Build a Successful SharePoint Governance Plan -- Redmondmag.com

Build a Successful SharePoint Governance Plan

Coming up with a viable governance strategy is critical and requires a careful balancing act.

By Maggie Swearingen
09/03/2014

Attend any SharePoint conference and you'll see several sessions on the schedule highlighting the importance of SharePoint governance. Inevitably, speakers tell a story that resonates with the vast universe of organizations that use SharePoint. "We launched SharePoint, it grew like an out-of-control wildfire, and now, we need to put that fire out," is the typical refrain. So it goes, organization after organization -- SharePoint governance was an afterthought. SharePoint governance is the "solution" after the problem is already out-of-hand, rather than the mechanism designed to stop the problem from transpiring in the first place.

Nearly half of those responding to a survey last year by the Association for Information and Information Management (AIIM) said it has become easier to find SharePoint governance resources. At the same time, 30 percent still felt their organizations had "big issues" with governance and security in their SharePoint implementations.

The traditionally accepted top-down SharePoint governance model, however, is far less valuable in an era where it has evolved from a complex documents and records management platform, into a full-blown enterprise content management system complete with multi-dimensional social tools. The governance model, once simple -- though generally ignored by IT executives and SharePoint administrators -- now requires a careful balancing act.

The prevalent SharePoint pyramid (see Figure 1), where governance is tightly controlled at the top, and less controlled at the bottom, isn't an accurate depiction of the current struggles facing organizations with large SharePoint implementations including management of social collaboration, the bring your own device (BYOD) revolution and the common challenge of SharePoint site sprawl. A well-executed governance plan compares the various elements of governance and balances security with the current evolution of business mobility (see Figure 2).

**[Click on image for larger view.]** *Figure 1.* The traditional top-down SharePoint governance model. In an era where social content and collaboration is continually important, this approach is no longer as effective. Source: Microsoft

**[Click on image for larger view.]** *Figure 2.* Effective SharePoint governance requires governance committees find a balance between different types of SharePoint content, including social content, in order to manage it more efficiently.

Why Bother?
Governance plans are insurance. But, like changing insurance providers, governance is a pain. It consumes resources, those who presumably already have full-time responsibilities. Also, it requires vigilance, dedication and a general commitment to excellence -- all of which our organizations strive to embody, but at a macro-level. The trickle-down effect rarely reaches the SharePoint trenches. So why create all the fuss?

Consider the high-costs of implementing SharePoint -- some estimates suggest that an organization of 3,000 employees will spend more than $4 million in SharePoint-related costs over a three-year period. Combine that with the fact that many organizations are turning to SharePoint as their enterprise content management (ECM) platform, which houses mission-critical and sensitive data, and suddenly an insurance policy designed to protect and potentially improve your investment isn't a terrible idea.

Steps for Success
First, forget the phrase "successful SharePoint governance." Success implies completion -- and governance is never complete. "Governed SharePoint business improvement" is a more accurate description of the perpetual cycle of improvement in a SharePoint implementation supported by a solid SharePoint governance plan and an active governance committee.

Second, define measurable milestones for improvement. Without a clear declaration of what constitutes improvement, even the most well-intentioned governance plan will fall flat. Each policy and procedure outlined in a SharePoint governance plan should be a quantifiable milestone. For example, as SharePoint implementations become larger and less centralized, organizations struggle to "stop" business units from placing duplicate content in sub-site after sub-site. This is a specific problem that can be addressed with sound governance policies and socialization.

In this example, success in governance can be demonstrated by continually measuring and benchmarking the number of duplicate documents in the system. As the number goes down, it becomes evident that the SharePoint governance policy addressing this issue is successful.

Governance committees should continually document and measure metrics to demonstrate the extent to which their governing process is improving the overall SharePoint enterprise.

Third, create a governance committee empowered to actually govern. According to the 2014 IT Priorities Survey from Protiviti Inc., while IT Executives face significant competing priorities, nearly half of all organizations still rely on IT to deploy, configure and launch SharePoint. Information governance and management programs rank in the top five among the significant priorities for CIOs and fellow IT executives -- topped only by the significance of IT project management, virtualization and cloud computing. SharePoint governance is only one aspect of the larger information governance puzzle, but given organization's commitments to collaborative technologies such as SharePoint, its importance can't be over-stressed.

SharePoint governance committees, the voice of the SharePoint governance plan, are not only comprised of representatives from the business and IT sides of the organization, but also executives and organizational champions. Individuals, regardless of their position or role at an organization, who lead by example and are role models to their fellow colleagues, are invaluable assets in any SharePoint governance planning process.

Despite adherence to this mix-composition plan, many governance committees still fail in their quest to draft and effectively implement SharePoint governance. The problem is three-fold. One, these governance committees aren't recognized as legitimate policy-making bodies in the organization. They're generally considered project-based committees, not governing bodies. The distinction is critical. Project committees live in silos; governing bodies have the support and infrastructure in place to touch all aspects of the business. An effective governance committee depends on its ability to make and, perhaps more important, enforce decisions and policies around all aspects of SharePoint technology and information. Second, they're not given the resources, both financial and human, to socialize SharePoint governance via multiple channels. Last, participants aren't recognized as going above and beyond their typical job responsibilities to participate in an activity that's for the improvement of the entire organization.

"Often clients do some of the things the best practices guidance recommends despite not having a governance team, but it is hit or miss and the misses gradually erode at the integrity of the project and the system," says SharePoint MVP Doug Hemminger.

Most governance committees suffer from at least one of these flaws, and perhaps can compensate for the shortcomings that come with the imperfection of any business process, but any combination of these flaws can prove fatal to the best-intentioned committees.

The fourth step for success is to write appropriate, concise, thorough and useful content. Microsoft highlighted in a TechNet Library article the importance of a governance plan that distinguishes IT governance, application management and information management.

Governance plans will mature as an organization's SharePoint implementation matures. Likewise, governance plan content will have different points of emphasis at different organizations. For example, Office 365 and SharePoint online governance plans are less technical, but place a heavy emphasis on social content and other collaborative tools available in the online SharePoint environment. In such cases, technical governance is less significant because Microsoft bears the burden of many of the technical governance decisions that an organization with an on-premises SharePoint solution would otherwise have to resolve.

Governance plans should include the following core elements:

Operational Management
Technical Operations
Site and Security Administration
Content Administration
Personal and Social Administration

The extent to which each of the broad categories is defined will depend entirely on the maturity of an organization's SharePoint implementation.

Operational Management: Operational management defines not only the membership of the governance committee, but more important, its role and responsibility to the larger SharePoint community. It defines all the roles and related responsibilities necessary to run an effective SharePoint solution.

Technical Operations: Technical operations outline the basic technical structures, requirements and quotas for the SharePoint environment. It references existing documents defining SharePoint architecture or existing IT policies such as uptime and backup requirements. It also defines the authentication mechanisms by which users access the site -- if necessary, defining in detail the differences between internal and external users and the processes for provisioning and de-provisioning access for users.

Site and Security Administration: The aforementioned TechNet Library article also suggests, rightly so, different types of SharePoint sub-sites can, and likely should be governed in different ways. This makes for a potentially complex, but ultimately more thorough picture of content governance. Site and security administration articulates the use cases for different site templates in SharePoint. It also dictates the procedures for the following:

Site provisioning
Site de-provisioning
Site ownership and responsibilities associated with ownership
Permissions structures and best practices
Different use cases for Yammer groups vs. SharePoint sites

Content Administration: Content administration is typically the most difficult element to define for governance committees, largely because by the time governance is put in place, defining a vast wasteland of content is an overwhelming proposition. Information management is more easily addressed when the SharePoint implementation is rooted in a foundation of sound information architecture. Content administration covers a wide range of topics, including:

Defining the differences between business-critical and non-critical content
Creating guidelines for the use of metadata, content types and workflows
Determining review cycles for content, and policies enforcing archiving and deleting of content
Legal considerations regarding document and content retention, and the associated retention policies
Administration and use cases for lists, libraries, pages and different Web Parts

7 SharePoint Governance Tools

After creating a SharePoint governance strategy, make sure to choose a tool that matches your plan.
By Jeffrey Schwartz

With the rise in SharePoint, Office 365 and Yammer usage, the vast majority of organizations lack governance plans to ensure data is managed properly. And of the minority of organizations with governance strategies, many are outdated with the rise of cloud-based services.

"It's important that company-specific documents are properly governed and if there is any lifecycle of a site, page or document it needs to be managed," says Kunaal Kapoor, a vice president with BrightStarr, a global consulting and systems integration firm focused primarily on SharePoint and Office 365 implementations, noting the latter has led to greater attention to governance.

While the most important step is coming up with a plan, choosing the right tool is also imperative. Here are seven SharePoint governance tools to consider:

DocAve 6.0 | AvePoint Inc.
The recently released DocAve 6.0 SP4 now has added governance and compliance features. The latest version allows direct migration from SharePoint Server to Office 365 SharePoint Online without staging. This gives SharePoint administrators the ability to control SharePoint governance both on-premises and in SharePoint Online.

As more SharePoint users rely on social feeds, DocAve now archives newsfeeds and issues alerts to any detected governance or security policy violations. New auditing and usage tracking are aimed at providing information on how social networking is being used, particularly for those organizations looking to accelerate adoption.

The AvePoint Compliance Guardian is now available as a service with this new release. Hosted on the Microsoft Azure cloud, AvePoint touts its compliance as a service offering for organizations looking to track and control risk in all content running on SharePoint Sites, covering such requirements as risk, security and quality.

ChangeAuditor for SharePoint | Dell Software
Dell Software offers a number of tools targeted at helping organizations manage and enforce their governance plans. Among them is Site Administrator for SharePoint, Server Administrator for SharePoint and ChangeAuditor for SharePoint.

The latter is perhaps most noteworthy because it tracks all SharePoint events and stores them in a database, which generates reports on policy violations. It provides real-time alerts of activities that require immediate response, event timelines and tracks changes to security settings and permissions effecting server farms, site collections lists and documents.

Site Sheriff | HiSoftware Inc.
Ensuring data meant to be kept confidential doesn't leak out of the organization is a key emphasis of the new HiSoftware Site Sheriff for SharePoint. The software dynamically provides secure access and sharing of SharePoint content without requiring changes to permissions. It does so using document metadata and user properties and other business logic to create rules that only allow access to content sites and Web apps to which a user should be entitled.

SharePoint admins can also disable the copying of data, e-mail forwarding and offline synchronization of content by displaying information in the secure document viewer.

ControlPoint | Metalogix Software Corp.
Looking to extend its portfolio of SharePoint tools, Metalogix last year acquired the Axceler software business including the company's ControlPoint product, which helps organizations enforce their governance policies, as well as report on how employees are using SharePoint.

Steve Marsh, Metalogix Control Point product manager, says the growth of Office 365/SharePoint Online is upping the ante on the need to create and enforce governance policies. Exacerbating that is the fact that Microsoft now offers 1TB per user storage capacity in the SharePoint OneDrive for Business. "The fact that there's the potential for the content in the cloud to grow exponentially, we are seeing a lot of concern," Marsh says.

ControlPoint manages, delegates and automates permissions and governance policies and enforces them. It's also designed to audit administrator and user activities and monitor overall adoption. It's designed for both SharePoint and Office 365. The company recently released ControlPoint 5.3, which has an improved UI for granting and denying permissions.

Netwrix Auditor for SharePoint | Netwrix Corp.
Although Netwrix Corp. is known for its change and configuration auditing software for Microsoft Active Directory, the company recently added a tool that extends visibility of changes to SharePoint. The new Netwrix Auditor for SharePoint is designed to tighten security, consolidate compliance and report on root-cause analyses. Based on the company's flagship Netwrix Auditor, this release records changes made to SharePoint configurations, content and permissions.

Netwrix Auditor for SharePoint provides views of SharePoint farm configuration and security changes such as permission modifications and inheritance, group membership and updates, or additions to policies. It tracks SharePoint content including when sites, lists, libraries, folders, files and other content is created, deleted or changed. It also correlates changes in SharePoint with changes in other systems including Active Directory, SQL databases and Windows Server, among other platforms.

Sharegate Governance | Sharegate
Sharegate, a company focused on SharePoint migration, more recently has extended into SharePoint governance. When it comes to SharePoint governance, Sharegate is focused on four key areas: managing security settings, monitoring the lifecycle of content ensuring outdated information is removed, making sure SharePoint sites conform to an organization's standards, and ensuring you can manage the growth of your SharePoint environment.

The tool supports SharePoint 2010, 2013 and Office 365 and exports reports into Excel. It's designed to enforce an organization's governance rules.

SharePoint Security & Governance Solution | Stealthbits
Stealthbits SharePoint Security & Governance Solution emphasizes giving organizations to what extent sensitive data is in SharePoint outside of IT's control. The software takes three approaches toward helping organizations gain control of data assets, make sure sensitive data isn't exposed, and the lifecycle of data and content is managed.

An agentless scanning engine gathers inventory of an organization's entire SharePoint environment, exposing all data including sensitive information. It presents who has access to all data regardless of whether it's via local SharePoint groups or Active Directory. After it exposes who has ownership of data, administrators can identify which business users should approve access to the data and provide the appropriate correlation. It creates workflows that let business owners validate access.

Personal and Social Administration: Not too long ago, many SharePoint implementations completely deactivated all social and personal features. MySites weren't introduced to internal audiences, profiles were barely editable and were mostly populated via outdated Active Directory information, and the probability of an active discussion list was incredibly low. However, since the introduction of SharePoint 2013, Microsoft's acquisition of Yammer and the company's emphasis on Office 365, it's no longer possible for IT teams to turn a blind eye.

Indeed, according to the Computerworld 2013 State of the Enterprise survey, 73 percent said their companies have deployed or are currently deploying a wide range of collaboration technologies. In fact, more than 50 percent said they believe collaborative technologies give their companies a competitive edge, and the implementation of such tools is critical to the future success of the business.

All of this is to say that policies and procedures for personal and social use of SharePoint, and the wider suite of Office 365 applications, cannot be ignored.

Personal and social governance doesn't necessarily have to be complicated. From a social perspective, most organizations already have a published Social Media policy. That policy should be referenced regarding the use of any "social" tool, regardless of internal or external use. Additionally, the ubiquity of sites such as LinkedIn have inadvertently educated professionals worldwide on the perils of unprofessional social activity, and the benefits of thoughtful knowledge contribution in professional communities of practice.

Personal administration suggests a user will be allowed to manage some aspects of his profile, and store and share business documents in personal sites and libraries. Communicating quotas and storage limits for personal libraries will prove effective. Additionally, giving the some control over his own profile has significant benefits in communities where knowledge sharing and specialized skill sets are sought after.

True Governance

The proper level of governance, properly applied, can be the difference between success and failure.
By Lafe Low

Successfully rolling out SharePoint as a collaboration platform involves much more than the mere technical aspects of configuring, deploying and managing the software. Developing and implementing a management and governance program is essential to ensure you know who is accessing data in SharePoint and that you're meeting compliance objectives and requirements.

The first step to a successful governance strategy is to understand where to start. "It's a catch-all bucket," says noted SharePoint consultant and Microsoft MVP Robert Bogue. "People put everything in there. For me, governance is very specific. You do governance to eliminate risk or create opportunity."

Bogue, who's also an author of 22 books and frequent speaker on the pitfalls of rolling out SharePoint, is slated to discuss governance for the collaboration platform at the SharePoint Live! conference, which takes place the week of Nov. 18 in Orlando. SharePoint Live!, like Redmond magazine, is produced by parent company 1105 Media Inc. Bogue will give two sessions where he'll discuss how to overcome the obstacles to SharePoint user adoption and how to properly and effectively govern its use in the enterprise.

In a session called "No Governance as Usual," he will first define governance as a starting point. Bogue will discuss the meaning of governance and develop the skills to drive proper governance throughout your organization. While governance focuses on ensuring risk mitigation, compliance and data security, experts say getting business value out of SharePoint is also critical to a governance strategy.

To that end, Bogue's talk, "Bringing the Users with You -- SharePoint 2013 Adoption and Engagement," will cover the obstacles to user adoption and how to overcome those obstacles. "Adoption and engagement aren't just going to happen," says Bogue. "There's lot going on that will prevent that." He cites lack of established training and not seeing specific job functions they can accomplish with the new technology as the primary barriers. The session will cover how you can look to user engagement as a leading indicator of long-term success with SharePoint, eliminating the barriers to SharePoint adoption and driving users to embrace SharePoint.

Taking into consideration hybrid cloud environments with SharePoint Online and Office 365 also requires rethinking new and existing governance strategies. SharePoint MVP Ben Curry, architect and managing partner of Summit 7 Systems, will give a session at the SharePoint Live! conference called "Office 365 Information Architecture and Governance 101," which will cover using SharePoint as part of the Office 365 suite. The session will also explore the fundamental differences between governing an on-premises environment and a cloud offering like Office 365, restructuring content to fit into a cloud environment and managing the challenges of a hybrid cloud environment.

The full agenda for SharePoint Live!, part of the Live! 360 group of conferences, which includes SQL Server Live! and TechMentor, is available here.

Governance Implementation
Finally, buy a SharePoint governance tool (see "7 SharePoint Governance Tools,"). From an IT resourcing perspective it's unrealistic to expect that a human will oversee the majority of the policies and procedures defined in the SharePoint governance plan. There are sophisticated tools that will monitor and automate nearly all of the scenarios defined in the governance plan, making the actual implementation of the plan possible.

There are also smaller, less-sophisticated governance tools available that still have a very valid place in the marketplace. Not only do these tools put SharePoint governance automation in the realm of possibility for smaller organizations with tighter budgets, but they also generally have a less-steep learning curve and can be effectively utilized by even the most resource-stretched IT departments.

Featured

What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.
Fallout from Microsoft's 'Midnight Blizzard' Saga Hits Feds

When the Russian attack group Midnight Blizzard successfully breached Microsoft corporate e-mail accounts late last year, it apparently managed to steal U.S. government agency e-mails, too.