Sharepoint Access Control

The University is committed to following best practices concerning data privacy and protection. Maintaining the confidentiality, integrity, availability and regulatory compliance of regulated or restricted university data stored and/or processed via SharePoint is a requirement of all GW SharePoint users, whether they are SharePoint site Owners, members, or visitors.

SharePoint site Owners (“Owners”) are individuals with Full Control privileges to a given SharePoint site. They are able to adjust the security/permissions of the site they own. They can adjust the site’s settings and appearance, edit pages, add web parts, create new sub-sites and even delete a site.

SharePoint site Members: individuals with edit and contribute permission level, who are able to edit site content. Permission level depends on the site template that was used to create the site.

SharePoint site Visitors: individuals with read only permission level, who are able to see site content, but not edit it.

SharePoint Site Owner  Responsibilities

Owners are responsible for compliance with applicable data privacy and data protection requirements, including compliance with privacy laws and regulations, as outlined in the Privacy of Personal Information Policy. 

Key steps to ensure compliance with privacy and data protection requirements: 

1. KNOW THE DATA STORED AND/OR MANAGED VIA YOUR SHAREPOINT SITE 

• Conduct a data inventory for your SharePoint site and identify the libraries and/or workflows where restricted or regulated university data is stored and managed. 
• Assess the level of sensitivity of the data stored and managed via your SharePoint site. Use the Data Classification Guide to determine whether the data stored is regulated, restricted or public. 
• Follow the data protection guidance to appropriately store and manage data in SharePoint. 

• Data Protection Guidance for SharePoint

  Regulated Data	Restricted Data	Public Data
  Do NOT store in SharePoint.	OK to store in SharePoint.	OK to store in SharePoint.

SharePoint has NOT been approved for storage of Regulated Data. 

SharePoint Team Sites with Business Process Automation (e.g. workflows) may include Regulated and/or Restricted data ONLY upon completion of a security assessment by GW IT Information Security and an Authority to Operate (ATO) granted prior to Go Live.

2. PROTECT YOUR DATA - MANAGE PERMISSIONS TO YOUR SHAREPOINT SITE

The Owner is responsible for all access and permissions to content stored on their SharePoint site. Permissions define what access groups and individuals have on the SharePoint sites. A permission level is a set of permissions that can be assigned to a specific group for a specific SharePoint site or Library. 

Owners must:

• Determine who needs access to your SharePoint site and the permission level needed for each individual.
• Follow the Principle of Least Privilege: Give people the lowest permission levels they need to perform their assigned tasks.  
• Give people access by adding them to groups (such as Members, Visitors, and Owners).  

SharePoint Groups 

3. PROTECT YOUR DATA – MANAGE LIST AND LIBRARIES PERMISSIONS 

By default, each list and library will inherit the Site permissions.  If you have sensitive data, you may want to override the site permissions.  This allows you to customize the permissions to the right set of users. To customize your list or library permissions, follow these instructions:  

• Navigate to the List or Library.  
• Choose  Settings and then List Settings.

• Click Permissions for this list.  

• Click  Stop Inheriting  permissions. 

• Check the group that you would like to remove and then click Remove User Permissions.   If you would like to Add a new group, click Grant permissions.   

4. PROTECT YOUR DATA – CONDUCT A PERMISSIONS REVIEW  

SharePoint Owners must review their site's permission settings, and content of permission groups periodically, for all SharePoint sites and libraries collecting and managing university data, to ensure compliance with applicable privacy policies and data protection requirements.  

Owners should determine the permissions review frequency based on the classification of the data they manage in SharePoint and the worst possible consequences of incorrect access. 

5. PROTECT YOUR DATA – ACCESS REVIEWS

Access reviews should be performed no less than once every year, especially for lists that contain Personal Identifiable Information (PII) data or sensitive information. 

• Navigate to the List or Library . 
• Choose  Settings and then  Site permissions. 
• Select Advanced permissions settings.

• Review permission group members and access, be sure to remove/add group members as needed.   

Manage Site Alerts – Site Owners should also avoid setting ‘alerts’ for site where PII data or sensitive information is stored.   

• Navigate to the SharePoint Site. 
• Select the ellipsis and then select Manage my alerts. 

• Select Delete Selected Alerts – if there are current alerts established, they will be visible here.  The Site Owner can then delete unwanted alerts from the list. 

MORE INFORMATION REGARDING SHAREPOINT PERMISSIONS MAY BE FOUND AT LINKEDIN LEARNING.