SharePoint sites, growing like weeds, need governance

SharePoint sites can spread like weeds throughout a company, creating big legal risks. It's time to set some rules.

"Like the Wild West" -- that's how Dave Rettig, a senior manager in the strategy and technology alignment group at Raymond James Financial Inc., describes the firm's first implementation of SharePoint 2003. "It was a free-for-all. Everyone just sort of jumped in," Rettig says.

SharePoint is Microsoft Corp.'s software for collaboration, file sharing and Web publishing. "People saw it as just another file server," Rettig says, "and it ended up like someone's garage or attic."

So when SharePoint 2007 came out, a steering group that included Rettig decided to take some control. Instead of automatically upgrading, the group did so manually, porting just 10% of the earlier version's content to the new platform. It also required a "steward" and a backup person for each team's content site.

Security was another concern. Rettig categorized the financial services firm's 14,000 to 15,000 SharePoint subsites into three groups -- team sites, project sites and community sites -- each with different levels of security controls. In addition, the steering group created a specific site to lock down any content containing personally identifiable information, with oversight by the data security staff. "No one can get into that area without security knowing about it," Rettig says. If personally identifiable information is found outside of that boundary, either through an automated scanner or human detection, it's immediately flagged, deleted or moved.

Moreover, forms that enter the SharePoint system from the retail sales force are archived in an optical storage system, with built-in rules for regulatory compliance and security enforcement.

In terms of centralized control, "we keep an eye on storage capacity, and we have tools to see how activity is going on the site," Rettig says. "[But] we don't really have total command and control, and I don't think there are a lot of companies out there who do."

That's for sure, agrees Doug Miles, director of market intelligence at AIIM, an association focused on enterprise content management. In a June survey of 624 organizations, AIIM found that 55% were establishing SharePoint policies for team sites, but other forms of governance were lacking. Just 22% said they provided staff with guidance on content type and classification, and only 15% had formal document-retention policies and legal-discovery procedures. Despite this, nearly a quarter (23%) had rolled out SharePoint to their entire staffs.

"It's kind of 'throw it against the wall and see what sticks,' in terms of what they'll use it for, which seems to fly in the face of a lot of good IT practice," Miles says. "I'm not saying I'm a control freak, but I do err on the side of decently written policies." Miles also urges companies to define which types of content can show up on SharePoint and which types should be reserved for other places, such as human resources and document management systems.

Microsoft included security, document management and other control-related capabilities in the newer versions of SharePoint (2007 and 2010), but the general intent behind SharePoint -- free-form collaboration -- runs counter to the notion of control. And nearly everyone who works with the system is reluctant to quash that freedom.

"The way to get control is to design policies upfront, like what the site is designed to be used for and what content is intended to be on it," says Larry Briggi, a managing director in the technology practice at FTI Consulting Inc. in New York. "But if you stifle it too much, users won't be able to do everything they're supposed to and the system is less useful."

Greg Clark, a consultant at C3 Associates Inc., a Calgary, Alberta-based consultancy specializing in enterprise content management, says SharePoint governance needs to include records managers and the legal department, not just IT. "People just put SharePoint out there, and it goes viral -- suddenly you've got tens of thousands of sites," he warns. The trick is to manage SharePoint in a systematic way that's not so constrained that people don't want to use it.

E-discovery concerns

One area that must be addressed is e-discovery of information for court cases. "SharePoint will be the next new dumping ground for electronic documents," following e-mail and shared directories, Briggi says. "That's a good thing from a usage and convenience perspective, but the downside is that it becomes a new [legal] discovery source. And that's a little more challenging."

Briggi points out that SharePoint systems can have millions of documents and hundreds of record custodians, and there's rarely a single go-to person who knows everything about the SharePoint environment.

Plus, the usual mechanism for finding documents in SharePoint -- keyword searches -- won't necessarily identify all the content relevant to a particular case. Part of this hinges on having the right keywords, and if indexing is not turned on for specific sites, the data in those areas will not be searched. To overcome such challenges, FTI Consulting designed an approach that searches the site by individual custodian, regardless of keywords, and then transfers that content outside of SharePoint, where it can be preserved in a legally acceptable way, Briggi says.

But companies need to consider the e-discovery implications of SharePoint at the outset of a project, before they're suddenly hit with a discovery request during litigation, observers say.

Jessica Carroll, managing director of IT at the United States Golf Association, says her organization is working to integrate SharePoint 2007 into its e-discovery system. The association purposefully selected an e-discovery system that could be customized to reach into SharePoint so the organization could place documents on legal hold and comply with document retention regulations.

The USGA's SharePoint implementation has two audiences: The organization's 350 internal employees, plus the external committee members and regional golf associations it works with. USGA SharePoint sites are used to publish reference material and forms, share ideas and host discussions between the outside groups and staff.

Companies also need to pay attention to government regulations, particularly those requiring retention periods for different types of documents. Miles says SharePoint 2007 provides the ability to move documents to a records repository. But according to the AIIM survey, only 40% of SharePoint users have instituted long-term archiving policies. "They're actually exposing themselves [to legal risks] because e-discovery and archiving haven't caught up" to how people are using SharePoint, Miles says.

At the USGA, Carroll says that while SharePoint is used for document sharing and version control, materials that need to be retained or that have legal value will be kept in a conventional document management system.

Microsoft has added document management features to SharePoint, and although they fall short of the functionality in dedicated content management systems like Documentum, Open Text and FileNet, Miles says, SharePoint's tools are available at a much lower cost, making it possible to give document management capabilities to more users.

The AIIM survey found that some companies are using SharePoint as their very first content management system, while others are using it in tandem with a conventional document management system or as a front-end interface to an existing system.

"Everyone thinks [SharePoint] works out of the box as a document management system, but it doesn't," Miles says. For example, companies need to establish rules for maintaining consistency among corporate departments and ensure that the documents are managed according to the corporate records management plan throughout their life cycles, he says. "You don't want everyone creating different indexing schemes, for instance," Miles adds. "Those are issues that could come back and bite you later on."

For companies where individual departments create their own subsites, C3 Associates consultant Clark suggests setting up global guidelines for structural elements like folder taxonomies, metadata management and records retention.

Who's in charge?

AIIM's survey found that most SharePoint projects are run by the IT department -- sometimes with input from records managers and sometimes not. But in other cases, SharePoint is managed at the business unit level, leaving IT sidelined.

At the Georgia Aquarium, Vice President of IT Beach Clark set up a governance structure in which IT is the administrator for the entire SharePoint operation; it's responsible for setting up all subsites, and it responds to user requests for changes.

The aquarium has a public site for volunteers and an intranet for internal use. Departments tend to publish forms and other documents, whereas the corporate site publishes a newsletter and features a dashboard that reports on aquarium attendance and operational income. "We update those on a daily basis to help everyone maintain focus on achieving those two goals," Clark says.

Governance and user training were big factors when the Navy Reserve Forces Command implemented SharePoint last June. The command uses the system to share information and create standard workflows for processes such as requesting training or applying for a waiver of active duty. When rolling out SharePoint, the command developed a computer-based curriculum with a two-day module for a general overview and a five-day course for power users. "We wanted to make sure the audience was educated in the proper functionality of SharePoint to put some control on how it's used," says Capt. Matt Ragan.

The training covers security issues, such as the need to safeguard personal information, he says. The command also created a tool that asks users if documents they're uploading contain personally identifiable data and provides a link to information on dealing with such files. If a document does contain sensitive information, the user is required to protect it with a password, says Ragan.

In addition, documents with personally identifiable information are tagged so the command can find all such files and lock them down if necessary.

Security was also a "huge concern" for the USGA, particularly for internal sites that are shared by external and internal users, according to Carroll. The association addressed that issue by giving external users log-in access to the portal rather than access to the internal network. It did that with SharePoint's forms-based authentication tool, which provides the external users with log-in credentials separate from the internal Active Directory.

As use of SharePoint continues to grow, the issues of governance and control will evolve because people will continually come up with new ways to use it, according to Rettig. "We're still at it," he says. "We don't think we have it down, because humans change more than systems do."

Brandel is a Computerworld contributing writer. You can contact her at marybrandel@verizon.net.

Copyright © 2010 IDG Communications, Inc.
