Tag Archives: risks

SharePoint and Information Security

An interesting survey on SharePoint security was recently published by Cryptozone. The results are evidence of the need for, and importance of, information management governance and proper, upfront design of information systems. It appears that in most organizations the responsibility for assigning access rights to SharePoint documents still belongs to IT administrators, as indicated by 69% of respondents. At least this segment of users knew who was in charge, in contrast to the 22% who did not even know who managed it. The problem with ceding responsibility for content protection entirely to IT is that IT's primary focus is the maintenance and configuration of the technical infrastructure, with limited knowledge and understanding of the content and its specific protection needs. IT cannot and should not make decisions on how a particular type of information should be protected and who should have access to it.

So who should be responsible for making such decisions? The answer seems intuitive – the business – but 43% of respondents said that they do not trust document authors to control who should read their documents. This would indicate that most users have a low level of awareness and understanding of security needs. This seems to be confirmed by another set of responses indicating that over 45% of users had copied sensitive and confidential information to unprotected USB memory sticks and emails. 55% of these respondents claimed that the reason was the need to send necessary information to users without access to SharePoint, with a further 43% needing it for working at home. Over 30% of users were more concerned about getting the work done than about security, and another 47% did not even think about security or did not care.

One of the contributing factors leading to documents being taken out of SharePoint's control was the need to share them with third parties – over 56% of respondents said that their organizations did not have external portals to support collaboration outside of the organization.

The bottom line is that this exposes organizations to risks, including legal risks and intellectual property theft. The proper solution, therefore, is to give some thought before SharePoint is rolled out to how the information is going to flow across the organization, how it is going to be accessed, how users will be segmented by their needs, and how it is going to be protected. This should lead to the development of information management governance that clearly describes roles and responsibilities across the organization and the ways in which information should be distributed and protected. Lastly, the most important step is to make users aware of the security needs, training them on the policies and periodically reinforcing this knowledge.

Information management initiatives – who should be in charge after all?

In 2011 PMI and Forrester jointly published a report – “State of PMO”. Although the report specifically targeted the problems that Project Management Offices face, the interesting thing is that the findings are very much relevant to information management implementations. One of the factors measured in the study was the perceived value that a PMO brings to the organization and its correlation with the organizational reporting lines. The surprising outcome of the report was that while organizations perceived PMOs as high value where they reported to the CEO (38%) or CFO (36%), the approval rate dropped dramatically when PMOs reported to the CIO (22%) or VP IS/IT (15%). This could lead to the conclusion that the lines of business either:

  1. distrust IS/IT departments,
  2. perceive IS/IT as detached from the business and not addressing their real problems, or
  3. find that the benefits of IT/IS initiatives are potentially intangible and/or never measured after projects are completed.

I do not have specific numbers for information management initiatives, but experience seems to confirm a similar correlation. When information management projects are driven not by the business but by IT, they are often regarded with distrust and receive little confidence and support. Indeed, some IT/IS information management initiatives focus on technology, with poor understanding of the business processes, goals and operations. If this is true, then to improve the odds they should be conceptualized and driven by the business groups rather than by IT. Applying the Pareto principle, maybe 80% of the focus should be on business transformation and knowledge management, and 20% on technology. Delivery should still reside within IS, but the business should be firmly in the driver's seat. The recent explosion in collaboration methods is blurring the boundaries between external and internal, business and social, stationary and mobile collaboration, bringing new opportunities and challenges. There is no doubt that cloud computing is going to revolutionize the way IS and IT departments work today. IT is increasingly becoming a commodity, and some jobs are quickly disappearing, although a recent IDC study brought news that cloud services are going to generate 14 million new jobs by 2015. Too bad that they are going to be in some other, cheaper part of the world. This trend will also force a redefinition of the role of the CIO – maybe putting 'Information' back into the title – changing the focus from infrastructure and technology to the identification, valuation, definition of metrics and management of information as any other enterprise asset. I believe that both shifting the responsibility for information management initiatives to the business and recognizing that information is an asset will increase the success rates of IM initiatives within organizations, leading to improved profits, reduced risks internally and better service to customers externally.

SharePoint – Records Center or In-Place Records Management?

SharePoint 2010 brought some new capabilities but at the same time challenged implementation teams with some tough decisions. One of them is how to implement records management. In MOSS 2007 it was simple; the only way to achieve the functionality was to set up a Records Center site. In this case, for content to be declared a record, it had to be moved to a separate storage area. SharePoint 2010 now offers In-Place Records Management – content that is declared a record stays where it was originally, but additional information management policies need to be applied to make sure it is immutable. Which solution is better? Which one should be chosen?

As expected, there is no simple answer to this question – it depends. But once the decision is made, the organization needs to live with its consequences. The way back is costly and time consuming, which usually makes reversing the course unfeasible. So what are the pros and cons of either solution? The list below captures some of the key differences and their potential impact. Please note that some of the functionality was split to reflect the fact that business users and records managers are often driven by conflicting requirements: ease of filing, access, finding information and the ability to collaborate for business users, and the ability to restrict access, protect content and enforce retention rules for records managers.

Each row below lists the feature, how it behaves in an In-place implementation, how it behaves in a Records Center implementation, and a comment.

Feature: Retention
In-place: Implemented through information management policies by content type. This might provide more flexibility in making the rules more granular, but at the cost of maintenance complexity.
Records Center: Simple – once a record is placed in its bucket, it inherits the bucket's retention rules.
Comment: Most business users are not concerned with retention; this is of primary interest to records managers. However, when implementing in-place records management, it needs to be taken into account that the lifespan of a record might be longer than that of the hosting site. This creates potential problems with records preservation when the site needs to be disposed of, and could lead to a tendency to keep obsolete sites live, exposing the organization to legal and regulatory risks and increased storage costs.

Feature: Security/Accessibility
In-place: No ability to restrict access to records; the record maintains the same visibility across its lifecycle.
Records Center: The content's visibility, and the ability to see its existence in search results, can be restricted.
Comment: This could be a concern for records of a sensitive nature, especially in HR and Legal departments, or in the case of mergers and acquisitions.

Feature: Findability of information – business user perspective
In-place: Excellent, since records reside within their context in their corresponding libraries and folders.
Records Center: Might be poor, since the same content types reside in the same buckets.
Comment: This category addresses primarily the needs of business users – to locate information quickly and easily. In the in-place implementation, records are preserved at their source, so it is easy to locate information through its context. In the Records Center implementation, the key success factors are good governance policies and their implementation, as well as rich, good quality metadata.

Feature: Findability of records / eDiscovery – records manager perspective
In-place: Usually good, though the search needs to span multiple sites.
Records Center: Good, since all records are located in the Records Center, but eDiscovery will require searching both the sites and the Records Center.
Comment: In the Records Center case, good quality metadata is important. eDiscovery of records in the Records Center is fairly straightforward and quick; however, since eDiscovery covers any content – declared as records or not – it will not eliminate the need to search across all locations.

Feature: Ease of records management
In-place: Complex, since records are spread across various sites, libraries and folders.
Records Center: Easy, since records reside in a central location with common sets of rules.
Comment: Managing records declared in-place might become messy. Strict governance and control of the granularity of information management policies are required. The governance must cover how to handle records whose survivability exceeds the site lifespan, as well as who can un-declare or supersede records per site. Auditing of records management and records reporting becomes more complex.

Feature: Ease of site management
In-place: Complex – sites contain both mutable and immutable content.
Records Center: Simple – sites contain only documents that are not yet declared as records, or stubs pointing to Records Center content.
Comment: Sites with in-place records management become more difficult to manage due to the differences in how records and transitory documents are handled. Strict governance is required.

Feature: Ability to audit records
In-place: More complex.
Records Center: Simple.
Comment: The ability to audit records in the in-place implementation depends on each site's audit policy implementation. There are no out-of-the-box compliance reports available. Strict governance is required.

Feature: Administrative security
In-place: By site administrators.
Records Center: By records managers.
Comment: In the in-place implementation, site administrators have the ability to manage both transitory documents and records. This might not be desirable for organizations in heavily regulated industries, where sole responsibility for the preservation of records resides with records managers.

Feature: Storage
In-place: Transitory documents and records reside on the same storage medium.
Records Center: Scalability can easily be ensured by placing records on a separate storage medium.
Comment: The in-place implementation might lead to increased storage requirements for both documents under active collaboration and records that might be rarely accessed. Performance issues, security and organizational disaster recovery requirements must be taken into account (this is not the same as simple backups).

Feature: Declaring Document Sets as records
In-place: Yes.
Records Center: No.
Comment: The current version of SharePoint does not allow Document Sets to be declared as records in the Records Center.


So how do you determine which one is more suitable for a given organization? There are several factors that will ultimately influence the decision, such as:

– Company culture – strict or more relaxed
– How heavily regulated the industry is
– The legal, regulatory and statutory requirements
– Existing processes for handling records – is there already dedicated staff to manage records?
– Business continuity planning requirements
– Existing business processes – are Document Sets the best fit for the organization? (This is a weak point, however, as I am sure that Microsoft is going to come up with a solution for Document Sets handling soon.)
– Information growth rate and the proliferation of sites and site collections

The decision on the method of records management implementation should not be taken lightly, as it will have long-term impacts on costs, change management, user adoption, governance, site and records management, compliance and more. There is no easy way back.

Where is that tap?

Here is the latest example of poor records keeping, and its associated costs, as it happened last week in the area where I live – Ruptured Line not on maps: Fortis. In short, an excavator ruptured a natural gas line, which resulted in the evacuation of a whole neighborhood, organizing and transporting residents to temporary locations, closed businesses, rerouted traffic, and the full presence of police, fire and rescue services. It took a while for Fortis, the natural gas provider, to locate the leak and cut off the supply. The contractor was not at fault here – before digging, they checked with Fortis whether there were any pipes in the area. After the fact, Fortis stated that the pipe was more than 40 years old and was not indicated on the map. I am afraid that in reality the pipe was on a map, as it was supplying gas to a building that does not exist anymore. Rather, the problem was that Fortis was not able to locate the latest version of the map, and they based their excavation approval on outdated records.

The positive side of this event is that it should be fairly easy for Fortis to develop and approve a business case for an improved records management system. One of the biggest problems facing the implementation of information management projects is that they are always low priority, due to the intangibility of most of the benefits and risks. There is always something more important generating revenue. Document and records management are mostly perceived as cost centers – until accidents like this happen. Fortunately, in this case there was no further damage and nobody was injured. But this is definitely an opportunity to quantify the costs and risks in the business case and get the problem fixed. In this case these will be the costs of the emergency services, evacuation, investigation, problem rectification and so on. Safety, health and environment risks will come to the top of the priorities, and let's not forget about reputational risks – protecting the public trust, and the organization in litigation, should any follow. One door closes, another opens….

SharePoint 2010 and Department of Defense

As you might know, SharePoint 2010 does not have its records management solution certified against the DoD 5015.2 standard. MOSS 2007 was certified, but with 2010 Microsoft decided not to go through the pains of getting the product tested and approved. There are multiple reasons behind this decision, but probably the most important is that certification requires substantial effort and time. Microsoft wants to focus on developing the collaboration platform, leaving the more detailed compliance requirements to software partners.

But how important is this decision? In conversations with records management professionals I often hear the opinion: “who cares, the DoD standard is military oriented, with a strict set of rules that most organizations will never need”. They are right; probably most organizations will never need that level of compliance. However, the point is somewhere else. The certification guarantees that the software product delivers everything the organization will ever need, and most probably more – at least when it comes to records management. The organization does not need to use all the features; however, having such capabilities removes at least one compliance-related concern when selecting a software product.

For example, how would the executives in your organization feel if they found out that the SharePoint records management solution you just implemented does not guarantee irrecoverable destruction of records that have passed their retention period? SharePoint out-of-the-box does not provide a solution for expunging records after they are deleted. As you might know, there have been several criminal cases where courts requested the recovery of deleted files, and specialized agencies were often successful in this task. I am sure that some executives in government and large corporations would become quite nervous knowing that.

The bottom line is that SharePoint is a great solution for implementing records management; however, organizations need to take into account all the requirements across the organization. I mean all the requirements – not only those explicitly stated by records managers but also the implicit business needs. Some of these requirements will need to be fulfilled by adding third-party web parts or application services. This, on the other hand, increases the total cost of ownership, so finding the proper balance between requirements, planning and design is quite critical.

Lost cause in records management – convenience copies

I found some interesting facts in a recent AIIM poll, “Records Management Strategies – plotting the changes”. As many as 48% of respondents said that although they were concerned about leaving convenience copies of disposed records behind at the end of their retention period, they did not have a solution in place to address it. It sounds like a paradox: on one side organizations spend millions to implement enterprise content management systems, and on the other they leave on the table the key benefits of implementing such systems and processes. In another, related question, respondents said that their strongest business drivers for ECM were compliance with legislation and industry regulations (45% and 35%), reduction of storage costs (42%), sharing of knowledge (36%) and improvement of litigation performance and reduction of associated costs (35%). By leaving convenience copies unattended, none of the above drivers is addressed, often deluding the organization into believing that it achieved its key objectives. Even if the 'official records' are disposed of, the organization is still not compliant with laws and regulations, storage costs are not reduced, eDiscovery costs will be high as all information will have to be searched, and business decisions will often be based on outdated information. The missing last step in the implementation of the information management strategy undermines the organizational efforts. This might not be surprising, as over 35% of respondents cited lack of board/C-level commitment and lack of cross-departmental agreement on how to manage electronic records as the key obstacles to implementing information management strategies.

The lesson learned from this is that groups responsible for implementing information management within organizations need to work continuously on marketing ECM and building strong business cases based on hard, measurable benefits. Even when this is done, after the implementation there must be an ongoing effort to accurately monitor the key performance indicators and success criteria. The outputs of these measurements should reinforce the marketing messages, helping to secure the required support.

Managing Risks in Information Management Programs

Information Management projects are, in my opinion, among the most challenging. One of the reasons is the degree of uncertainty related to the current state of data, and usually the duration of the program. Although there are discrete steps within ECM programs that are handled by specific projects, the overall duration of the initiative is pretty long. This makes such initiatives sensitive to a changing environment, political landscape changes within the organization, changing external laws and regulations, and so on.

Managing risks is a key factor in achieving success in the program. Risks must be managed constantly, maybe not weekly, but they should definitely be reviewed at least monthly. In my current organization we set up a monthly Risk Review Board consisting of individuals representing various aspects of the ECM program – including business analysis, technology, architecture, change management and governance. During our meetings we focus on new risks that appear, prioritization, and working out mitigation plans for 20% of them (according to the Pareto law – 80% of the biggest threats come from 20% of the risks). Risks are assigned to owners who need to manage them and report back on their status.

We have to be transparent to stakeholders in communicating the biggest risks, although this needs to be done in a way that takes into account their level of tolerance. We do not want to create panic when it is not necessary. This is the point where the program manager's experience comes into play. If we are confident that we can handle these risks, we should provide a brief statement about them that shows confidence in handling them. Only risks that are outside the program manager's influence, requiring stakeholders to step in to mitigate them, should be worked out in detail. After all, this is similar to flying a plane. It is sufficient for the captain to tell passengers to fasten their belts because the plane is entering an area of turbulence, rather than going into the details of the autopilot having just stopped working.