Real world SharePoint information governance a case study - published

Real-World SharePoint Information Governance A Case Study

Antonio MaioEmail: [email protected]: www.trustsharepoint.comSlide share: http://www.slideshare.net/AntonioMaio2Twitter: @AntonioMaio2

© 2016 Protiviti Consulting Private Ltd. An Equal Opportunity Employer.

Information Governance

Information Governance means setting out the structures, people, policies, procedures and controls necessary to manage information and support an organization's immediate and future requirements

-Wikipedia


Standards for Managing and Using InformationImmediate and Future Requirements

• Define Roles & Responsibilities• Document End User Needs• Regulatory Compliance Requirements• Legal Department Requirements

(Records, eDiscovery, legal hold)

• Risk Management & Mitigation• Administrative Needs• Environmental Needs• Operational Needs

and on and on…


Define Information Architecture/Structures

(Includes Metadata Taxonomy)

Confidential

Developing a SharePoint Governance Plan Key Areas to Focus

Define Security Groups, Permissions & Roles for Assigning Permissions

Define Roles, Responsibilities, Authority

Determine Training Needs; Plan to Educate User

Community

Define Rules for Site Creation, Management, Decommissioning


So you have a plan!

Now what?


Governance is really aboutOrganizational Change


Planning, Thought, Creativity

Hard Work


OIL AND GASInformation Governance Case Study

1


Client Profile: Oil and Gas Industry Houston based 3500 Employees Fortune 70 Company Heavily Regulated: PHMSA, DOE, DOT Most Sensitive Information:

Human Resources Data Salaries, Bonuses, Stock Grants


Information Governance Journey Going thru Enterprise-wide SharePoint 2013 migration

Building department based site collections

Security was top of mind They equated good security with good information governance Other drivers: records management, versioning, roles

Executive Sponsorship: VP of Information Services Enterprise Migration to SharePoint 2013 Information Governance Process


Information Governance Journey

Governance Committee – Define Vision & Goals Establish a SharePoint Governance committee or working group Define leadership and ownership of the overall ECM vision for the organization Establish a meeting cadence & define a vision, with goals & objectives Define a charter with committee responsibilities

Roles & Responsibilities• Define the roles & responsibilities related to the design, administration & adoption of

the ECM environment• Including executive, technical/administrative and business leadership roles • Direct usage and growth of SharePoint within the organization


Site Architecture, Configuration & Processes Define overall SharePoint site structure for the organization Include site owner responsibilities Site monitoring, decommissioning and management processes

Operational and IT Administration Identify operational & IT management processes Include maintenance, disaster recovery, backup and storage needs Define permissions required for each IT role

Content Management & Regulatory Compliance Define & identify processes for content management Records management, retention, archiving Requirements to meet regulatory compliance standards within SharePoint

Social Collaboration Define usage of personal sites, newsfeeds, blogs, and social collaboration tools like

Yammer



Security & Controls Define security and monitoring controls Include farm level controls, user authentication, authorization/permissions, security

policies, identity management, automated monitoring/alerts, access to content, etc.

Training Identify immediate and ongoing SharePoint training needs for diverse audiences Include end users, power users, site owners, administrators Include specialty areas like Business Intelligence, Responsive Design and building

Workflow processes.

User Adoption Define & identify needs for increasing SharePoint user adoption Include topics like good user experience design, a robust information architecture and

clear role/ responsibility definition



Using a SharePoint Information Governance site, OneNote and the Protiviti Information Governance Template, allows stakeholders to actively participate in developing the information governance plan.Information Governance Site & Notebook


Develop goals & objectives, vision, form the governance committee, develop governance committee charter with responsibilities + tactical meeting details.

Information Governance Site & Notebook


Identify roles and responsibilities, environmental structure, server configuration and operational concerns, authentication & analyze support structure, etc…Information Governance Site & Notebook


Identify roles and responsibilities, environmental structure, server configuration and operational concerns, authentication & analyze support structure, etc…Success Criteria and Outcomes Timing was critical

Occurred during Enterprise-Wide SharePoint Migration Business departments are already engaged

Heavy IT involvement when implementing the plan Provide training, implement controls, automate through workflows, work with

business groups, regular security reviews Organizational change occurred one department at a time – manageable Centralized permission management and site creation

Planning Process was very interactive SharePoint Site & OneNote allows us to develop the plan during committee

meetings

Defined data owners for each department Defined permission monitoring and regular re-certification process Defined/communicated responsibilities


Still had to produce that document!

Information Governance Plan


FINANCIAL SERVICESInformation Governance Case Study

2


Client Profile: Financial Services New York based 4000 Employees Fortune 700 Company SEC Regulated Most Sensitive Information:

Material Non-Public Information (MNPI)Information is material if there is a substantial likelihood that a reasonable investor would consider it important in deciding whether to buy, hold or sell a security.Information is non-public if it has not been publicly disclosed.


Information Governance Journey Failed an SEC Audit related to access control on file

shares and sites, specifically for MNPI data

2200 Fileshares and 1600 SharePoint Sites Permissions management was delegated to business users

Already had a SharePoint Governance Plan Didn’t apply to those file shares and sites

Executive Sponsorship: Head of Compliance Remediate the security issues Take measures to prevent issues in the future

…and do it all within 3 months


Step 1: Identify Data Owners Gathered list of File Shares and Sites

Reporting to determine obvious ownership Result: 400 file shares or sites claimed (approx. 200 file shares, 200 sites) Ensure always have 2 data owners for each

Work directly with data owners to review and certify permissions Get documented confirmation of review/certification

What about the remaining 2000 file shares, 1400 sites?


SharePoint Site to Claim Ownership

Make it Easy!

Calculated Column, Content Editor

Web Part &JavaScript to

Auto-Populate Claim Form

Make it Easy!

Views to Review ‘My Validations’

(claims I’ve submitted)

Make it Easy!Use the right language for

your business users.Provide an FAQ

10,018Ownership

Claims(7400 in first 5 days)


Step 2: Identify MNPI

Cannot be automated

Make it part of the claim form: Does this site contain MNPI? No default answer, but provide options: Yes, No, Uncertain

If there is any doubt, assume it does contain MNPI

Material Non-Public Information (MNPI)Information is material if there is a substantial likelihood that a reasonable investor would consider it important in deciding whether to buy, hold or sell a security.Information is non-public if it has not been publicly disclosed.


Step 3: Review and Certify Permissions Data owners must review permissions and either:

Certify they are correct (provide email that they certify) Make changes and then certify Request help to make changes and then certify

Give them a deadline Check up regularly Make sure have some senior pressure to get it done

Document the process heavily


Step 4: Shutdown Sites Not Claimed/Certified

Pick a date - Give plenty of warning!

File shares are easy – add a deny permission

Site Collections are easy – implement the lock feature

Sites/Subsites are not easy – remove all permissions recursively


Step 4: Shutdown Sites Not Claimed/Certified

Scripted the SharePoint permission removal process with PowerShell As part of the script, documented permissions before removing them

Be Prepared for Backlash Will help to define data owners Define a process by which you can restore permissions if needed –

give business an SLA (sites will be restored within 6 hrs, 12 hrs, etc.) Script process to restore permissions Document what you restore


Step 5: Implement Governance System Implement a third party application to centralize requests for

access to information File shares and Sites Approvals requested of individual’s manager and data owner Access granted automatically once approvals received

Perform permission recertification every 6 months Automate notifications & reminders to data owners going forward of

recertification activities

All access requested/granted/denied is monitored and logged


Success Criteria and Outcomes Top level support

Mandate from Head of Compliance to get it done! All file shares and sites remediated, except 76 file shares

and 90 sites

Process driven by InfoSec team Supported by SharePoint Administration team

Started with Data owners Organizational change started from data owners Defined permission monitoring and regular re-

certification process Defined/communicated responsibilities


Closing Going through an Information Governance plan process is

important…Organizational change is critical!

Consider how organizational change happens in your organization

Consider data ownership as a method of kick starting the process

Consider a permission monitoring and regular permission recertification process

Thank You!

Antonio MaioEmail: [email protected]: www.trustsharepoint.comSlide share: http://www.slideshare.net/AntonioMaio2Twitter: @AntonioMaio2


Appendix – Claim Site JavaScript

[javascript]< script type="text/javascript" src="../../Javascript/jquery-1.3.2.min.js"></script>< script type="text/javascript">

// Get al the field names from the formfields = init_fields();// Get all querystring parameters from the URLvar queryStr= getQueryParameters();

// Is the parameter "FileShareID" defined - if so then auto-assign the value from the URL to the field on the formif(queryStr[‘FileShareID’]!=undefined){ var properVal = decodeURI(queryStr[‘FileShareID’]); $(fields[‘FileShareID’]).find(‘input’).val(properVal);}// Is the parameter "ShareName" defined - if so then auto-assign the value from the URL to the field on the formif(queryStr[‘ShareName’]!=undefined){ var properVal = decodeURI(queryStr[‘ShareName’]); $(fields[‘ShareName’]).find(‘input’).val(properVal);}

// Is the parameter "UNCPath" defined - if so then auto-assign the value from the URL to the field on the formif(queryStr[‘UNCPath’]!=undefined){ var properVal = decodeURI(queryStr[‘UNCPath’]); $(fields[‘UNCPath’]).find(‘input’).val(properVal);}

// Retrieve all of the parameters passed on the URLfunction getQueryParameters(){ qObj = {}; var urlSearch = window.location.search; if(urlSearch.length>0) { var qpart = urlSearch.substring(1).split(‘&’); $.each(qpart,function(i,item) { var splitAgain = item.split(‘=’); qObj[splitAgain[0]] = splitAgain[1]; }); } return qObj;}// Retrieve all the internal field names on the formfunction init_fields(){ var res = {}; $("td.ms-formbody").each(function() { if($(this).html().indexOf(‘FieldInternalName="’)<0) return; var start = $(this).html().indexOf(‘FieldInternalName="’)+19; var stopp = $(this).html().indexOf(‘FieldType="’)-7; var nm = $(this).html().substring(start,stopp); res[nm] = this.parentNode; }); return res;}< /script>[/javascript]

• Select the list• From the Ribbon click on Form Web Parts• Select Default New Form • Click on Add a Web Part• Select Media and Content• Add the Content Editor• Edit the Content Editor web part and give it a link to the

JavaScript file• Place the following JavaScript in the Site Assets library

Real world SharePoint information governance a case study - published

Software

Transcript of Real world SharePoint information governance a case study - published