SharePoint Security Guide
The following information outlines the steps necessary to store sensitive data in SharePoint securely. As a site owner, you are responsible for ensuring that configuration changes are made before any data is stored in SharePoint. A site owner also manages the groups and users that have access to their site(s).
Create a New SharePoint Site
Sensitive data may be stored in SharePoint. However, it is essential to configure the site so that data is protected. This section provides a walkthrough for creating a new SharePoint Site with a secure configuration.
- Log in to Office 365, then navigate to the SharePoint app.
- Click Create site in the top left corner to create a new site.
- From the window that appears, select Teams Site.
- Fill out the Site Information such as site name and description. In the Privacy Settings box, select Private, then select Next when you are done.
- Use the Who do you want to add? window to add people, by name or email address, as either site Owner or site Member. When you are done, click Finish.
Note: The number of site owners needs to be as small as possible; usually, there only needs to be one. The site creator is automatically a site owner. All other team members can be added as site members. Site members will have edit permission to all files on the site. Later we will cover how to give read-only access to members.
- To set controls for sharing and adding new members, click the top-right gear icon for setting options, then select Site permissions from the drop-down menu.
- Use the site permission panel to invite more new members, change the existing user and group access level, and change how members can share.
Note: Clicking the Advanced permissions settings link opens a new window that offers the same functionality as the current panel.
- Click Change how members can share, then select the third option from the Sharing permissions window.
Note: Only site owners can share a file outside of the site.
- Set Allow access requests to Off, then click Save.
Note: This means that anyone interested in joining the site will need to contact the site owner directly.
Your site is ready for sensitive data. It is the responsibility of the site owner to make sure the secure configurations stay intact. The site owner must continue to monitor site members and remove anyone who no longer needs access.
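The walkthrough above is done through the SharePoint web interface. As an added example that is not part of the original guide, the following PowerShell script lets a SharePoint administrator check from the SharePoint Online Management Shell that the site-level sharing configuration set in those steps has not drifted, and optionally sets it back. It assumes the Microsoft.Online.SharePoint.PowerShell module is installed and the account running it is a SharePoint administrator; the tenant and site URLs are placeholders, the expected sharing capability (ExternalUserSharingOnly, so owners can still invite named external collaborators but anonymous "Anyone" links are blocked) is an assumption about the tenant policy, and the DisableSharingForNonOwners property name should be verified against the module version in use.

```powershell
# Added example, not from the original guide. Requires the SharePoint Online
# Management Shell (Microsoft.Online.SharePoint.PowerShell) and a SharePoint
# administrator account. The URLs below are placeholders.
param(
    [string]$AdminUrl = 'https://TENANT-admin.sharepoint.com',            # placeholder
    [string]$SiteUrl  = 'https://TENANT.sharepoint.com/sites/SITE-NAME',  # placeholder
    [switch]$Fix  # without -Fix the script only reports; with -Fix it remediates
)

# Assumed tenant policy: named external users may be invited by owners, but
# anonymous "Anyone" links are not allowed on sites holding sensitive data.
$ExpectedSharing = 'ExternalUserSharingOnly'

function Test-SiteSharingConfig {
    param([string]$Url, [string]$Expected)

    $site = Get-SPOSite -Identity $Url -Detailed
    $findings = @()

    if ("$($site.SharingCapability)" -ne $Expected) {
        $findings += "SharingCapability is $($site.SharingCapability); expected $Expected"
    }

    # Guide step "Change how members can share": only site owners may share.
    # Property name taken from the Set-SPOSite documentation; verify on your module version.
    if (-not $site.DisableSharingForNonOwners) {
        $findings += 'Site members can still share files, folders and the site'
    }

    [pscustomobject]@{
        Url               = $site.Url
        Title             = $site.Title
        SharingCapability = "$($site.SharingCapability)"
        OwnersOnlyShare   = [bool]$site.DisableSharingForNonOwners
        Findings          = $findings
        Compliant         = ($findings.Count -eq 0)
    }
}

function Repair-SiteSharingConfig {
    param([string]$Url, [string]$Expected)
    # Put the site-level sharing capability back to the expected value
    Set-SPOSite -Identity $Url -SharingCapability $Expected
    # Restrict sharing of files, folders and the site to site owners
    Set-SPOSite -Identity $Url -DisableSharingForNonOwners
}

Connect-SPOService -Url $AdminUrl
$report = Test-SiteSharingConfig -Url $SiteUrl -Expected $ExpectedSharing
$report | Format-List

if (-not $report.Compliant) {
    if ($Fix) {
        Repair-SiteSharingConfig -Url $SiteUrl -Expected $ExpectedSharing
        # Re-check so the run ends with the state the site is actually in
        Test-SiteSharingConfig -Url $SiteUrl -Expected $ExpectedSharing | Format-List
    } else {
        Write-Warning "Site $SiteUrl has drifted from the secure baseline; rerun with -Fix to remediate."
    }
}
```

Run it without -Fix on a schedule to catch drift; the "Allow access requests" setting from the last step is not covered by this script and is still checked in the Site permissions panel.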
Edit Permission Levels for Users and Groups
Permission levels for users and groups will probably need to change through the site’s lifecycle. To change user and group permission levels:
- Click the top-right gear icon for setting options, then select Site permissions from the drop-down menu. For more information, see the site-level sharing settings steps above.
- All current team members' permission levels can be viewed on this panel. The drop-down arrow below each user or group lets the site owner(s) change the permission level. Any user or group with full control will be listed in the site owner section.
Note: The site owner group needs to remain as small as possible. Any user or group with edit permission will be listed in the site member’s section. Any user or group with read permission will be listed in the site visitor section.
It is the responsibility of the site owner to manage who needs edit or read-only permissions. If a user or group no longer needs any access to the site, they can be removed entirely from this panel.
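As an added example that is not part of the original guide, the following PowerShell functions produce the same picture as the Site permissions panel from the SharePoint Online Management Shell: every site group with the permission level it holds and its members, a check that the Full Control (site owner) group is no larger than allowed, a way to move a user from edit to read-only access (the read-only case mentioned earlier in the guide), and removal of a user who no longer needs access. It assumes an existing Connect-SPOService session as a SharePoint administrator; the site URL is a placeholder, and the group titles passed to Set-UserReadOnly are whatever the report shows for the site.

```powershell
# Added example, not from the original guide. Uses the SharePoint Online
# Management Shell; assumes an existing Connect-SPOService session and a
# SharePoint administrator account. The site URL is a placeholder.
$SiteUrl = 'https://TENANT.sharepoint.com/sites/SITE-NAME'  # placeholder

# Report every site group with the permission levels (roles) it holds and the
# logins it contains; this mirrors the owner/member/visitor sections of the panel.
function Get-SitePermissionReport {
    param([string]$Url)
    Get-SPOSiteGroup -Site $Url | ForEach-Object {
        [pscustomobject]@{
            Group       = $_.Title
            Roles       = ($_.Roles -join ', ')
            MemberCount = @($_.Users).Count
            Members     = ($_.Users -join '; ')
        }
    }
}

# The guide says the owner group must stay as small as possible; flag any
# group holding Full Control that has more members than the allowed maximum.
function Find-OversizedOwnerGroups {
    param([string]$Url, [int]$MaxOwners = 1)
    Get-SPOSiteGroup -Site $Url |
        Where-Object { ($_.Roles -contains 'Full Control') -and (@($_.Users).Count -gt $MaxOwners) } |
        Select-Object Title, @{ n = 'MemberCount'; e = { @($_.Users).Count } }, Users
}

# Give a user read-only access instead of edit: add them to the visitors group
# first, then remove them from the members group, so access never lapses.
# Group titles are supplied by the caller; Get-SitePermissionReport shows them.
function Set-UserReadOnly {
    param([string]$Url, [string]$LoginName, [string]$MembersGroup, [string]$VisitorsGroup)
    Add-SPOUser -Site $Url -LoginName $LoginName -Group $VisitorsGroup | Out-Null
    Remove-SPOUser -Site $Url -LoginName $LoginName -Group $MembersGroup
}

# Remove a user who no longer needs any access to the site.
function Remove-SiteAccess {
    param([string]$Url, [string]$LoginName)
    Remove-SPOUser -Site $Url -LoginName $LoginName
}

Get-SitePermissionReport -Url $SiteUrl | Format-Table -AutoSize
Find-OversizedOwnerGroups -Url $SiteUrl -MaxOwners 1 | Format-List
```

Run the two report calls as part of a periodic membership review; the remediation functions take a login name from that report, so the owner is always acting on what the site actually contains.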
Add External Collaborators (As Needed)
A site owner can share the contents of a site with non-Pitt collaborators by following these steps:
- Click the top-right gear icon for setting options, then select Site permissions from the drop-down menu. For more information, see the site-level sharing settings steps above.
- Click Invite people at the top of the panel, then select Share site only from the drop-down menu.
Note: It will not work if you select Add members to group.
- Enter the external user's name or email address in the text field provided, locate the user from the drop-down list, then click Add.
It is the responsibility of the site owner to manage the external users that require access. It is important to set their permission levels to edit or read. Please remove their access when it is no longer required.
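As an added example that is not part of the original guide, the following PowerShell functions help a site owner keep up with the external users who have access to a site: they list the external users who have accepted an invitation to the site, flag those whose invitation is older than a review window, and revoke a single user's access to the site. They use the SharePoint Online Management Shell and assume an existing Connect-SPOService session as a SharePoint administrator; the site URL is a placeholder and the 90-day review window is an assumption.

```powershell
# Added example, not from the original guide. SharePoint Online Management
# Shell; assumes an existing Connect-SPOService session. The site URL is a placeholder.
$SiteUrl = 'https://TENANT.sharepoint.com/sites/SITE-NAME'  # placeholder

# List the external users who have accepted an invitation to this site.
# Get-SPOExternalUser returns at most 50 results per call, so walk the pages.
function Get-SiteExternalUsers {
    param([string]$Url)
    $position = 0
    do {
        $page = @(Get-SPOExternalUser -SiteUrl $Url -Position $position -PageSize 50)
        $page
        $position += $page.Count
    } while ($page.Count -eq 50)
}

# Flag external users whose invitation is older than the review window, so the
# site owner can confirm they still need access before the next review.
function Find-StaleExternalUsers {
    param([string]$Url, [int]$MaxAgeDays = 90)  # window is an assumption
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    Get-SiteExternalUsers -Url $Url |
        Where-Object { $_.WhenCreated -lt $cutoff } |
        Select-Object Email, DisplayName, InvitedBy, WhenCreated, AcceptedAs
}

# Revoke one external user's access to this site (the user's guest account in
# the tenant is left alone; only this site's permissions are removed).
function Remove-ExternalSiteAccess {
    param([string]$Url, [string]$LoginName)
    Remove-SPOUser -Site $Url -LoginName $LoginName
}

Get-SiteExternalUsers -Url $SiteUrl | Format-Table Email, DisplayName, InvitedBy, WhenCreated -AutoSize
Find-StaleExternalUsers -Url $SiteUrl -MaxAgeDays 90 | Format-Table -AutoSize
```

The stale-user list is a prompt for the owner to confirm with the collaborator's sponsor, not an automatic removal; pass the LoginName from the listing to Remove-ExternalSiteAccess once access is confirmed to be no longer required.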