While recently working with clients responsible for SharePoint compliance requirements, I was surprised by the lack of communication between SharePoint administrators and compliance officers. I quickly realized that administrators were coming to AvePoint for guidance because they were not getting the help and direction they needed internally.
Here are three steps a SharePoint administrator can take to prepare for conversations with compliance officers about SharePoint. Taking these steps now pays off in the long run by improving the environment and reducing risk.
1. Speak the Compliance Language
Your compliance officer may not know SharePoint very well, but you do. You need to bridge the gap between technical SharePoint functionality and typical compliance regulations. A proper evaluation of the problem is critical to solving this puzzle. Take the time to assess your environment, users, and user habits so that you have the data points you need to begin addressing their requirements. Here are a few questions you should ask:
- What are the moving pieces? Do intranets, extranets, public sites, file shares, and email relate to a compliance project in SharePoint? Can you estimate how big a risk each of these poses?
- With whom are users sharing? Do you know which individuals outside of your organization have access to your content?
Your compliance team is concerned with regulations, audits, and risk—not with the technical particulars of any given system. Be ready to discuss MySites, the Newsfeed, and other content stored in the User Profile Service in addition to Lists and Libraries. It is a good idea to gather information about how compliance projects have progressed in other enterprise systems such as email, file systems, and instant messaging to get a sense of how it may work with SharePoint.
2. Administration of Permissions in SharePoint
A fundamental tenet of compliance is that users should have appropriate access to information and be blocked from information that is inappropriate for them. Applied to SharePoint, this means having a strong permissions policy.
With the information from step one on who the users are and what the content is, you can now define and successfully configure permissions.
The next phase is developing systematic and repeatable processes of planning, execution, and auditing. This means that once a permissions policy has been developed, an administrator needs to show successful deployment and be able to report regularly on the status of the environment—including who has permissions to particular pieces of content, and also what actions users have performed on what content.
Then you must tackle the difficulties that come with collecting and building reports with audit data and permission hierarchies in SharePoint. This can take the form of native or third-party solutions, but the important thing is to gather this data in order to track usage and permission changes.
More advanced functionality and requirements may also come into play in your SharePoint environment, including external sharing, temporary permissions, and ongoing permissions recertification. There are excellent resources available to get you started with planning.
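The reporting side of this step (who holds which permissions on which content, and what actions users have performed) can be bootstrapped with the SharePoint Server object model before deciding whether a third-party tool is needed. The script below is an added example written for this article, not code from the original post or from AvePoint. It assumes SharePoint Server on-premises, the SharePoint Management Shell (or `Add-PSSnapin` as shown), an account with read access to the site collection, and placeholder values for the site URL and output paths. It inventories every web and list that breaks permission inheritance, writes the role assignments to CSV, and pulls the last 30 days of audit entries for the site collection.

```powershell
# Added example (not from the article): inventory unique permissions and recent
# audit events for one site collection using the SharePoint Server object model.
# Assumptions: SharePoint Server on-premises, run from a PowerShell session on a
# farm server, and read access to the site collection. URL and paths are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl    = "http://sharepoint.example.local/sites/finance"   # placeholder
$reportPath = "C:\Reports\permissions.csv"                        # placeholder
$auditPath  = "C:\Reports\audit-last-30-days.csv"                 # placeholder

# Flatten one securable object's role assignments into report rows:
# one row per principal, with its role definitions joined by ";".
function Get-RoleAssignmentRows($securable, $scopeType, $scopeUrl) {
    foreach ($ra in $securable.RoleAssignments) {
        $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ";"
        [PSCustomObject]@{
            Scope     = $scopeType
            Url       = $scopeUrl
            Principal = $ra.Member.LoginName
            IsGroup   = ($ra.Member -is [Microsoft.SharePoint.SPGroup])
            Roles     = $roles
        }
    }
}

$site = Get-SPSite $siteUrl
$rows = @()
try {
    foreach ($web in $site.AllWebs) {
        # Only scopes that break inheritance need review; inherited permissions
        # resolve to the parent's assignments, which are already in the report.
        if ($web.HasUniqueRoleAssignments) {
            $rows += Get-RoleAssignmentRows $web "Web" $web.Url
        }
        foreach ($list in $web.Lists) {
            if ($list.HasUniqueRoleAssignments) {
                $listUrl = $web.Url + "/" + $list.RootFolder.Url
                $rows += Get-RoleAssignmentRows $list "List" $listUrl
            }
        }
        $web.Dispose()   # SPWeb objects from AllWebs must be disposed explicitly
    }
    $rows | Export-Csv -Path $reportPath -NoTypeInformation

    # Audit trail: entries are only recorded for the event categories enabled in
    # AuditFlags, so warn if nothing is enabled rather than silently writing an empty file.
    if ($site.Audit.AuditFlags -eq [Microsoft.SharePoint.SPAuditMaskType]::None) {
        Write-Warning "Auditing is not enabled on $siteUrl; no events will be returned."
    }
    $query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
    $query.SetRangeStart((Get-Date).AddDays(-30))
    $site.Audit.GetEntries($query) |
        Select-Object Occurred, Event, UserId, ItemType, DocLocation |
        Export-Csv -Path $auditPath -NoTypeInformation
}
finally {
    $site.Dispose()
}
```

Two points matter when you hand these files to a compliance officer. First, the permissions report stops at the list level; items and folders with their own unique permissions are not walked here, and in large libraries that is exactly where uncontrolled sharing tends to hide, so scope that separately. Second, the audit export only contains what was enabled before the review period began; turning on `AuditFlags` today gives you evidence from today forward, not a retrospective view, which is why the article's point about establishing the process before the audit is worth taking seriously.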
3. Do Your Research
As with any enterprise platform, there is only so much that can be done using out-of-the-box features. It’s important to consider other Data Loss Prevention and Governance, Risk Management & Compliance solutions to address any requirements that out-of-the-box features in SharePoint cannot address. Based on the data discovered and requirements established in earlier steps, you can begin evaluating third-party solutions that can identify and remediate those compliance risks.
Compliance is a complex and challenging subject to tackle in SharePoint. However, by being proactive you can begin to demonstrate active management of compliance risk in your environment.
With small steps, you can ensure you understand the compliance landscape, advance proper permissions and reporting, and identify native and third-party solutions to fill any other compliance-related needs in your SharePoint environment.
Edmund X. White - Edmund X. White is a Senior Technical Solutions Professional at AvePoint working with enterprise accounts to support business initiatives with SharePoint. He has a strong background in delivering enterprise solutions and services in the SharePoint space since 2007, as well as broad experience in supporting Microsoft technologies across the enterprise.