Minimizing Corporate Risk with SharePoint 2010 through Compliance Best Practices
Last week, I led a session at SPTechCon entitled “Minimizing Corporate Risk with SharePoint 2010 through Compliance Best Practices”. In it, I laid out best practices for dealing with “inappropriate” content placed in your SharePoint 2010 environment, and explained that “inappropriate” can mean many different things, from meaningless to offensive to confidential. The best practices from the session are listed below. Pay particular attention to #7, where I present a process, modelled on disaster recovery planning, for managing executive expectations around “inappropriateness”.
I enjoyed leading the session and hope that many of the items below are both obvious and already in place in your SharePoint environments.
#1 – Inventory
- Old BI adage: “You can’t measure what you don’t see”
- For SharePoint, “you can’t monitor environments you don’t know exist”
- Always, always have an accurate inventory of all SharePoint environments
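As an added example (not from the original session or post), the script below builds the per-farm half of that inventory from the SharePoint 2010 Management Shell: every web application, site collection and content database, with owner, size, last-modified date and whether native auditing is switched on. It assumes it runs on a farm server under an account with farm read rights; the output path is an assumption.

```powershell
# Added example: enumerate web applications, site collections and content
# databases in the local SharePoint 2010 farm and write a CSV inventory.
# Assumes the SharePoint 2010 Management Shell on a farm server; the output
# path is an assumed location.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$outFile = "C:\Inventory\SharePointInventory.csv"   # assumed location

$inventory = foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    foreach ($site in $webApp.Sites) {
        try {
            New-Object PSObject -Property @{
                WebApplication  = $webApp.DisplayName
                WebAppUrl       = $webApp.Url
                SiteUrl         = $site.Url
                ContentDatabase = $site.ContentDatabase.Name
                Owner           = $site.Owner.LoginName
                SizeMB          = [math]::Round($site.Usage.Storage / 1MB, 1)
                LastModified    = $site.LastContentModifiedDate
                AuditFlags      = $site.Audit.AuditFlags   # "None" = no native audit trail
            }
        }
        finally {
            $site.Dispose()     # SPSite objects must be disposed explicitly
        }
    }
}

$inventory | Sort-Object WebApplication, SiteUrl |
    Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8

# Summary line: site collections that cannot be monitored via audit reports
$unaudited = @($inventory | Where-Object { $_.AuditFlags -eq "None" })
Write-Host ("{0} site collections inventoried; {1} with no audit flags set" -f `
    @($inventory).Count, $unaudited.Count)
```

Run it once per farm you know about; the column of site collections with no audit flags set is the gap that #4 below depends on. The hard part of #1, finding farms nobody told you about, is not something a script on a known farm can solve.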
#2 – Security
- “What you don’t know won’t hurt me”
- Have a well-documented security model (for all sites, especially those with sensitive content) so “exposure” is always known
#3 – Education
- Have detailed documentation (maybe a component of an overall governance strategy) and/or training to educate contributors around intent, inappropriateness, and repercussions
#4 – Monitoring (native)
- Leverage audit/logging/search reports to look for “inappropriate terms” [reactive]
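The native, reactive sweep in #4 can be scripted rather than clicked through. The following added example (mine, not from the original post or from Microsoft) runs each watch-list term through the SharePoint 2010 search API, then joins the hits to the site collection audit log so you can see how often each flagged document was touched in the last week. The site URL, term list and output path are assumptions; it also assumes a crawled search index and that auditing is already enabled on the site collection.

```powershell
# Added example: reactive "inappropriate term" sweep over a SharePoint 2010
# site collection using the native search API plus the audit log.
# Assumes the SharePoint 2010 Management Shell, a crawled index and auditing
# enabled. Site URL, terms and output path below are illustrative assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.Office.Server.Search")

$siteUrl  = "http://intranet.contoso.local"                # assumed
$terms    = @("confidential", "do not distribute", "ssn")  # assumed watch list
$lookback = (Get-Date).AddDays(-7)
$outFile  = "C:\Inventory\TermSweep.csv"                   # assumed

$site = Get-SPSite $siteUrl
try {
    $hits = foreach ($term in $terms) {
        # Full-text query over crawled content; quote the term so phrases match.
        $kq = New-Object Microsoft.Office.Server.Search.Query.KeywordQuery($site)
        $kq.QueryText      = '"' + $term + '"'
        $kq.ResultTypes    = [Microsoft.Office.Server.Search.Query.ResultType]::RelevantResults
        $kq.RowLimit       = 500
        $kq.TrimDuplicates = $true

        $results = $kq.Execute()
        $table   = New-Object System.Data.DataTable
        $table.Load($results[[Microsoft.Office.Server.Search.Query.ResultType]::RelevantResults],
                    [System.Data.LoadOption]::OverwriteChanges)

        foreach ($row in $table.Rows) {
            New-Object PSObject -Property @{
                Term   = $term
                Path   = $row["Path"]
                Title  = $row["Title"]
                Author = $row["Author"]
            }
        }
    }

    # Pull the audit trail once for the lookback window and join it to the hits.
    $query = New-Object Microsoft.SharePoint.SPAuditQuery($site)
    $query.SetRangeStart($lookback)
    $entries = $site.Audit.GetEntries($query)

    $report = foreach ($hit in $hits) {
        # Assumption: DocLocation is server-relative without a leading slash,
        # while the search Path is absolute. Adjust if your entries differ.
        $relative = ([System.Uri]$hit.Path).AbsolutePath.TrimStart('/')
        $touches  = @($entries | Where-Object { $_.DocLocation -eq $relative })
        $last     = $touches | Sort-Object Occurred -Descending |
                    Select-Object -First 1 -ExpandProperty Event
        $hit | Add-Member NoteProperty AuditEvents7d $touches.Count -PassThru |
               Add-Member NoteProperty LastEvent $last -PassThru
    }

    $report | Sort-Object Term, Path | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
    Write-Host ("{0} documents matched {1} terms; details in {2}" -f `
        @($report).Count, $terms.Count, $outFile)
}
finally {
    $site.Dispose()
}
```

Two caveats a practitioner will hit: search only finds what the crawler has indexed and the running account is allowed to see, so a document uploaded an hour ago or locked down by permissions will not appear, and the audit log only covers site collections where auditing was turned on before the event. Both are why the post calls this approach reactive.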
#5 – Monitoring (3rd party)
- Purchase a 3rd party solution (e.g. HiSoftware Compliance Sheriff) that offers a much more robust, proactive, actionable approach
#6 – Retention Policy
- If you have the discipline to define the usefulness of your content then you should be able to define the depreciation of that usefulness
- Retention policies are especially useful in your e-discovery strategy
#7 – Think about this stuff BEFORE it bites you
- Don’t let your CEO/boss hear about this first
- If you are coming from the IT side, think of this like disaster recovery. Start with a spreadsheet:
  - one column represents an “inappropriate” event
  - next column represents risk to the employee
  - next column represents risk to the company
  - next column represents maximum allowable response time (think SLA)