. Conclusion: compliance changes things slightly...
    – Fines are off the charts
    – More work
    – More diligence
  • 35. Thank You! Learn more about Axceler Solutions
    – www.axceler.com
    – Matthew.barrett@axceler.com