I’d like to welcome you to my new blog with a tale of the consequences one organization suffered after years of Sharepoint use without a Governance Plan in place.
Over most of 2018 a team of six of us raced the clock to migrate two large on-prem Sharepoint instances from Sharepoint 2003 (nope, not joking here) and 2010 to Office365. In moving these environments for the 4500 users of one of the largest home nursing providers in New York state, we uncovered many consistent problems as we scrutinized the thousands of sites that had been built over a 10-15 year span.
Governance pros and anyone rolling out Sharepoint/Office365 already know that Sharepoint without a set of established, wise, customized, and above-all enforced rules of usage will get unwieldy fast. Size, consistency, security, redundancy, and the number of ill-informed, home-spun solutions are all likely to spin out of control sooner than anyone in IT is prepared to solve and support. Like they did for our client. They had never documented nor discussed a Governance Plan. The environment had been handed to its user community with no controls in place, loose security oversight, and minimal training.
But there’s nothing like an upgrade and migration to uncloak the dirty little secret of what’s really been going on without the protection of enforced Sharepoint governance.
Here’s a look at what we uncovered, some of our customer’s Lessons Learned:
Security Auditing - No one had been minding the shop, and so hundreds of this organization’s sites were riddled with unique permissions, right down to the individual document level. An inordinate number of people with permissions on items or lists were no longer even employed by the relevant group or even still at the company.
How does a service provider like ours promise to correctly and thoroughly migrate all the permissions in a large but ungoverned Sharepoint environment?
The best way forward was to abandon the entire prior permission landscape. We handled that by having our customer clearly define new site owners, and then clearly communicate their directives and the expectations placed on them. We had them each create their own security matrix for their sites, since they knew their users better than anyone else. We built training videos and stand-up training sessions to convey Best Practices and how Sharepoint Online’s controls work. And this all had to be bolstered by the IT department’s plan to conduct regular security audits and checkups with the site owners.
Site Ownership –Since dozens of the incumbent site owners were no longer even employees, too few employees were accountable for limiting how sensitive information might make its way around the company. So when it was time to migrate, an inordinate number of sites had to have research done on them to vet the relevance of the content, the relevant users and owners, and who should be placed in charge of it going forward. This is costly to any migration schedule.
Site Creation Standards – Default Sharepoint permission schemes that were overlooked gave ill-informed users an opening to meet their most minor requirements by creating a new site. And thanks to inadequate training, word of mouth turned creating new sites into a standard way of storing any files that didn’t seem to have an appropriate document library yet. As a result, the number of single-library, and even single-document sites had sprawled beyond belief, like lava from a volcano. Rest assured, streamlining it all into a sensical taxonomy weighed on our timeline, as well.
For this client, the right Governance Plan policy was to put site creation strictly in the hands of IT, who now have a request-and-approval process in place, with some tough guidelines as to what new content or users deserve their own new site.
Inadequate Training – Not so much a Governance issue (or is it?!), but nonetheless married to the other problems above. Quite naturally people tend to get creative when handed a tool they haven’t been taught how to use. That creativity gets tough to manage over time: even more so when it’s time to move the content elsewhere. It’s best to be proactive in establishing the best new “normal” behavior that keeps the whole environment safe. Vary the available training resources, and be sure to publicize them well.
These issues were and will always be tightly related, and preventable. The consistency and reliability from a decent Governance Plan will pay dividend after dividend. Be vigilant in setting your whole organization up for success.
- Recent Posts:
A true story of how the lack of a Sharepoint governance plan left an organization with nearly unmigratable environments when it came time to upgrade to Office365. The Lytic Group found a way to save the day.