
Real world SharePoint information governance a case study - published

Many organizations recognize the need to establish a governance plan in order to “control the chaos” within their SharePoint portals.  But, how do businesses truly do this in the real world?  How do they develop a plan, and once they have one, put the policies and procedures which make up the plan actually into practice?  What are typical challenges and what are real viable solutions?  How do you move an organization to a more well-governed state when you already have a large unorganized content repository (SharePoint or otherwise)?  How much responsibility do you impose on your business users, and how much do you control centrally?  This session will look at solutions to these questions (and more) through two real life case studies: one of a global financial institution and the other of a Fortune 100 energy firm.  These case studies will look at how they developed, implemented and promoted information governance policies and how they put them into practice for SharePoint in their enterprises.  This session will also look at real software solutions (that you can build) within SharePoint to facilitate a business’ evolution from using a loosely-managed file repository to collaborating within a strongly-governed corporate information portal.

Published in: Software

  1. Real-World SharePoint Information Governance: A Case Study. Antonio Maio. Email: Antonio.maio@protiviti.com Blog: www.trustsharepoint.com Slide share: http://www.slideshare.net/AntonioMaio2 Twitter: @AntonioMaio2
  2. © 2016 Protiviti Consulting Private Ltd. An Equal Opportunity Employer. Information Governance: "Information Governance means setting out the structures, people, policies, procedures and controls necessary to manage information and support an organization's immediate and future requirements" - Wikipedia
  3. Standards for Managing and Using Information. Immediate and Future Requirements:
     • Define Roles & Responsibilities
     • Document End User Needs
     • Regulatory Compliance Requirements
     • Legal Department Requirements (Records, eDiscovery, legal hold)
     • Risk Management & Mitigation
     • Administrative Needs
     • Environmental Needs
     • Operational Needs
     and on and on…
  4. Developing a SharePoint Governance Plan: Key Areas to Focus
     • Define Information Architecture/Structures (Includes Metadata Taxonomy)
     • Define Security Groups, Permissions & Roles for Assigning Permissions
     • Define Roles, Responsibilities, Authority
     • Determine Training Needs; Plan to Educate User Community
     • Define Rules for Site Creation, Management, Decommissioning
  5. So you have a plan! Now what?
  6. Governance is really about Organizational Change
  7. Planning, Thought, Creativity Hard Work
  8. OIL AND GAS: Information Governance Case Study 1
  9. Client Profile: Oil and Gas Industry
     • Houston based
     • 3500 Employees
     • Fortune 70 Company
     • Heavily Regulated: PHMSA, DOE, DOT
     • Most Sensitive Information: Human Resources Data (Salaries, Bonuses, Stock Grants)
  10. Information Governance Journey
     • Going through Enterprise-wide SharePoint 2013 migration
     • Building department based site collections
     • Security was top of mind
     • They equated good security with good information governance
     • Other drivers: records management, versioning, roles
     • Executive Sponsorship: VP of Information Services
     • Enterprise Migration to SharePoint 2013
     • Information Governance Process
  11. Information Governance Journey
     Governance Committee – Define Vision & Goals
     • Establish a SharePoint Governance committee or working group
     • Define leadership and ownership of the overall ECM vision for the organization
     • Establish a meeting cadence & define a vision, with goals & objectives
     • Define a charter with committee responsibilities
     Roles & Responsibilities
     • Define the roles & responsibilities related to the design, administration & adoption of the ECM environment
     • Including executive, technical/administrative and business leadership roles
     • Direct usage and growth of SharePoint within the organization
  12. Information Governance Journey
     Site Architecture, Configuration & Processes
     • Define overall SharePoint site structure for the organization
     • Include site owner responsibilities
     • Site monitoring, decommissioning and management processes
     Operational and IT Administration
     • Identify operational & IT management processes
     • Include maintenance, disaster recovery, backup and storage needs
     • Define permissions required for each IT role
     Content Management & Regulatory Compliance
     • Define & identify processes for content management
     • Records management, retention, archiving
     • Requirements to meet regulatory compliance standards within SharePoint
     Social Collaboration
     • Define usage of personal sites, newsfeeds, blogs, and social collaboration tools like Yammer
  13. Information Governance Journey
     Security & Controls
     • Define security and monitoring controls
     • Include farm level controls, user authentication, authorization/permissions, security policies, identity management, automated monitoring/alerts, access to content, etc.
     Training
     • Identify immediate and ongoing SharePoint training needs for diverse audiences
     • Include end users, power users, site owners, administrators
     • Include specialty areas like Business Intelligence, Responsive Design and building Workflow processes.
     User Adoption
     • Define & identify needs for increasing SharePoint user adoption
     • Include topics like good user experience design, a robust information architecture and clear role/responsibility definition
  14. Information Governance Site & Notebook: Using a SharePoint Information Governance site, OneNote and the Protiviti Information Governance Template allows stakeholders to actively participate in developing the information governance plan.
  15. Information Governance Site & Notebook: Develop goals & objectives, vision, form the governance committee, develop governance committee charter with responsibilities + tactical meeting details.
  16. Information Governance Site & Notebook: Identify roles and responsibilities, environmental structure, server configuration and operational concerns, authentication & analyze support structure, etc…
  17. Success Criteria and Outcomes
     • Timing was critical
     • Occurred during Enterprise-Wide SharePoint Migration
     • Business departments are already engaged
     • Heavy IT involvement when implementing the plan
     • Provide training, implement controls, automate through workflows, work with business groups, regular security reviews
     • Organizational change occurred one department at a time – manageable
     • Centralized permission management and site creation
     • Planning Process was very interactive
     • SharePoint Site & OneNote allows us to develop the plan during committee meetings
     • Defined data owners for each department
     • Defined permission monitoring and regular re-certification process
     • Defined/communicated responsibilities
  18. Information Governance Plan: Still had to produce that document!
  19. FINANCIAL SERVICES: Information Governance Case Study 2
  20. Client Profile: Financial Services
     • New York based
     • 4000 Employees
     • Fortune 700 Company
     • SEC Regulated
     • Most Sensitive Information: Material Non-Public Information (MNPI)
     Information is material if there is a substantial likelihood that a reasonable investor would consider it important in deciding whether to buy, hold or sell a security. Information is non-public if it has not been publicly disclosed.
  21. Information Governance Journey
     • Failed an SEC Audit related to access control on file shares and sites, specifically for MNPI data
     • 2200 Fileshares and 1600 SharePoint Sites
     • Permissions management was delegated to business users
     • Already had a SharePoint Governance Plan
     • Didn’t apply to those file shares and sites
     • Executive Sponsorship: Head of Compliance
     • Remediate the security issues
     • Take measures to prevent issues in the future
     …and do it all within 3 months
  22. Step 1: Identify Data Owners
     • Gathered list of File Shares and Sites
     • Reporting to determine obvious ownership
     • Result: 400 file shares or sites claimed (approx. 200 file shares, 200 sites)
     • Ensure there are always 2 data owners for each
     • Work directly with data owners to review and certify permissions
     • Get documented confirmation of review/certification
     • What about the remaining 2000 file shares, 1400 sites?
  23. SharePoint Site to Claim Ownership
     • Make it Easy! Calculated Column, Content Editor Web Part & JavaScript to Auto-Populate Claim Form
     • Make it Easy! Views to Review ‘My Validations’ (claims I’ve submitted)
     • Make it Easy! Use the right language for your business users. Provide an FAQ
     • 10,018 Ownership Claims (7400 in first 5 days)
  24. Step 2: Identify MNPI
     • Cannot be automated
     • Make it part of the claim form:
     • Does this site contain MNPI?
     • No default answer, but provide options: Yes, No, Uncertain
     • If there is any doubt, assume it does contain MNPI
     Material Non-Public Information (MNPI): Information is material if there is a substantial likelihood that a reasonable investor would consider it important in deciding whether to buy, hold or sell a security. Information is non-public if it has not been publicly disclosed.
  25. Step 3: Review and Certify Permissions
     • Data owners must review permissions and either:
       • Certify they are correct (provide email that they certify)
       • Make changes and then certify
       • Request help to make changes and then certify
     • Give them a deadline
     • Check up regularly
     • Make sure you have some senior pressure to get it done
     • Document the process heavily
  26. Step 4: Shutdown Sites Not Claimed/Certified
     • Pick a date - Give plenty of warning!
     • File shares are easy – add a deny permission
     • Site Collections are easy – implement the lock feature
     • Sites/Subsites are not easy – remove all permissions recursively
  27. Step 4: Shutdown Sites Not Claimed/Certified
     • Scripted the SharePoint permission removal process with PowerShell
     • As part of the script, documented permissions before removing them
     • Be Prepared for Backlash
     • Will help to define data owners
     • Define a process by which you can restore permissions if needed – give business an SLA (sites will be restored within 6 hrs, 12 hrs, etc.)
     • Script process to restore permissions
     • Document what you restore
  28. Step 5: Implement Governance System
     • Implement a third party application to centralize requests for access to information
     • File shares and Sites
     • Approvals requested of individual’s manager and data owner
     • Access granted automatically once approvals received
     • Perform permission recertification every 6 months
     • Automate notifications & reminders to data owners going forward of recertification activities
     • All access requested/granted/denied is monitored and logged
  29. Success Criteria and Outcomes
     • Top level support
     • Mandate from Head of Compliance to get it done!
     • All file shares and sites remediated, except 76 file shares and 90 sites
     • Process driven by InfoSec team
     • Supported by SharePoint Administration team
     • Started with Data owners
     • Organizational change started from data owners
     • Defined permission monitoring and regular re-certification process
     • Defined/communicated responsibilities
  30. Closing
     • Going through an Information Governance plan process is important …Organizational change is critical!
     • Consider how organizational change happens in your organization
     • Consider data ownership as a method of kick starting the process
     • Consider a permission monitoring and regular permission recertification process
  31. Thank You! Antonio Maio. Email: Antonio.maio@protiviti.com Blog: www.trustsharepoint.com Slide share: http://www.slideshare.net/AntonioMaio2 Twitter: @AntonioMaio2
  32. Appendix – Claim Site JavaScript
     • Select the list
     • From the Ribbon click on Form Web Parts
     • Select Default New Form
     • Click on Add a Web Part
     • Select Media and Content
     • Add the Content Editor
     • Edit the Content Editor web part and give it a link to the JavaScript file
     • Place the following JavaScript in the Site Assets library

[javascript]
<script type="text/javascript" src="../../Javascript/jquery-1.3.2.min.js"></script>
<script type="text/javascript">
// Get all the internal field names from the form
var fields = init_fields();
// Get all query string parameters from the URL
var queryStr = getQueryParameters();

// Is the parameter "FileShareID" defined - if so then auto-assign the value from the URL to the field on the form.
// decodeURIComponent (not decodeURI) is used so encoded reserved characters in the value are decoded too;
// .val() sets the input's text value, so the URL content is never interpreted as HTML.
if (queryStr['FileShareID'] != undefined) {
  var properVal = decodeURIComponent(queryStr['FileShareID']);
  $(fields['FileShareID']).find('input').val(properVal);
}
// Is the parameter "ShareName" defined - if so then auto-assign the value from the URL to the field on the form
if (queryStr['ShareName'] != undefined) {
  var properVal = decodeURIComponent(queryStr['ShareName']);
  $(fields['ShareName']).find('input').val(properVal);
}
// Is the parameter "UNCPath" defined - if so then auto-assign the value from the URL to the field on the form
if (queryStr['UNCPath'] != undefined) {
  var properVal = decodeURIComponent(queryStr['UNCPath']);
  $(fields['UNCPath']).find('input').val(properVal);
}

// Retrieve all of the parameters passed on the URL
function getQueryParameters() {
  var qObj = {};
  var urlSearch = window.location.search;
  if (urlSearch.length > 0) {
    var qpart = urlSearch.substring(1).split('&');
    $.each(qpart, function(i, item) {
      // Split on the first "=" only, so a value that itself contains "=" is kept whole
      var eq = item.indexOf('=');
      if (eq < 0) return;
      qObj[item.substring(0, eq)] = item.substring(eq + 1);
    });
  }
  return qObj;
}

// Retrieve all the internal field names on the form.
// The offsets depend on the exact spacing of the comment SharePoint renders in each form cell.
function init_fields() {
  var res = {};
  $("td.ms-formbody").each(function() {
    if ($(this).html().indexOf('FieldInternalName="') < 0) return;
    var start = $(this).html().indexOf('FieldInternalName="') + 19;
    var stopp = $(this).html().indexOf('FieldType="') - 7;
    var nm = $(this).html().substring(start, stopp);
    res[nm] = this.parentNode;
  });
  return res;
}
</script>
[/javascript]
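
The Step 4 process from slides 26 and 27 (document permissions, remove them recursively, restore on request), sketched as an added example that is not the presenter's script. It assumes an on-premises SharePoint Server farm with the Microsoft.SharePoint.PowerShell snap-in and an account that is a site collection administrator; the site URL, CSV path and function names are placeholders chosen for illustration.

```powershell
# Added example (not from the deck). Run on a farm server as a site collection administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-WebPermissionRecord([Microsoft.SharePoint.SPWeb]$Web) {
    # One row per web / principal / permission level, recursing into subsites.
    foreach ($ra in $Web.RoleAssignments) {
        $isGroup = $ra.Member -is [Microsoft.SharePoint.SPGroup]
        foreach ($role in $ra.RoleDefinitionBindings) {
            if ($role.Type -eq 'Guest') { continue }  # "Limited Access" is system-managed
            [pscustomobject]@{
                WebUrl = $Web.Url; Unique = $Web.HasUniqueRoleAssignments; IsGroup = $isGroup; Role = $role.Name
                Principal = if ($isGroup) { $ra.Member.Name } else { $ra.Member.LoginName }
            }
        }
    }
    foreach ($sub in $Web.Webs) { Get-WebPermissionRecord $sub; $sub.Dispose() }
}

function Remove-WebPermission([Microsoft.SharePoint.SPWeb]$Web, [switch]$IsChild) {
    # Detach only the top web from its parent; inheriting subsites follow the emptied web above them.
    if (-not $IsChild -and -not $Web.HasUniqueRoleAssignments) { $Web.BreakRoleInheritance($true) }
    if ($Web.HasUniqueRoleAssignments) {
        for ($i = $Web.RoleAssignments.Count - 1; $i -ge 0; $i--) { $Web.RoleAssignments.Remove($i) }
    }
    foreach ($sub in $Web.Webs) { Remove-WebPermission $sub -IsChild; $sub.Dispose() }
}

function Restore-WebPermission([string]$CsvPath) {
    foreach ($g in (Import-Csv $CsvPath | Group-Object WebUrl)) {
        $web = Get-SPWeb $g.Name
        if ($g.Group[0].Unique -eq 'False') {
            if ($web.HasUniqueRoleAssignments) { $web.ResetRoleInheritance() }  # inherited before shutdown
        } else {
            foreach ($row in $g.Group) {
                $p = if ($row.IsGroup -eq 'True') { $web.SiteGroups[$row.Principal] } else { $web.EnsureUser($row.Principal) }
                $ra = New-Object Microsoft.SharePoint.SPRoleAssignment($p)
                $ra.RoleDefinitionBindings.Add($web.RoleDefinitions[$row.Role])
                $web.RoleAssignments.Add($ra)
            }
        }
        $web.Dispose()
    }
}

$target = Get-SPWeb 'https://portal.example.com/sites/dept/unclaimed'          # placeholder URL
$csv = "C:\GovernanceAudit\unclaimed-$(Get-Date -Format yyyyMMdd-HHmmss).csv"  # placeholder path
Get-WebPermissionRecord $target | Export-Csv $csv -NoTypeInformation           # document first
if (@(Import-Csv $csv).Count -gt 0) { Remove-WebPermission $target }           # remove only once the record exists
$target.Dispose()
```

This covers site and subsite role assignments only; lists, libraries and items with their own unique permissions would need the same record-then-remove treatment. Calling `Restore-WebPermission` with the saved CSV path re-applies what was recorded, and the CSV itself serves as the documentation of what was removed and restored.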
