2.25.20 SharePoint

Manual Transmittal

December 11, 2020

Purpose

(1) This transmits new IRM 2.25.20, Integrated Enterprise Portal-Web Services, SharePoint. This IRM will address operational controls, program level controls and technology governance for the Enterprise SharePoint environment.

Material Changes

(1) This transmits new rules and guidelines in the use and management of the IRS SharePoint Platform.

(2) SharePoint Services was previously known as SharePoint Program Management Office (SharePoint PMO)

Effect on Other Documents

None

Audience


Users of SharePoint to include IRS staff interfacing with the system in any capacity including administrator (site owner), content author (site member with write permissions), or content consumer (site visitor with read permissions).

Effective Date

(12-11-2020)

Nancy Sieger
Acting Chief Information Officer

Program Scope and Objectives

  1. SharePoint is used throughout the Service as a collaborative and content management platform to support and enhance the productivity of IRS staff (employees and contractors). SharePoint Services provides the IRS SharePoint platform and related capabilities.

  2. Purpose: SharePoint Services maintains operational continuity, enforces policy, provides enterprise-wide governance, and encourages SharePoint users to adopt SharePoint best-practices.

  3. Audience: Users of SharePoint to include IRS staff interfacing with the system in any capacity including administrator (site owner), content author (site member with write permissions), or content consumer (site visitor with read permissions).

  4. Policy Owner: The Director, Information Technology Enterprise Operations (IT-EOps) oversees the policies contained herein.

  5. Program Owner: IRS Information Technology Enterprise Operations (IT-EOps) Enterprise Technology Implementation Division (ETID) is responsible for the administration, procedures, and updates related to the maintenance and use of SharePoint.

  6. Primary Stakeholders: Any IRS organization utilizing the SharePoint platform, in any capacity, should be considered a stakeholder to the related policies and procedures. Certain IRS organizations work with SharePoint Services to support operations and governance of the platform. These stakeholders include, but are not limited to, the following:

    • Privacy, Governmental, Liaison and Disclosure (PGLD)

    • User and Network Systems (UNS)

    • Enterprise Operations (IT-EOps)

    • Enterprise Life-Cycle Program Management Office (ELC PMO)

  7. Program Goals: The goal of SharePoint Services is to maintain SharePoint operationally, improve capabilities, provide governance, enforce policy, and support user competency and efficiency with SharePoint functionality.

Background

  1. SharePoint Services was established to consolidate infrastructure operations and provide enterprise-wide governance and oversight into SharePoint activities.

Authority

  1. All IRS SharePoint environments are managed exclusively by SharePoint Services. No SharePoint servers or SharePoint Server software will be deployed/installed without prior approval from SharePoint Services.

  2. SharePoint Site Collections will only be created or deleted after approval from SharePoint Services.

  3. Once created, Site Collections are the responsibility of the requesting Business Unit unless ownership is transferred to another Business Unit.

  4. Any request to change, alter, or add to the IRS SharePoint system infrastructure must be reviewed and approved by SharePoint Services.

Responsibilities

  1. The Chief Information Officer (CIO) ultimately is responsible for this program as part of IT-EOps.

  2. SharePoint Services is responsible for implementation, operations, maintenance, management, governance, and enhancement of the SharePoint operating environment including all related hardware, software, and server configuration.

    • SharePoint Services is responsible to support best-practices and operational consistency via the performance of various communication and education activities.

  3. Individual IRS Business Units are responsible for ensuring that SharePoint is used in compliance with IRS policy and provide the primary support for their users.

    • The individual IRS Business Units are responsible to ensure their use of the SharePoint platform complies with all applicable privacy and data protection laws, regulations, and policies.

    • The individual IRS Business Units are responsible to ensure their use of the SharePoint platform complies with applicable sections of the IRS Internal Revenue Manual (IRM) including, but not limited to, the following:

    • IRM 10.8.1, Information Technology Security, Policy and Guidance

    • IRM 10.8.2, Information Technology Security, IT Security Roles and Responsibilities

    • IRM 11.3.12, Disclosure of Official Information, Designation of Documents

Program Management and Review

  1. The Infrastructure Enterprise Steering Committee (IESC) is the source of funding for SharePoint and provides high-level governance for the SharePoint program.

  2. The Enterprise Technology Implementation Division (ETID) is responsible for oversight of SharePoint activities and reports to the IESC.

  3. The SharePoint Governance Board (SPGB) and the Federal (FED) Customer Advisory Board (CAB) provide additional oversight and direction to SharePoint Services.

  4. Most program-level direction, strategy, and change management decision making authority has been delegated to SharePoint Services.

Program Controls

  1. This program uses multiple sources to establish controls. This IRM constitutes one of the controls.

  2. The SharePoint Program Project Management Plan (PMP) (available on SharePoint Central) is a resource guide used to manage the various SharePoint specific duties of governance process, operational controls and other activities at an enterprise level.

  3. The SharePoint Site Management Guide (available on SharePoint Central) specifies required activities, guidance, and policy for the management of individual site collections and sub-sites.

  4. The Self-Services Request Processes - Standard Operating Procedures (SOPs) specify program-level controls relative to the performance of the following SharePoint processes:

    • Site Collection Deployment

    • Site Collection Deletion

    • Site Collection Quota Management

    • Infrastructure Change Requests

    • Deployment Requests

Terms, Definitions, and Acronyms

  1. This program has specific terms and acronyms associated with it.

  2. The table lists commonly used terms and their definitions:

    Term Definition
    Business Unit A generic term used for any IRS organization (office, division, etc.).
    Business Unit Representative (BU Rep) An IRS organization Point-Of-Contact (POC) sometimes referenced as a BU SharePoint Contact that interfaces with, and facilitates communications with, SharePoint Services. These resources are interface with SharePoint Services and perform a variety of activities and roles including: Technical POC, Governance Representative, and Self-Services Reviewer.
    Content Owner An IRS organization specific resource with site or sub-site managerial responsibilities for content. Includes various responsibilities but does not rise to the level of Site Owner.
    Delegated Business Sponsor IRS personnel responsible for the content and configuration (permissions, etc.) associated with a SharePoint site collection from a management or non-technical perspective as necessary to satisfy all administrative, managerial, or governance obligations.
    Manager (or Site Manager) Any of the various SharePoint roles that includes site or sub-site management or administrative responsibilities. Includes Site Collection Sponsor, Site Collection Administrator, and Site Owner.
    Member (or Site Member) End-user of a site who may read or contribute information (items or documents) to the site.
    Out-of-the-Box Refers to software or a tool installed within an environment or platform as-is (with minimal configuration) and without any customizations or significant modifications.
    Owner (or Site Owner) Manages a specific site or sub-site. This individual has similar responsibilities as the Site Collection Administrator but has a more limited scope of responsibility and access. Site Owners ensure that a current SP Privacy Impact Assessment (PIA) is in place for their site, if needed, and that content on their site is Section 508 compliant.
    Section 508 Federal law mandating that all electronic and information technology developed, produced, maintained, or used by the federal government be accessible to people with disabilities.
    SharePoint Analyst Supports SharePoint Services with SharePoint management and administration including user support, communication, processing requests for service, and creating documentation (policy, procedures, or best-practices).
    SharePoint (or Solution) Developer Develops capabilities or solutions within SharePoint using SharePoint Designer (SPD) or custom code. Examples may be custom workflows or customizing the master page/page templates.
    SharePoint Environment An instance of SharePoint including Development, Test, Disaster Recovery, Production, SP Custom, etc.
    SharePoint Farm The collection of servers, software, and other components that provide the SharePoint service on an enterprise-level.
    SharePoint Farm Administrator Maintains, manages, and reports on one or more SharePoint farms. Provides support for any issues with the configuration of SP.
    SharePoint Platform All environments and components comprising IRS SharePoint. Includes Production, Test, Development environments. SharePoint, SharePoint components such as Designer and InfoPath as well as associated third-party add-ons such as Nintex, AvePoint and Quest.
    Site (also includes sub-sites) Sites are a generic term that refer to any site within the Site Collection. Sites could be top-level sites or sub-sites.
    Site Collection Site Collections are a grouping of sites and their sub-sites. Site Collections provide the core elements to all sites within the collection. Examples of these elements include security, navigation, content types, site and list templates, services, etc.
    Site Collection Administrator Responsible for all aspects of the Site Collection and manages core elements (e.g. metadata, navigation, permissions, templates, branding) across all-sub-sites. Provides support for any issues with all sub-sites.
    Site Collection Sponsor The Business Owner of a Site Collection responsible from a non-technical perspective.
    Third-Party Tool Administration Includes management of all third-party components and software used as part of the SharePoint platform. This could include user facing tools that facilitate forms or workflow development, or Administrator facing tools used to assist in SharePoint management and governance. In these cases, the SharePoint Farm Administrator would typically be an Administrator of the third-party tool or component.
    Visitor (or Site Visitor) End-user of a site who has read-only access to information (items or documents) stored within the site.

  3. The table lists commonly used acronyms and their definitions:

    Acronym Definition
    AC Access Controls
    AU Audit Controls
    BU Business Unit (an IRS organizational unit)
    CAB Customer Advisory Board
    CIO Chief Information Officer
    COTS Commercial Off-the-Shelf
    DB Database
    DBA Database Administrator
    ELC Enterprise Life-Cycle
    EOps Enterprise Operations
    ETID Enterprise Technology Implementation Division
    FED Federal
    IESC Infrastructure Enterprise Steering Committee
    IRAP Information Resources Accessibility Program
    IRM Internal Revenue Manual
    IT Information Technology
    ITM Integrated Talent Management
    KISAM (OS GetServices) Knowledge Incident/Problem Service Asset Management
    OOB Out-of-the-Box
    PCA Program Privacy Compliance and Assurance Program
    PCLIA Privacy and Civil Liberties Impact Assessment
    PGLD Privacy, Governmental Liaison and Disclosure
    PIA Privacy Impact Assessment
    PII Personally Identifiable Information
    PMO Program Management Office
    PMP Program/Project Management Plan
    POC Point-Of-Contact
    SA Systems Administrator
    SBU Sensitive But Unclassified
    SCA Site Collection Administrator
    SOP Standard Operating Procedure
    SP SharePoint (any version)
    SP CCB SharePoint Change Control Board
    SPD SharePoint Designer
    SPGB SharePoint Governance Board
    SPUG SharePoint User Group
    UA User Administrator
    UNS User and Network Services
    VPN Virtual Private Network

Related Resources

  1. The SharePoint Program/Project Management Plan (PMP) is a resource for information about this program and is available on SharePoint Central.

  2. SharePoint Central is a site providing a primary method to communicate announcements, procedures, policies, and support articles.

Program Overview

  1. Program-level direction, strategy, and change management decision making authority is delegated to SharePoint Services.

  2. SharePoint Services provides oversight, management, and operational support for IRS SharePoint.

    • SharePoint Services supports all aspects of SharePoint performance including capabilities, interfaces, and impacts.

  3. Business Units are responsible for the proper management, adherence to policy and overall administration of their organization's individual site collections.

  4. This IRM establishes controls that support SP governance and platform management. SharePoint Services established, maintains, and supports this IRM (*IT SharePoint Communications).

Information Technology Governance

  1. SharePoint Governance is a function of SharePoint Services. This is performed via interfaces with various governance organizations including the Infrastructure Executive Steering Committee (IESC).

  2. SharePoint Governance organizations and roles are identified in IRM 2.25.20.3.4.4, SharePoint Governance Roles.

  3. The primary objective of SP governance is to ensure the SharePoint platform is implemented and managed in a manner that follows IRS policy, procedures, and regulations.

  4. SharePoint governance includes the various Business Units to ensure that all stakeholders’ interests are considered.

  5. The specific duties of governance process are documented in the SharePoint Program/Project Management Plan (PMP).

  6. Local Business Unit SharePoint governance should not conflict with IRS SharePoint Services Governance policy, procedures, and regulations. IRS and SharePoint Services governance policy has precedence over local policy. Local policy is the ruling policy for the business unit unless it conflicts with IRS and SharePoint Services policy.

SharePoint Services

  1. The mission of this office is to deliver superior, leading-edge, flexible, and cost-effective collaborative solutions that enable IRS staff to solve business problems and complete activities.

  2. The primary purpose of this office is to perform day-to-day management of the IRS SharePoint platform, including ensuring operational continuity, enforcing policies, providing enterprise-wide governance, performance of all maintenance, and oversight of environment change management. The objectives of this office are to:

    • Maintain SharePoint successful operational up-time and minimize down-time mitigating risks associated with unavailability of the platform.

    • Interface with IRS Information Technology stakeholders, as needed, to perform maintenance, patching, and infrastructure changes.

    • Provide change management oversight for changes to SharePoint infrastructure/configuration or the deployment of customizations (including custom server-side code) to the platform.

  3. The secondary purpose of this office is to define, develop, institutionalize, and maintain proven guidance for the use of SharePoint (and related systems). The objectives of this office are to:

    • Identify strategic direction for SharePoint with consideration of IRS requirements, external process owners, and operational constraints of the platform.

    • Integrate and standardize process and change management activities to promote repeatable processes and consistency.

    • Provide leadership, consultation, and assistance to ensure understanding and effective use policy and guidance by all affected stakeholders.

  4. SharePoint Services does not generally perform site collection administration or other support activities that typically fall to the Site Managers. Exceptions may be made at SharePoint Services’ discretion.

  5. SharePoint Services provides high-level support to the Business Units via a hierarchical model that involves:

    • Users elevating concerns or needs to the appropriate Site Owner or Site Collection Administrator.

    • Site Owners or Site Collection Administrators escalate questions or concerns to the appropriate Business Unit Representatives.

    • Business Unit Representatives contact SharePoint Services for resolution of questions as needed.

Products and Services
  1. SharePoint Services offers the following products and services:

    • SharePoint Platform

    • SharePoint Central

    • SharePoint Related COTS Products

    • SharePoint Records Management

    • SP Central Service Requests

SharePoint Platform
  1. Microsoft’s web-based collaborative platform that integrates with MS Office and Exchange.

  2. The platform provides several areas of functionality:

    • Collaboration functionality supports the completion of activities among physically disconnected resources.

    • Document Management functionality supports the development and control of enterprise content.

    • Permissions functionality supports content access controls including levels associated with reading, editing, and/or deleting content.

SharePoint Central
  1. A SharePoint site providing a primary method to communicate announcements, procedures, policies, and support articles with end-users. Provides a method to submit SP Service Requests including: new site collection deployment, site collection deletion, site collection quota adjustments, infrastructure changes, and site/code deployments.

  2. The SP Central site can be found at: https://sharepointcentral.ds.irnet.gov.

SharePoint-Related Commercial-Off-the-Shelf (COTS) Products
  1. SharePoint Services facilitates the integration of various COTS add-ons for IRS SharePoint to improve and enhance end-user SharePoint experience.

  2. SharePoint Services participates in the offering and management of various COTS products used with SharePoint; a list is available on SP Central.

  3. All SharePoint products and services including any related COTS components within the IRS SharePoint environment must be reviewed and approved by SharePoint Services.

SharePoint Records Management
  1. SharePoint Services supports Privacy, Governmental Liaison and Disclosure (PGLD) in the configuration of SharePoint records management services and functions to support electronic records management per IRM 1.15.6, Managing Electronic Records.

    • SharePoint Services supports PGLD in the configuration of SharePoint components to maintain the security of electronic records per IRM 1.15.6.8, Security of Electronic Records.

    • SharePoint Services supports PGLD in the configuration of SharePoint components to support the retention, and the disposition, of electronic records per IRM 1.15.6.9, Retention and Disposition of Electronic Records.

  2. SharePoint Services supports PGLD in the configuration of SharePoint components, including records management services, to support Privacy and Information Protection per IRM 10.5.2.2.5.2, Shared Storage PIAs.

    • SharePoint Services supports the creation and submission of SharePoint specific Privacy Impact Assessments (SP-PIAs) to Privacy, Governmental Liaison and Disclosure (PGLD) per IRM 10.5.2.2, Privacy and Civil Liberties Impact Assessment (PCLIA).

  3. SharePoint Services supports business units, PGLD, and IT organizations in the design and implementation of records management functionality in SharePoint but does not configure and manage records management schedules including any disposition or retention decisions.

    • SharePoint Services is not responsible for performing records management on behalf of IRS business/operational units or providing records management guidance.

    • SharePoint Services is responsible for providing expertise on how SharePoint capabilities and functions may be used to support records management objectives.

  4. All infrastructure or functional changes made to the IRS SharePoint environment to support records management must be reviewed and approved by SharePoint Services.

SharePoint Central Service Requests
  1. SharePoint Service Requests are available via SP Central and include the following:

    • Site Collection Deployment

    • Site Collection Deletion

    • Site Collection Quota Adjustment

    • Infrastructure Change Requests

    • Deployment Requests

  2. SharePoint Service Requests must be made via SP Central and are subject to the review and approval of the Business Unit SharePoint Representative and SharePoint Services.

    • Certain service requests may require review and approval of the SharePoint Change Control Board (SP CCB), other IRS organizations, or other external IT governance organizations.

SharePoint ServicesTechnical Support
  1. SharePoint Services supports the resolution of certain incident management tickets submitted via Knowledge Incident/Problem Service and Asset Management (KISAM/OS GetServices) from the Business Unit.

  2. SharePoint Services Technical Support is limited to supporting issues associated with the SP environment configuration and/or SharePoint Services managed infrastructure.

  3. Certain Information Technology components affiliated with the SharePoint environment are not supported by the SharePoint Services. This includes, but is not limited to, the following:

    • Active Directory User profiles

    • IRS Network including Virtual Private Network (VPN) connections

    • Users’ systems including browser settings and configurations

  4. In certain situations, SharePoint Services may be able to assist Site Collection Administrators with the recovery of data or content via the Out-of-the-Box (OOB) SharePoint Recycle Bin or the Database (DB) tape backup.

    • Data loss recovery is limited based on the capabilities and durations of the SP Recycle Bin and the DB tape backup methodology.

Roles and Responsibilities

  1. The SharePoint standard roles are common terms that are similar across SharePoint implementations (See IRM 2.25.20.1.6, Terms, Definitions, and Acronyms).

  2. Each organization that deploys SharePoint will use these roles in a generic sense.

  3. There are IRS specific roles established to support IRS SharePoint governance and management.

  4. IRS SharePoint users are expected to obtain training (including security training) appropriate to their level of use of the platform.

SharePoint Services

  1. SharePoint Services manages the SharePoint platform and works with the Business Unit Representatives (BU Reps) or other Points-of-Contacts (POCs) to support SharePoint operations.

  2. The SharePoint Services supports the activities of the various IRS organizational units formalized by SharePoint Self-Services Requests, KISAM/OS GetServices Tickets, Patch Management, Backup/Restore Requests, Operations & Maintenance Services and other ad-hoc SharePoint Service Requests.

  3. The SharePoint Services manages the platform’s infrastructure including all hardware, software and components comprising the SharePoint environment.

  4. The SharePoint Services establishes enterprise IRS SharePoint governance policy and best practices.

SharePoint Farm Administrator
  1. The Farm Administrator is a SharePoint Services specific role.

  2. This role maintains, manages, and reports on one or more SharePoint farms and provides support for any issues with the configuration of SP.

  3. These activities require elevated rights and permissions on a variety of infrastructure components including, but not limited to, the following:

    • SharePoint Farm Administration across all SharePoint environments (Development, Test, Disaster Recovery, Production, SP Custom, etc.) to include permissions to access and manipulate all aspects of all SP Farms and the site collections contained therein.

    • Database Administration across all supporting databases to include permissions to access and manipulate all aspects of the databases comprising the SP environment.

    • Server Administration across all servers and system tools to include permissions to access and manipulate all aspects of the infrastructure comprising the SP environment.

    • Third-Party Tool Administration rights across all third-party components and software used to support and facilitate the use of the SharePoint platform at IRS including, for example, form tools, workflow tools, governance support tools, reporting tools, etc.

  4. Supports the resolution of incident management tickets submitted via KISAM/OS GetServices from the Business Units

  5. Supports general activities associated with SharePoint management and administration including user support, communication activities, processing requests for service, and creating documentation (policy, procedures, governance or best-practices).

  6. Farm Administrators are required to take specialized IT training per IRM 10.8.2, IT Security Roles and Responsibilities, (see Exhibit 10.8.2-1, Roles That Require Special Training) due to their system administrator role.

  7. The Farm Administrator role includes roles defined in IRM 10.8.2, IT Security Roles and Responsibilities, including, but not limited to, the following (this is because the following roles overlap with the Farm Admin role):

    • IRM 10.8.2.2.1.11, Enterprise Architect

    • IRM 10.8.2.2.1.19, Database Administrator (DBA)

    • IRM 10.8.2.2.1.21, Network Administrator

    • IRM 10.8.2.2.1.22, Program Developer/Programmer

    • IRM 10.8.2.2.1.23, Web Developer

    • IRM 10.8.2.2.1.26, System Administrator

    • IRM 10.8.2.2.1.35, System Designer

    • IRM 10.8.2.2.1.36, Technical Support Staff (Desktop)

SharePoint Analyst
  1. This is a SharePoint Services specific role.

  2. This role supports general activities associated with SharePoint management and administration including user support, communication activities, processing requests for service, and creating documentation (policy, procedures, governance or best-practices).

  3. SharePoint Analysts are required to take specialized IT training per IRM 10.8.2, IT Security Roles and Responsibilities (see Exhibit 10.8.2-1, Roles That Require Special Training).

  4. This Includes roles defined in IRM 10.8.2, IT Security Roles and Responsibilities, including, but not limited to, the following (this is because the following roles overlap with the Farm Admin role):

    • IRM 10.8.2.2.1.23, Web Developer

    • IRM 10.8.2.2.1.27, Systems Operations Staff

    • IRM 10.8.2.2.1.29, User Administrator (UA)

    • IRM 10.8.2.2.1.34, Management/Program Analyst

    • IRM 10.8.2.2.1.36, Technical Support Staff (Desktop)

Business Units

  1. Business Units are responsible for ensuring their organization’s SharePoint sites are used in compliance with IRS policy.

  2. Business Units own and manage the content (e.g. document libraries, lists, calendars, etc.) associated with their SharePoint Site Collections.

  3. Business Units are responsible for ensuring their organization’s use of SharePoint is compliant with applicable data management and processing rules, policies, and other applicable IRMs.

  4. Business Units can develop their own supplemental or organization specific policies regarding SharePoint use and management.

    • Participants in the development of any enhanced, supplemental, or organization specific SharePoint policy are determined by the IRS organization developing policy.

    • SharePoint Services recommends that individuals shaping organization specific SharePoint policy be involved and engaged with the SharePoint Services via the various SP governance organizations (for example, the SharePoint Governance Board (SPGB) or the Federal (FED) Customer Advisory Board (CAB)) that provide oversight and direction to SharePoint Services.

    • Any organization specific or enhanced SharePoint policy is scoped and limited to what is supportable by the SharePoint Services from operational, organizational, and governance and policy perspectives. SharePoint Services does not alter its practices or procedures to satisfy Business Unit specific policies or requirements.

  5. This IRM and all SharePoint Services identified policies and procedures takes precedence over any Business Unit specific policy.

Delegated Business Sponsor
  1. The Delegated Business Sponsor of one or more SharePoint Site Collections is responsible for the content stored within the site collections and all operations of the site collections from a non-technical perspective as necessary to satisfy all administrative, managerial, or governance obligations.

  2. Responsible to identify Site Collection Administrators (SCAs) and may rely on the assistance or advice of SCAs, and other IT staff, in the implementation of all responsibilities including:

    • Securing sensitive content from dissemination or alteration.

    • Protecting IRS records from inadvertent removal or deletion.

    • Maintaining operational compliance with all system mandates.

  3. Delegated Business Sponsors shall ensure that personnel within their site collection(s) performing administrative functions (full-control permissions) have, in addition to the other duties they perform, a working knowledge of SharePoint security and how it can be used to improve and enforce content security and records management compliance.

  4. Delegated Business Sponsors are not required to be, but typically are, executive or senior-level federal employees.

  5. Delegated Business Sponsors shall:

    • Ensure their site collections are operated according to applicable security standards and SharePoint best-practices.

    • Ensure their Site Collection Administrators (SCAs) are properly designated and trained (including FISMA specialized security training).

    • Ensure their site collections user permissions models are focused on granting permissions via groups and not directly to individuals, direct permissions should be used when the use of groups is not feasible or practical.

    • Grant access to the system with associated rights and privileges, adhering to the principles of least privilege (giving individuals the least possible privileges necessary for performance of their duties).

    • Re-evaluate access privileges periodically and revoke access in a timely manner upon personnel transfer or termination.

    • Establish and maintain SP PIAs for any site collection(s) storing, or intended to store, Personally Identifiable Information (PII) or Sensitive But Unclassified (SBU) data.

    • Support applicable IRS policies regarding personnel managing, administering, or accessing the system.

    • Assist in the investigation of various site collection use questions and incidents as necessary (site use, permissions, content recovery, etc.).

    • Ensure security parameters are defined according to business need unless system security controls have been established by higher-level authorities such as the Federal Government, the Department of Treasury, IRS policy, or SharePoint Services.

    • In the case of outsourced systems and services, ensure the appropriate and applicable security requirements and controls are integrated into the procurement (or other contract or service provisioning) vehicle.

    • Ensure the site collection certification requirements (PII/SBU, Permissions, Audit Log) are maintained.

Business Unit (BU) Representative (BU Rep)
  1. An IRS organization specific resource that interfaces with, and facilitates communications with SharePoint Services.

  2. Serves as their organizations primary Point-Of-Contact (POC) with SharePoint Services and perform a variety of activities including:

    • Approving requests made by their organization for new Site Collections, Site Collection Deletions, or for additional Site Collection Quota allocations.

    • Approving requests made on behalf of Site Collection Administrators for SharePoint infrastructure changes or custom deployments.

    • Facilitating communications with SharePoint Services for their organization's Site Managers.

    • Facilitating their organization's compliance with SharePoint certification and security training requirements.

    • Generally assisting Site Managers (and users) within their business/organization unit SharePoint support issues and facilitating engagement with SharePoint Services when necessary.

  3. Supports the resolution of incident management tickets submitted via KISAM/OS GetServices from the Business Unit, additional information is discussed in the Site Management Guide on SP Central.

Site Collection Level

  1. Site Collections are a unit within SharePoint that comprise one or more sites in a hierarchy and provides a logical and secure boundary to compartmentalize functionality and content.

  2. Site Collections are a fundamental SharePoint element; they hold all the sites that share a similar theme or purpose.

Site Collection Administrator
  1. Responsible for all aspects of the Site Collection and manages core elements (e.g. metadata, navigation, permissions, templates, branding) across all sub-sites.

    • Two Site Collection Administrators (SCAs) are required to be identified upon Site Collection request/creation.

    • Each site collection is expected to maintain a minimum of two active Site Collection Administrators.

  2. Provides resolution and support for any technical issues with sub-sites, for example; permissions management, sub-site deployment/deletion, restore items from the Site Collection's Recycle Bin, edit search keywords, and manage search scopes.

  3. Support the resolution of support/trouble tickets submitted via KISAM/OS GetServices.

  4. If necessary, Site Collection Administrators (SCA) are responsible for submitting a SP PIA and/or 508 Compliance Package.

  5. Responsible to deploy any sub-sites and assign the corresponding Site Owners with permissions to manage the sites.

  6. Responsibilities of the SCA include:

    • Ensuring only authorized PII/SBU is stored on site collections

    • Managing Site Collection permissions including provisioning, changing or removing user access

    • Providing first-level technical support for all end-user of the site collection

    • Completing site collection certifications including PII/SBU, Permissions, and Auditing

  7. All SharePoint users performing the role of Site Collection Administrator are expected to review SharePoint Services prepared documentation and supporting reference materials distributed via SP Central including, but not limited to, the following:

    • Site Management Guide

    • Self-Services Standard Operating Procedures (SOP)

  8. Site Collection Administrators are expected to take IRS-specific SharePoint training via Integrated Talent Management (ITM). This training will be performed on periodic intervals with a frequency to be determined by SharePoint Services. Self-certification will be used to record compliance with training requirements. ITM courses include:

    • 64060: SharePoint in the IRS

    • 64061: SharePoint Site Management

  9. Business Units may require additional training for their personnel performing the role of Site Collection Administrator as they deem necessary.

SharePoint Users
  1. SharePoint provides three types of users may have access to one or more site collections or sites and can take actions depending on their specific access level.

Owners
  1. Manager of a specific site or sub-site with responsibilities like the Site Collection Administrator, but with a more limited scope of responsibility and access.

  2. Administrative duties and functions may fall under other roles established by the local policies, procedures, and governance for the Business Unit. In these situations, local policies will supersede.

  3. Ensure that a current SP PIA is in place for their site, if needed, and that content on their site is Section 508 compliant.

  4. Manage the site permissions including provisioning, changing or removing user access.

  5. Support the resolution of support/trouble tickets submitted via KISAM/OS GetServices.

  6. Provide support and management for the site including any sub-sites; activities include but are not limited to; permissions management, content management, ensuring that only approved sites are used for PII/SBU, identification and reporting of any out of ordinary or suspicious behaviors.

  7. All SharePoint users performing the role of Site Owners are expected to obtain mandatory training including IRS specific SP training via ITM and review SharePoint Services prepared documentation and supporting reference materials distributed via SP Central including, but not limited to, the following:

    • Site Management Guide

    • Self-Services Standard Operating Procedures (SOP)

Members
  1. End-user of a site who may read or contribute information to the site.

  2. Members are responsible for following all acceptable use policies and ensuring content they contribute is compliant with the applicable SharePoint Privacy Impact Assessment (SP PIA) and Section 508 considerations.

Visitors
  1. End-user of a site who has read-only access to information stored within the site.

Other Roles

  1. IRS SharePoint includes other roles that are ancillary or defined to support IRS specific activities.

Solution Developers
  1. Develops capabilities or solutions within a SharePoint using SharePoint Design components, COTS applications/tools, or custom code. Examples include: custom workflows or customizing the master page/page templates.

  2. Solution Developers are required to take eight hours of specialized IT training per IRM 10.8.2, IT Security Roles and Responsibilities (see Exhibit 10.8.2-1, Roles That Require Special Training).

Site Managers
  1. Site Managers refers to multiple organizational unit roles (Site Collection Sponsors, Site Collection Administrators, and Site Owners) that are expected to support the day-to-day administration and management of the sites that corresponds to their level of involvement.

Content Owners
  1. Content Owners refer to users that perform various functions with a Site or sub-site. This includes, but is not limited to, the following types of activities:

    • Add, delete, or modify content within SharePoint components (Web Parts, Pages, Lists, etc.) without intervention from other users

    • Approve permission changes or access requests for their sites (or sub-sites)

    • Provide best practice utilization guidance to site users

    • Monitor sites to ensure they are used in an acceptable, professional manner and content is appropriate

    • Ensure SBU/PII data is handled according to IRS privacy policies

    • Ensure content meets section 508 accessibility requirements

    • Address, report, or resolve usage concerns or violations

    • Support the resolution of support/trouble tickets submitted via KISAM/OS GetServices

SharePoint Governance Roles
  1. IRS SharePoint governance strategy involves the creation of several IRS specific roles.

  2. These roles support SharePoint governance and the implementation of best-practices.

  3. These roles provide various levels of support to Site Managers and may have direct or indirect involvement with the management of Site Collections and sub-sites.

SharePoint Governance Board (SPGB) Representatives
  1. The SPGB provides policy oversight to SharePoint Services and prioritizes the activities subject to the discretion and/or approval of the IESC and/or ETID.

  2. The SPGB identifies guiding principles for current and future direction.

  3. The organization is comprised of representatives from the various IRS organizations.

Federal Customer Advisory Board (FED CAB) Representatives
  1. The FED CAB provides recommendations to the SPGB regarding SharePoint policy, strategy, and communications.

  2. The organization is comprised of representatives from the various IRS organizations.

SharePoint Change Control Board (SP CCB)
  1. The SP CCB reviews proposed changes to the SharePoint infrastructure and environment.

  2. The SP CCB membership meets to review and discuss the request changes.

  3. The SP CCB Chairman, with guidance from the SP CCB members, determines if each requested change can and should be implemented.

  4. The organization is comprised of SharePoint Services employees and contractors from the various IRS organizations.

SharePoint User Group (SPUG)
  1. The SPUG is a community of practice that conducts open calls with any interested SharePoint users to facilitate communications, best practices, and training.

  2. The organization is comprised of representatives from the various IRS organizations.

  3. Participation is open to any interested IRS user of SharePoint regardless of permission level.

Business Unit Help Desk Assignment Group
  1. Members in this group help resolve KISAM/OS GetServices submitted SharePoint issues including incidents and inquiries, unrelated to the infrastructure. This includes, but is not limited to, the following:

    • Business Unit specific SharePoint configurations and customizations

    • Questions about SharePoint functionality addressed via training

  2. This group is comprised of representatives of the various IRS organizational units.

  3. Business Units may also have their own KISAM/OS GetServices membership group.

Business Unit Technical Point-of-Contact (POC)
  1. IRS Business Unit identified Technical Point-of-Contact (POC) for SharePoint user questions and concerns.

  2. The Technical POCs may be different resources than the Business Unit SharePoint Representatives or they may overlap (in whole or part).

  3. These Technical POCs help address end-user technical questions and may provide support and insight to SharePoint best-practices.

Business Unit Service Request Reviewers
  1. Service Request Reviewers approve SharePoint Service Requests on behalf of the Business Unit.

  2. The Reviewers may be different resources than the Business Unit SharePoint Representatives or they may overlap (in whole or part).

SharePoint Security

  1. SharePoint Security responsibilities and activities are decentralized and performed hierarchically by various IRS organizations and SharePoint roles.

SharePoint Services

  1. SharePoint Services is responsible for establishing policies, providing direction, and communicating guidance for security of the SharePoint platform. This includes, but is not limited to, the following:

    • Providing guidance for site collection creation, access and group controls

    • Establishing security policy for the following:

      • Purpose (or reason for some policy, guidance, or recommendation)

      • Scope

      • Roles/Responsibilities

      • Executive Sponsorship

      • Compliance

    • Identifying information site account types to support organizational missions/business functions

    • Providing guidance to site managers for group and role membership

    • Requiring approval by the Business Unit (Delegated Business Sponsors or Business Unit Representatives) for requests to create sites for which they are responsible

    • Establishing a process for reissuing shared/group account credentials when individuals are removed from the group

  2. The SharePoint Program/Project Management Plan (PMP) is a resource for information about this program and is available on SharePoint Central.

Business Units

  1. The individual Business Units are responsible for applying and enforcing security policies, guidance, and recommendations across all owned site collections. This includes, but is not limited to, the following:

    • Ensure implementation of security controls for protecting sensitive (i.e., SBU, PII) IRS data residing in the BU’s SharePoint sites and collaborative environments.

    • Ensure all applicable security training requirements are met by employees managing SharePoint.

    • Following any SharePoint relevant Access Controls (AC) and enhancements including:

      • IRM 10.8.1.4.1.1 Section (1 sub-sections b, d, e, f), (2), (3), (4), (5), (6), (7, (8), and (9)

      • IRM 10.8.1.4.1.1.1 Sections (1) and (6)

      • IRM 10.8.1.4.1.1.7 All sections

      • IRM 10.8.1.4.1.1.11 All sections

      • IRM 10.8.1.4.1.2 All sections

    • Following any SharePoint relevant Audit Controls (AU) and enhancements including:

      • IRM 10.8.1.4.3.1 All sections

      • IRM 10.8.1.4.3.1.1 All sections

      • IRM 10.8.1.4.3.2 All sections

    • Assign Site Managers to manage and perform the various security activities.

Site Managers

  1. Site Managers (Site Collection Sponsors, Site Collection Administrators, and Site Owners) are responsible for performing recommended security practices and activities for all assigned SharePoint sites (Site Collections or sub-site). This includes, but is not limited to, implementing security controls and enhancements.

  2. Site Managers shall be assigned by the Business Units.

Compliance with IRS Policies

  1. SharePoint use is subject to numerous policies and direction established by the Federal Government, the Department of Treasury, and the IRS. The following sections are IRS-specific and are not intended to absolve users from adherence from following higher-level governance, direction, mandates, etc.

General

  1. Proper operation of the SharePoint environment requires specific governance, numerous policies and processes, and artifacts to guide the actions of SharePoint program staff, Business Units, and end users.

Process Owners

  1. SharePoint Services interfaces with process owners to ensure IRS policies are complied with in the IRS SharePoint environment. The process owners include:

    • Privacy, Governmental Liaison and Disclosure (PGLD) – Determines the PII/SBU data policies all SharePoint site owners and users must follow and identifies the records management configuration and policies that must be supported by SharePoint to support in-place and centralized records management.

    • Information Resources Accessibility Program (IRAP) – Determines the accessibility requirements which apply to the IRS SharePoint platform.

    • CyberSecurity – Establishes baseline security controls and configurations for servers and guidance for all servers and network components comprising the IRS SharePoint platform.

    • Enterprise Services/Enterprise Architecture – Develop the technical architecture and direction, including product selection, in coordination with SharePoint Services.

Personally Identifiable Information (PII)/Sensitive But Classified (SBU) Data

  1. The storage of PII/SBU in SharePoint is authorized provided approval from PGLD has been obtained (prior to storing PII/SBU data) in the form of a current SP PIA.

    • SharePoint users are required to ensure that sensitive information is protected from unauthorized disclosure and access. This includes taxpayer information as well as other non-tax information, documents, records and processes.

  2. SharePoint Services supports the creation and submission of SharePoint specific Privacy Impact Assessments (SP PIA) to Privacy, Governmental Liaison and Disclosure (PGLD) per IRM 10.5.2.2, Privacy and Civil Liberties Impact Assessment (PCLIA).

  3. SharePoint Services is not responsible for the monitoring of SP PIA status and will rely on PGLD to notify SharePoint Services if a site is not in compliance.

  4. The PII/SBU compliance status of a site collection must be reviewed and certified periodically by the Site Collection Administrators, per the IRS Site Management Guide in accordance with PGLD requirements.

  5. Failure of the Business Unit and Site Collection Administrators to certify by the deadline could lead to the site being disabled or removed at the discretion of SharePoint Services and/or PGLD.

  6. The storage of PII/SBU data is not permitted within SharePoint Development or Test environments.

Permissions

  1. Permissions should be assigned via SharePoint Groups. Direct permissions should be used when the use of groups is not feasible or practical (typically in situations when item level permissions are used as part of an automated tool). Permissions best-practices are discussed within the IRS Site Management Guide.

  2. Site Collection permissions must be reviewed and certified periodically by the Site Collection Administrators, per the IRS Site Management Guide according to guidelines determined by SharePoint Services, approved policies, or any applicable IRMs.

  3. Failure to certify by the deadline could lead to the Site Collection being disabled or removed at the discretion of SharePoint Services and/or CyberSecurity.

  4. Site Collection Administrators and Owners are discouraged from making any changes to the base SP Permissions model including customizations to the Out-of-the-Box (OOB) permission levels.

  5. All infrastructure changes made to IRS SharePoint to support permissions management are reviewed and approved by SharePoint Services.

Audit Logs

  1. Unless otherwise authorized by the SharePoint Services, all Site Collections must have auditing of permission changes enabled with at least a 120-day audit log retention. Site Collection Administrators are free to enable additional auditing and specify a longer retention time.

  2. Audit Logs must be reviewed and certified periodically by the Site Collection Administrators, per the IRS Site Management Guide according to guidelines determined by SharePoint Services, approved policies, or any applicable IRMs.

  3. Failure to certify by the deadline could lead to the site being disabled or removed at the discretion of SharePoint Services and/or CyberSecurity.

  4. The individual IRS Business Units are responsible to ensure their SharePoint permissions and permissions auditing complies with applicable sections of the IRS IRM including; but not limited to, the following:

    • IRM 10.8.1, Information Technology Security, Policy and Guidance

    • IRM 10.8.2, Information Technology Security, IT Security Roles and Responsibilities

Records Management

  1. Records stored in SharePoint must be managed in accordance with PGLD guidelines as documented in IRM 2.25.20.2.2.1.4, SharePoint Records Management and IRM 1.15, Records and Information Management.

Configuration Standards

  1. SharePoint Technical architecture is defined and managed by SharePoint Services in consideration of guidance and direction provided by stakeholders.

  2. All changes to the SharePoint infrastructure, the deployment of code, and the moving of sites between environments are managed by the SharePoint Change Management process (see Self-Services Standard Operating Procedures (SOP) for additional details).

  3. All SharePoint, and related, configuration changes must be reviewed and approved by SharePoint Services.

SharePoint Environments

  1. SharePoint Services will maintain Development, Test, Disaster Recovery, Production, and SP Custom, etc. environments as required based on the established technical architecture.

  2. SharePoint Services establishes thresholds, limits, or other throttles to functions within the IRS SharePoint environment to reduce operational risks to uptime targets.

  3. Any request to remove, change, or modify the environmental thresholds, limits, or throttles must be reviewed and approved by SharePoint Services via the SharePoint Change Management process (see Self-Services Standard Operating Procedures (SOP) for additional details).

Site Collection Types

  1. SharePoint Services predefines Site Collection types to ensure that deployed sites are consistent with applicable design standards, accessibility regulations, and SharePoint recommendations.

  2. The various types of Site Collections are defined within the IRS Site Management Guide.

Servers

  1. SharePoint servers and all related server configurations are managed by SharePoint Services.

  2. Requests to change configurations of components must be reviewed and approved by SharePoint Services via the SharePoint Change Management process (see Self-Services Standard Operating Procedures (SOP) for additional details).

Infrastructure

  1. All SharePoint infrastructure, including physical or virtual components, or any interfacing software is managed by SharePoint Services.

Auditing Requirements

  1. Infrastructure and configuration of SharePoint Technical environment is audited in compliance with applicable sections of the IRS IRM including; but not limited to, the following:

    • IRM 10.8.1, Information Technology Security, Policy, Guidance

    • IRM 10.8.6.3.3, Audit and Accountability

Disaster Recovery

  1. The IRS SharePoint Backup Plan provides additional details on the IRS SharePoint Disaster Recovery function.

  2. Any external connections made to IRS SharePoint may require manual configuration disaster recovery operation.

  3. External connections must be configured within the DR environment for disaster recovery operations to perform automatically.

  4. External connections must be reviewed and approved by SharePoint Services prior to implementation.

Customization and Configuration of SharePoint

  1. The SharePoint environment configuration is managed by Change Management practices (see Self-Services Standard Operating Procedures (SOP) for additional details).

  2. SharePoint Services has established a set of practices and procedures to follow in performing customization activities.

  3. All infrastructure changes or customizations must be approved and managed by SharePoint Services.

SharePoint Services Maintenance and Configuration

  1. All maintenance to the IRS SharePoint environment (including patching and upgrades) is performed by SharePoint Services in accordance with the documented Change Management practices (see Self-Services Standard Operating Procedures (SOP) for additional details).

Deployment of Server-Side Code of Components

  1. Changes to the SharePoint infrastructure, the deployment of server-side managed code, and the moving of sites between environments are performed via the SharePoint Change Management process documented on SP Central.

  2. SharePoint Services has established a set of practices and procedures that must be followed in performing customization activities.

    • Proposed server-deployed code should be vetted by SharePoint Services prior to analysis and development.

    • To submit a proposed concept for consideration SP users will create an entry on the SharePoint Registry.

  3. Server-deployed custom code shall be developed consistent with the IRS SharePoint Development Standard available on SharePoint Central.

  4. All server-deployed custom code developed by business units with the intention of deployment to the IRS SharePoint environment shall be developed in accordance to IRS Enterprise Life-Cycle (ELC) methodology (and documentation requirements).

  5. SharePoint Services must approve all proposals for server-deployed custom code prior to development (via the SharePoint Change Control Board (SP CCB)).