Case Study: SharePoint Security Audit & Reporting
Client overview
Mosman Municipal Council is a local government authority on Sydney’s Lower North Shore, responsible for delivering community services, infrastructure and local governance for residents, businesses and visitors. Council staff rely on modern digital tools for collaboration, document management and reporting across planning, environment, community services and corporate functions.
With growing reliance on Microsoft 365 and SharePoint Online, Mosman Council sought a deeper understanding of its current SharePoint security posture, permissions model and potential risks, and required clear, actionable reporting to support governance and continuous improvement.
Challenges
- Complex SharePoint environment
  Multiple SharePoint sites, libraries and Teams workspaces had evolved over time, each with different ownership, permission structures and sharing practices.
- Limited visibility of access and sharing
  IT and information owners needed better insight into who could access sensitive content, where external sharing was enabled and where legacy permissions were no longer appropriate.
- Compliance and governance pressures
  As a local government agency, Mosman Council is subject to strict information management, privacy and record‑keeping obligations, requiring strong controls and auditable evidence of how information is protected.
- Need for clear, business‑friendly reporting
  Council leadership and information owners needed reports that translated technical SharePoint security data into clear, understandable findings and recommendations.
Our solution
Cloud Solution IT delivered a targeted SharePoint security audit and reporting engagement, giving Mosman Council a clear view of its current state and a roadmap for tightening security and governance.
- Discovery and scoping
  Worked with the IT team and key stakeholders to identify priority SharePoint sites and workloads, including those containing sensitive or business‑critical information. Defined audit scope, success criteria and reporting requirements.
- SharePoint permissions and access review
  Analysed site collections, sites, libraries and lists to identify permission inheritance, unique permissions, sharing links and external user access. Highlighted areas where permissions were overly broad, inconsistent or misaligned with intended ownership.
- Security configuration assessment
  Reviewed key Microsoft 365 and SharePoint security settings, including sharing policies, site sharing defaults, guest access settings and integration with conditional access and identity protection controls.
- Audit of external and anonymous sharing
  Identified where content was shared externally, which domains and users had access, and where anonymous or legacy sharing links could be tightened or removed in line with Council policy.
- Security findings and risk classification
  Categorised findings by risk level (high, medium, low) and mapped them to concrete issues such as excessive permissions, orphaned access, legacy groups and ad‑hoc sharing practices.
- Clear, actionable security report
  Produced a structured security report summarising the current state, key risks, and recommended remediation steps. Included visuals and examples that could be easily understood by both IT and non‑technical stakeholders.
- Roadmap and quick wins
  Provided a prioritised roadmap of remediation actions, highlighting quick wins such as revoking unused external access, standardising sharing defaults and cleaning up legacy permission structures.
Client experience
“SharePoint had grown quickly for us, and while it was working day to day, we knew we needed a clearer picture of how secure and well‑governed our environment really was. Cloud Solution IT gave us exactly that – a detailed, but easy‑to‑understand view of our current SharePoint security, who had access to what, and where our biggest risks were. The final report and recommendations were practical, prioritised and aligned with our governance requirements. We now have a clear plan of action and much more confidence in how our information is secured and managed.”
IT Manager, Mosman Council
Outcomes
- Improved visibility and control
  IT and information owners now have a clear view of SharePoint permissions, external sharing and high‑risk areas, enabling more proactive management of access.
- Stronger governance and compliance alignment
  Recommended changes support Mosman Council’s obligations around privacy, records management and information security, reducing the risk of unintended exposure.
- Prioritised remediation roadmap
  A practical, phased plan allows Council to address the most critical issues first while progressively tightening security and standardising practices.
- Better communication with stakeholders
  Clear reporting and summaries make it easier to brief management and business units on the state of SharePoint security and the value of ongoing improvements.
