Adding Security to SharePoint for Stronger DoD 5015.2 Compliance

DoD 5015.2 mandates requirements for DoD records management systems. The ability to add metadata tags and to secure these tags is one of the key mandatory requirements. The general access control requirements are defined in section C2.2.8. Though SharePoint by itself can meet most of these security requirements, it can be overly complicated to setup security permissions in SharePoint especially when trying to protect information at the record level. Titus has developed a number of SharePoint security solutions which make it easier to meet DoD 5015.2 security requirements when using Microsoft SharePoint.

Automating Security Permissions Titus Metadata Security for SharePoint allows DoD administrators to quickly configure and maintain appropriate security permissions for their records. The solution allows administrators to automatically apply SharePoint permissions based on the record’s metadata. The example below shows how administrators can build simple rules in Titus Metadata Security for SharePoint to automatically maintain correct security permissions. This example shows how records with metadata = "Finance" can be automatically assigned SharePoint permissions.

 

Click to view larger image 

For the handling of Classified information DoD 5015.2 requires additional capabilities. One of the additional security requirements is defined in section C3.1.21. which states “RMAs shall provide a capability whereby authorized individuals may restrict access to records and their metadata based on access criteria. In addition to baseline access restriction capabilities, these additional criteria include:

C3.1.21.1. Current Classification (subparagraph C3.T1.2.).

C3.1.21.2. Supplemental Marking List (subparagraph C2.T2.6.).

C3.1.21.3. Metadata Elements identified by the organization to be used for access control.”

Titus Metadata Security for SharePoint meets the requirements of C3.1.21. The example below shows how an administrator can build a rule so that permissions to records are granted based on the record’s current classification.

Another requirement for the handling of Classified records as stated in C3.2.2. is the Marking of Printouts and Displays. “Current classification, reasons for classification, and downgrading instructions should be required metadata items for displays, printouts, reports, queries, review lists, etc. when organizations implement classification restrictions on individual selected metadata fields. The highest classification level shall be displayed (in the header and footer of the printout) when aggregate results are displayed.“

The Titus Document Policy Manager for SharePoint meets this requirement. This solution can automatically mark classification headers/ footers on Microsoft Office documents and PDFs for displays, printouts etc. The example below shows the results of automatic header / footer marking (CONFIDENTIAL) on a document.

Titus also offers solutions for classification / downgrading and declassification of records as required by DoD 5015.2 section C3.3. (PRODUCT COMBINATIONS) which states “RMAs should interact with auto-classifiers, tools for downgrading and declassifying, and other tools that support the creation of classified records. When RMAs are integrated with or use services of these tools, the tools should automatically pass record metadata from the creating environment to the appropriate RMA record metadata fields as mapped by the organization.” The Titus solutions interoperate with Microsoft SharePoint to pass the appropriate metadata fields to SharePoint Records Manager metadata fields.