| Date post: | 07-Sep-2018 |
| Category: | Documents |
| View: | 217 times |
| Download: | 0 times |
A SharePoint Administrators
Practical Guide to Cybersecurity
1060/CN/A.1/207/
Course 1060
Contributing Author:
Aaron Kraus, Certified Information System Security Professional (CISSP),
CompTIA Security+CE
2012 Learning Tree International, Inc. All rights reserved, Inc. Not to be reproduced without prior written consent.
1060-2
To Join the Audio Conference
For todays session, were using a conference bridge to eliminate the need for microphones and system validations
From a direct line1. Enter your directly dialed
telephone number (no
extensions) into the Join
Teleconference dialog box
2. Click Call My Phone
From an internal extension line or from outside the U.S. or Canada
1. Dial:
2. Enter *5555#Note: To redisplay the Join
Teleconference dialog box, click
the Audio Conference Options
button at the bottom of the
Attendee List and select Call Me
1
2
2012 Learning Tree International, Inc. All rights reserved, Inc. Not to be reproduced without prior written consent.
1060-3
Learning Tree AnyWareTM: Quick Tour
To ask questions Click the Chime In button icon and well unmute your audio
AnyWare status symbols Agree/Disagree
Chat Use to share information via a
text message
Click the drop-down arrow to
select the recipient
Private messages Use to send a private message
to your instructor
Displays in red text
2012 Learning Tree International, Inc. All rights reserved, Inc. Not to be reproduced without prior written consent.
1060-4
Learning Tree AnyWareTM: Quick Tour
(continued)
Technical support If you need technical assistance,
click the Get Assistance button
to initiate a chat session with an
AnyWare support technician
Enter your question and click the
Send Message button
An AnyWare support technician
will provide the assistance that
you need
Once your issue is resolved, the
technician will close the ticket
2012 Learning Tree International, Inc. All rights reserved, Inc. Not to be reproduced without prior written consent.
1060-5
About Learning Tree International
Learning Tree International was founded in 1974 More than 2.1 million technology professionals and managers from over
65,000 organizations trained to date
In-depth course curriculummore than 235 titles and growing Includes more than 90 management titles
Courses are developed and taught by technology and business professionals actively working in the field
Public and on-site courses are available at Learning Tree and client locations worldwide
This course is being delivered using Learning Tree AnyWare Our (patent pending) training delivery solution that connects online
participants to a live, instructor-led classroom
2012 Learning Tree International, Inc. All rights reserved, Inc. Not to be reproduced without prior written consent.
1060-6
About Your Instructor
Background and education
Current position
Experience
Poll
2012 Learning Tree International, Inc. All rights reserved, Inc. Not to be reproduced without prior written consent.
1060-7
Session Objectives
In this presentation, we will
Define cybersecurity and its importance to SharePoint admins
Plan for SharePoint security by integrating security throughout the SDLC Explore a real-world case study involving a SharePoint data breach
Address security requirements at various layers of a SharePoint deployment
Server and farm layer
Network and perimeter defenses
End-user layer
This presentation will be sent to all attendees following this course
2012 Learning Tree International, Inc. All rights reserved, Inc. Not to be reproduced without prior written consent.
1060-8
SharePoint Security Best Practices
SharePoint is a team tool: Security may not be your responsibility, but
you can advocate for proper security measures
Establish a SharePoint steering committee to involve all stakeholders,
such as IT security, network, and business users
Start with a secure core of hardened infrastructure
Create unique credentials for SharePoint installation account
Create non-obvious user IDs and strong passwords for service accounts
Change SharePoint service account passwords regularly
Document SharePoint security/usage policies, and train your users
Provide additional training to users with escalated privileges, such as site
administrators and designers
Audit critical items, such as remote access, device configurations, and
user management
2012 Learning Tree International, Inc. All rights reserved, Inc. Not to be reproduced without prior written consent.
1060-9
A SharePoint Administrators Practical Guide
to Cybersecurity
Define Cybersecurity
Plan for SharePoint Security by Integrating
Security Throughout the SDLC
Address Security Requirements at Various
Layers of a SharePoint Deployment
2012 Learning Tree International, Inc. All rights reserved, Inc. Not to be reproduced without prior written consent.
1060-10
What Is Cybersecurity?
The ability to protect and defend critical Information Technology (IT) systems, preserving CIA:
Confidentiality: to ensure that only authorized users have access
Integrity: to ensure that only approved changes are made
Availability: to ensure that critical resources are accessible when and where
needed
SharePoint requires a multidisciplinary approach to security, because
It encompasses a broad range of technologies
It places a great deal of power in the hands of
end users, including security decisions
Cyber threat is one of the most serious economic
and national security challenges we face.
President Barack Obama
2012 Learning Tree International, Inc. All rights reserved, Inc. Not to be reproduced without prior written consent.
1060-11
Data Breaches Are Costly
Data breaches are costly and can carry significant legal or regulatory consequences
The average cost of a data breach to an organization is $7.3 million per
breach ($214 per compromised record)*
Attacks against the Sony PlayStation network were estimated to cost more
than $178 million in 2011**
Costs for lost business, loss of goodwill,
etc., are impossible to calculate
Cybersecurity concerns for SharePoint admins Control user access
Enforce restrictions on user actions
Secure infrastructure and access methods
The goal of a SharePoint security program is to safeguard data!
*bit.ly/eiz9Ec
**bit.ly/LSjbpw
2012 Learning Tree International, Inc. All rights reserved, Inc. Not to be reproduced without prior written consent.
1060-12
Standards, Laws, and Regulations
Securing SharePoint may require adherence to or implementation of Standards
ISO/IEC 27000-defined Information Security Management System
NIST Special Publication (SP) Series / DOD DIACAP Framework
ITIL V3 Information Security Management (ISM)
Laws
Federal Information Security Management Act (FISMA)
Health Insurance Portability and Accountability Act (HIPAA)
Sarbanes-OXley (SOX)
EU Data Protection Directive/Regulation
Industry regulation
Payment Card Industry Data Security Standard (PCI DSS)
ISO/IEC = International Organization for Standardization/International Electrotechnical Commission
ITIL = Information Technology Infrastructure Library
NIST = National Institute for Standards and Technology
ITIL is a Registered Trade Mark of the Cabinet Office.
2012 Learning Tree International, Inc. All rights reserved, Inc. Not to be reproduced without prior written consent.
1060-13
A SharePoint Administrators Practical Guide
to Cybersecurity
Define Cybersecurity
Plan for SharePoint Security by Integrating
Security Throughout the SDLC
Address Security Requirements at Various
Layers of a SharePoint Deployment
2012 Learning Tree International, Inc. All rights reserved, Inc. Not to be reproduced without prior written consent.
1060-14
SharePoint Is Multilayered
A SharePoint ecosystem is composed of many elements, each with unique security concerns
Windows Server, MS SQL Server, .NET, IIS, ASP
A variety of end-user access protocols, devices, and client programs
Administrative responsibility is often split across the organization, including server admins, SharePoint admins, and individual site admins
Security should start before you install and deploy SharePoint
Properly securing SharePoint is a multidisciplinary, collaborative effort
SharePoint is a collaborative and user-empowering technology The majority of security decisions fall to end users
The tool is designed to facilitate information sharing, making it a virtual
goldmine for hackers
2012 Learning Tree International, Inc. All rights reserved, Inc. Not to be reproduced without prior written consent.
1060-15
A Plan is Required
Cost-effective controls should be chosen Control cost should never exceed the value of the asset being safeguarded
Categorize the data and access to the system to guide control selection
Security is most easily
of 41
