SHPT-00-000009 - SharePoint information management policies must be created, configured, and maintained to support the use of organizationally defined security attributes.


A SharePoint information management policy is a set of rules governing the availability and behavior of a certain type of content in the application. These policies enable administrators to control and evaluate who can access information, how long to retain information, and how effectively people are complying with the policy. For all systems processing non-publicly releasable information, an information management policy must be applied to content in document libraries and site collections by default. Applying policy to a content type or metadata allows the policy to be applied globally across document libraries, sites, or site collections.

These policies must be created and configured to automatically enforce organizationally defined security policy on a document library, a site, or a specific content type. Information management policy can be used to apply permissions, audit requirements, security labels, or barcodes based on organizationally defined content types, thus leveraging a centralized security policy and security attributes that bind to SharePoint information while in storage and in process.

NOTE: Sites should run and review usage reports for the information management policy. This report shows how many policies are in place in a web application and how many documents are affected by each policy. This information can help identify which SharePoint sites are not using the global policies, which may indicate a compliance issue. The information in this report can also help organizations determine how effectively the organizationally defined labeling and other compliance requirements documented in the Site Security Plan (SSP) are being implemented.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.


Create an information management policy and apply it to lists, libraries, and list content.
1. On the site collection home page, click Site Actions, then click Site Settings.
2. On the Site Settings page, in the Site Collection Administration list, click Site collection policies.
3. On the Site Collection Policies page, click Create.
4. Follow the menus and prompts to create a name and description for the policy.
5. Configure the desired features to associate with the policy.
6. When finished selecting the options for the individual policy features to add to this information management policy, click OK to apply the policy features.
7. Once an information management policy has been created for the site collection level, apply it to lists, libraries, or list content type in accordance with organizationally defined security requirements.
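
Because this check is manual, a reviewer can confirm the result of step 7 with a read-only inventory of which document library content types actually carry a policy. The script below is an added example, not part of the benchmark. It assumes it is run in the SharePoint Management Shell on a farm server by a site collection administrator, that the Microsoft.Office.Policy assembly (SharePoint Server) is installed, and that the site URL shown is a placeholder.

```powershell
# Added example: read-only audit of information management policy coverage.
# Placeholder URL (assumption); replace with the site collection under review.
param([string]$SiteUrl = "https://sharepoint.example.local/sites/records")

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
# Server object model for information management policy (SharePoint Server only).
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Office.Policy")

$site = Get-SPSite $SiteUrl
$rows = @()
try {
    # Policies defined at the site collection level (created in steps 1-6).
    $catalog = New-Object Microsoft.Office.RecordsManagement.InformationPolicy.PolicyCatalog($site)
    Write-Host "Site collection policies in $($site.Url):"
    foreach ($p in $catalog.PolicyList) {
        Write-Host ("  {0}: {1}" -f $p.Name, $p.Description)
    }

    foreach ($web in $site.AllWebs) {
        try {
            foreach ($list in $web.Lists) {
                # Only visible document libraries are in scope for this report.
                if ($list.Hidden) { continue }
                if ($list.BaseType -ne [Microsoft.SharePoint.SPBaseType]::DocumentLibrary) { continue }

                foreach ($ct in $list.ContentTypes) {
                    # GetPolicy returns $null when no policy is bound to the content type.
                    $policy = [Microsoft.Office.RecordsManagement.InformationPolicy.Policy]::GetPolicy($ct)
                    $policyName = "(none)"
                    if ($policy -ne $null) { $policyName = $policy.Name }
                    $rows += New-Object PSObject -Property @{
                        Web         = $web.Url
                        Library     = $list.Title
                        ContentType = $ct.Name
                        Policy      = $policyName
                    }
                }
            }
        } finally { $web.Dispose() }
    }
} finally { $site.Dispose() }

# Libraries whose content types show "(none)" are the ones to compare against the SSP.
$rows | Sort-Object Web, Library, ContentType |
    Format-Table Web, Library, ContentType, Policy -AutoSize
```

The script changes nothing in the farm; rows with `(none)` are candidates for review against the organizationally defined requirements, not automatic findings.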

Item Details


References: 800-53|CM-1a.1., CAT|II, CCI|CCI-000287, Rule-ID|SV-40023r2_rule, STIG-ID|SHPT-00-000009, Vuln-ID|V-30364

Plugin: Windows

Control ID: 0d93821cb9c971ef4dc4e247d13cb024c68e844a3a9815ef74de6eb05a3ca227