A subject that often gets raised in organisations is how secure the stored data is. With SharePoint you can use permissions on a site level, list or library level, sub-folder level, or document level to restrict access to information. You can then decide whether users can read, edit or manage the content on those levels using the default groups of Members, Owners and Visitors.
However, that doesn’t mean that those documents won’t come up in the search results anyway. This is something that the Risk departments often raise. Users could get sneaky with the way they search, or you may not understand permissions yet and inadvertently be exposing your sensitive data to everyone in the organisation.
As a Site Owner or Site Collection Administrator, you can decide if the content on an entire set of sites can be available in search results or not; or the content of a specific list or library; or the data that exists in columns and web parts – all without setting permissions.
To prevent content from being searchable on a site level, you would click on Site Actions – Site Settings – Search and Offline Availability. Note what the description says: if you block search from this site, all subsites from this level down will also be excluded from the search results. Plan correctly.
You can also drop web parts onto a page that has content with unique permissions on it. To be extra sure that content does not get exposed by accident, you can also use the search setting for .aspx pages. (Look at the URL / link of your SharePoint site: at the end you will see .aspx. The sites, lists and libraries all end with that extension.) Again, go to Site Actions – Site Settings – Search and Offline Availability and select Do Not Index Web Parts if This Site Contains Fine-Grained Permissions (that means unique permissions on something).
And finally, you can restrict what columns (metadata) can be searched to secure sensitive data. Go to Site Actions – Site Settings – Searchable Columns (under Site Administration; this is not available in SharePoint Foundation, though). All the available columns are displayed and you can click to select the columns you want hidden, like salaries. The columns displayed are the ones applicable to the site you’re on.
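The three settings above can also be checked in bulk. The PowerShell below is an added example, not part of the original post: a read-only audit for on-premises SharePoint, run from the SharePoint Management Shell on a farm server. It assumes the UI settings correspond to the server object model's NoCrawl and ASPXPageIndexMode properties, and the site collection URL is a placeholder.

```powershell
# Added example (not from the original post). Read-only: changes no settings.
# Assumes on-premises SharePoint and the SharePoint Management Shell.
# The URL below is a placeholder; replace it with your own site collection.
$SiteUrl = "http://sharepoint.example.local/sites/hr"

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$site = Get-SPSite -Identity $SiteUrl
$rows = @()
$hiddenColumns = @()
try {
    foreach ($web in $site.AllWebs) {
        try {
            # Site level: Search and Offline Availability
            $rows += New-Object PSObject -Property @{
                Scope = "Site"; Url = $web.Url; Title = $web.Title
                UniquePermissions  = $web.HasUniqueRoleAssignments
                ExcludedFromSearch = $web.NoCrawl
                AspxIndexMode      = $web.ASPXPageIndexMode
            }
            # List and library level
            foreach ($list in $web.Lists) {
                if ($list.Hidden) { continue }
                $rows += New-Object PSObject -Property @{
                    Scope = "List"; Url = $web.Url; Title = $list.Title
                    UniquePermissions  = $list.HasUniqueRoleAssignments
                    ExcludedFromSearch = $list.NoCrawl
                    AspxIndexMode      = $null
                }
            }
            # Column level: Searchable Columns
            foreach ($field in $web.Fields) {
                if ($field.NoCrawl) { $hiddenColumns += "$($web.Url): $($field.Title)" }
            }
        }
        finally { $web.Dispose() }
    }
}
finally { $site.Dispose() }

# Sites and lists with unique permissions that search can still index
$rows | Where-Object { $_.UniquePermissions -and -not $_.ExcludedFromSearch } |
    Select-Object Scope, Url, Title, AspxIndexMode | Format-Table -AutoSize

# Columns currently excluded from search
$hiddenColumns
```

The root site of a site collection always reports unique permissions, so expect it in the first table unless the whole site is excluded from search.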
While these are great options for preventing accidental exposure of your content, it is best practice to fully understand the permission / security model of SharePoint sites to make everything super secure.
You need to have governance in place as to what is considered sensitive or confidential content; that must be clearly defined. You need to decide what security level all your content needs to be at and tag all your content accordingly. This is also a legislative requirement in many industries. All this needs to be clearly communicated to your user base.
If you are using team sites, intranet sites and My Sites, make sure people understand the differences between storing their content in each of those areas, and get your IT department to make sure the search scopes are set up correctly to prevent operational, ring-fenced content from being exposed to the whole organisation.
To find out who has access to a specific document across the whole platform, you would need third-party tools; you can’t do that out of the box. You’d need to look at products like AvePoint, Idera, ControlPoint, etc.
That’s what Bruce would do!