Most SharePoint environments have grown organically and as a result SharePoint sites have become digital landfills with no monitoring, reporting and or enforcement. Its not that IT departments don’t want to do the right thing, they simply can’t in most cases due to lack of staff and tools. In addition, no control plan and executive support to execute and manage the control plan ongoing. Unfortunately, until there is a serious breach or lawsuit most executives are oblivious regarding the risks and the steps required to correct the situation. For my 12 step plan for moving to the cloud, read Migrating to Office 365 – 12 steps that will help you get there.
In Part 3, you were tasked with updating and reporting on all the site collection owners. Completing Part 3 the site collections ownership has been updated to include the business area executive, primary and secondary owners to reestablish security and data policy compliance, billing and audit requirements.
In Part 4, you will focus on a detailed data classification and mapping exercise that will enable your organization to enforce its data and security policy. For example, migrating data to the appropriate platform (Cloud / On premise) based on your policy. Transitory data that isn’t classified confidential or non-public can be moved to the cloud. Data that is confidential will be kept on premise. In addition, cleaning up permissions before the migration is recommended as most environments have not been setup and managed by untrained site owners. It’s common to find permissions issues ranging from numerous sites owners, lack of group usage and broken permissions at all levels of the sites and sub sites.
Sounds like a lot of work doesn’t it? It is and many skip it and risk data loss and law suits from exposing client information and or other non-public information. As one of my colleagues said to me once “Pain me know or pain me later”.
The following are the tasks that must be carried out:
- Data Mapping – This exercise focuses on mapping the data in SharePoint to the new information architecture. It’s critical that this step occurs and that a high degree of communication and sign off occurs with the business users. To carry out this activity you will require a tool (e.g. NextLabs Enforcer) that scans your site collections and tags data based on your data policy. Work closely with your vender of choice as they will be able to provide you with the support and guidance required. Most scanners have options for scanning based on PCI for example. To determine what you must scan for speak with your Security Manager – request the Control Plan and Data policy documents. These documents will provide you with the information required to run scans and classify data. Keep in mind you’re not conducting an exhaustive classification exercise, that would take much to long in many cases due to the sheer amount of data that exists in many organizations and lack of resources. What your aiming for is traceability back to your Data policy so you can demonstrate compliance to an Auditor. Note that some may choose to simply migrate to Office 365 and then utilize Microsoft Compliance Center in Office 365. The key outcome of this exercise is an itemized listing of sites that must remain on premise and or data removed from SharePoint sites to remain compliant and a updated control plan (e.g. how to handle non-compliance such as notifying site owners and removing PCI data from cloud).
- Security Model – Your security will provide guidance to SharePoint Admins and Site Owners for applying and enforcing security for site collections and the data that resides within them. Microsoft offer some guidance with a series of documents. I highly recommend keeping this model very simple (and building in measures, enforcement and reporting) as most likely your organization won’t invest much in site security. Here are some simple guideline and feel free to adjust them to your needs:
- Utilize SharePoint Site Groups as the standard.
- For data requiring different permissions (e.g. confidential vs public) utilize another site or create a library and break permission inheritance.
- Allow site owners to manage all groups except Site Collection Admins and Site Owners.
- Provide online how to videos – quick 1-2 minute how to.
- Provide your help desk with support scripts.
- Make site owner SharePoint training a yearly mandatory exercise.
- Automate the deletion of users that have left the company.
- Create procedures for audits and the work involved. Provide links to the site owners for the procedures.
- Updated control plan that details how security will be configured, training required, reported on and enforced by tools, policy and staff.
- Security cleanup – Here you will report on the current state of security for each site collection. This involves running reports on the site collection security and itemizing each entry and correcting if required. Sounds exhaustive? Yes, it is but in regulated industries you must provide such reports to Auditors to demonstrate compliance. There are many scripts available that can help you with this step such as https://gallery.technet.microsoft.com/office/SharePoint-20132010-68415a22. As with any such resource and time intensive process utilize common sense. You have site collections that your SharePoint admin knows are a mess, focus on those first – think 80/20. The outcome of this exercise is a plan that addresses the highest risk site collections, how to address audit exercises and a plan for enforcing ongoing that is endorsed by the executive sponsor.
- Multi factor authentication – create user training, policy and procedures for applying, monitoring and enforcing.
- Ongoing scanning – since you have deployed tools to scan you should (MUST) consider implementing scanning on your destination environments so that you can enforce data policy. For office 365, utilize Microsoft Compliance Center and for on premise utilize Enforcer.
- Vulnerability Assessment – conduct ongoing at least once every 1-2 years.
- Control plan – detailing the upkeep roles (e.g. data custodians, provisioning, exception handling etc., monitoring (e.g. site security and data scanning), and enforcement so organization meets audit requirements. Finally, document any risks that have not been addressed and assign ownership to an executive sponsor whose mandate is complying with data and security policies.
Note that as you address your data and security needs, auditors do not like SharePoint (My Audit training in NJ 2008 was valuable, it gave me insight into how auditors think and how companies handle them) Why? Its distributed security model (e.g. Think AD which is centrally managed with rigor vs SharePoint sites which is in many cases a free for all) and lack of enforcement and structure. If you can demonstrate that your enforcing security and data policy to the best of your ability (e.g. executive support and funding) your ahead of the game.
Found this blog helpful or have suggestions? Contact me firstname.lastname@example.org