Post on 16-Jan-2017
Maximizing Opportunities in the SharePoint Environment: Conducting Assessments and Resolving Challenges
PROTIVITI • MAXIMIZING OPPORTUNITIES IN THE SHAREPOINT ENVIRONMENT • 1
OverviewThe majority of Fortune 500 companies use the Microsoft SharePoint intranet platform for workforce collaboration and content management. Yet few make regular assessments of the SharePoint environment part of their audit plans. Surprisingly, while 79 percent of those surveyed at Microsoft’s 2014 SharePoint Conference in Las Vegas said their organizations stored sensitive data in a SharePoint environment, only 18 percent said they prevented access through the use of technical controls. Moreover, 36 percent of respondents said that their business conducted no SharePoint audits.
While there are no specific compliance drivers making SharePoint a top-of-mind concern for companies, there are still potential risks that the system’s use could pose to the business, particularly with regard to data integrity and security. And by not examining how workers use SharePoint, organizations cannot determine whether they are getting the most from their investments.
A SharePoint assessment allows organizations to identify potential risks in their environment, optimize SharePoint configuration and performance, and determine whether additional user training on the system and education about potential risks are needed. Although any organization using SharePoint should review its environment on a regular basis, there are a number of conditions that signal an assessment should happen sooner rather than later. These early indicators of need include:
• Auditing and compliance are ongoing and major concerns for the organization. Again, while no specific compliance mandates apply to SharePoint yet, governance and auditing authorities are starting to focus specific attention on the platform.
• The organization has faced data security issues, including unauthorized access and breaches.
• Projects (e.g., SharePoint upgrades, implementations, expansions or redesigns) are not meeting their goals, and internal communications are a point of frustration.
• Users are complaining about their experience with the system. This indicates that information architec-ture, search configuration and site navigation need to be reconsidered.
• The organization is planning to migrate from another enterprise content management (ECM) platform or consolidate multiple systems in SharePoint. These situations are perfect opportunities to plan for change or assess the impact to an existing SharePoint platform.
PROTIVITI • MAXIMIZING OPPORTUNITIES IN THE SHAREPOINT ENVIRONMENT • 2
SCOPING THE SHAREPOINT ASSESSMENT
To help organizations assess their SharePoint environments, Protiviti has developed a flexible, comprehensive review process. We start by collaborating with organizations and their project teams to identify an appropriate scope for the assessment. The end result of the process is a final report with prioritized recommendations specifically tailored to our client’s environment.
Protiviti offers assessments around five key areas of an organization’s SharePoint environment:
• Performance Health Check: Analyzing and optimizing SharePoint system performance.
• Governance Planning: Understanding how to govern SharePoint (i.e., ensure all legal, technical, opera-tional and functional concerns are represented) using people, processes and policies.
• Information Architecture Scorecard: Ensuring that information in SharePoint is presented intuitively and is easy for users to search and retrieve.
• Privacy and Security Review: Validating that information and access risks are under control.
• Usability Review: Engaging the user community to understand and identify opportunities for improved adoption of SharePoint in the organization.
SharePointAssessment
PerformanceHealth Check
InformationArchitecture
Scorecard
Privacy &SecurityReview
GovernancePlanning
UsabilityReview
Engage the user communityto understand and identifyopportunities for improved
adoption
Analyze systemperformance, identifyissues and optimize
Ensure that informationis presented intuitively
and is easy to search/retrieve
Understand howpeople, processes and
policies are utilizedto govern SharePoint
Validate that risksrelated to information
and access areproperly controlled
Figure 1: The five key areas of a SharePoint assessment
While Protiviti recommends that all of these areas be covered in a single audit, organizations can tailor the audit scope to meet their specific needs and goals. Additional details on each of the five assessment areas are provided below, along with further explanation of how the Protiviti SharePoint Assessment process works.
PROTIVITI • MAXIMIZING OPPORTUNITIES IN THE SHAREPOINT ENVIRONMENT • 3
Performance Health Check
To get the most from their IT investments, organizations need to conduct regular maintenance of their sys-tems – just like a tune-up for a car. Protiviti provides experienced infrastructure analysts trained to examine all aspects of SharePoint implementation, including farm (i.e., environment) configuration, site collections, data-base configurations and log reviews. Assessing these aspects as part of a formal “Performance Health Check” can provide insight into adjustments that need to be made to mitigate identified issues and improve the reli-ability of the SharePoint environment. (Note: “Reliability” means both traditional reliability, such as system uptime and data integrity, and user confidence that the system is stable and consistently available.)
SharePoint Infrastructure Design Site Maps
Workflow Diagram
Figure 2: Examples of documentation used during a SharePoint Performance Health Check
Governance Planning
Organizations should view SharePoint as a business platform that offers a variety of line-of-business services to users. Therefore, it is important to provide a clear set of guidelines for use and administration of SharePoint – that is, a formal governance plan.
Protiviti’s governance team develops a cross-functional representation of SharePoint stakeholders to ensure that all legal, technical, operational and functional concerns are represented. The team can then recommend next steps for updating the governance plan to help improve user adoption of SharePoint. It also can provide strategies for records management, which can be a significant challenge for organizations that use SharePoint.
PROTIVITI • MAXIMIZING OPPORTUNITIES IN THE SHAREPOINT ENVIRONMENT • 4
Information Architecture Scorecard
The information architecture that supports the SharePoint environment has a direct impact on a user’s impression of the platform and is therefore critical to user adoption and measurable achievement of the desired business outcomes. Protiviti provides trained analysts to assess your organization’s SharePoint implementation and examine how well metadata, navigation, content types, and search are leveraged to support the organization’s goals for business process improvement.
An Information Architecture Scorecard (see Figure 3) – one of the final deliverables of the Protiviti SharePoint Assessment process – is used to highlight, by topic, specific ways to improve the user experience. Protiviti analysts use these findings to identify underutilized features in SharePoint and to outline practical recommendations for aligning the system’s information architecture with the solution’s business case.
Residual Risk Information Architecture Assessment Usability Performance
Site Columns
Content Types
Enterprise Keywords/Managed Metadata
Custom Lists/Libraries
Search
Navigation
Governance Plans
Strategy Document
End User Focus
Mobile-Friendly Display
(Add-On) Web Analytics
(Add-On) Accessibility Requirements
(Add-On) SEO
High Medium Low
Figure 3: Example of an Information Architecture Scorecard used to assess the SharePoint environment
PROTIVITI • MAXIMIZING OPPORTUNITIES IN THE SHAREPOINT ENVIRONMENT • 5
Privacy and Security Review
SharePoint is a business platform; therefore, it typically contains data subject to a wide range of security require-ments. A review of security configurations within SharePoint can determine how safe data is within the system. Assessment methodology should focus on ensuring that users have appropriate access to documentation while simultaneously restricting access to only the data necessary for the day-to-day job functions of users.
Note that a Privacy and Security Review of SharePoint is limited to an assessment of the SharePoint environ-ment; to ensure network safety, a more comprehensive IT security audit should also be conducted.
Architecture Design Roadmap
Figure 4: Ports and Protocol Flow
PROTIVITI • MAXIMIZING OPPORTUNITIES IN THE SHAREPOINT ENVIRONMENT • 6
Usability Review
SharePoint is a web-based platform and, like any web experience, should be designed with end users and usability in mind. Consistent navigation across all sites will help users feel comfortable in the SharePoint environment; they should be able to access desired sites quickly, no matter where they are in the environment.
When conducting a Usability Review as part of a SharePoint assessment, Protiviti’s analysts will interview users. Their feedback on SharePoint usability will help to identify opportunities to improve user adoption, increase collaboration and enhance business processes. A navigation report, as shown in the example for Figure 5, is also helpful in assessing SharePoint usability.
Figure 5: Google Analytics Navigation Report
PROTIVITI • MAXIMIZING OPPORTUNITIES IN THE SHAREPOINT ENVIRONMENT • 7
A CUSTOMIZED APPROACH TO SHAREPOINT AUDITS
As noted earlier, the SharePoint audit process begins by identifying key areas of the SharePoint environment to assess. Protiviti recommends that organizations assess all five key areas outlined in this document – at the very least, for the initial audit of their SharePoint environment. Depending on the scope of the audit, the next step is to create interview agendas that address each of the selected areas.
Protiviti’s analysts, who are trained in SharePoint Audit Methodology, then meet with end users and key stakeholders to conduct in-depth interviews. Once the interviews are complete, a review and analysis period commences, resulting in a scoped Assessment Report that includes observations, recommendations and next steps for improving the SharePoint environment.
Assessment Area Selection
5 core assessment
areas
Select areas &
subtopics
Assessment Areas
1. Performance Health Check• Farm configuration• Site collections• Database configuration• Log reviews
2. IA Scorecard• Managed metadata• Search and navigation• Mobile
3. Governance Planning
4. Privacy and Data Security Review
5. Usability Review
Assessment Framework
Review Analyze
• Collect and review relevant material
• Interview team members about processes and challenges
• Gather targeted historical data for analysis
• Utilize tools and diagnostics for analysis
• Grade individual subpractices for each assessment area
• Synthesize results
Assessment Report
Observations Strengths and gaps
Recommenda-tions
• Action items • Priority • Quick wins
• Impact analysis • Effort/order of magnitude
Next Steps • Grouped by theme and plotted on a time horizon
Figure 6: Basic steps in the Protiviti SharePoint Assessment process
PROTIVITI • MAXIMIZING OPPORTUNITIES IN THE SHAREPOINT ENVIRONMENT • 8
Core Deliverables
While the final deliverables for each engagement will vary according to a client’s needs, each Protiviti Share-Point Assessment will typically include three components:
• Overall audit report
• Associated recommendations section (see example below)
• Information Architecture Scorecard (see Figure 3)
Recommendations are presented based on their overall impact and the effort required to implement and include cross-references to the overall audit report. The Information Architecture Scorecard is a companion document used to show areas where improving the user experience and/or user interface in the SharePoint environment would have the most impact.
Recommendations
1. Update the Current SharePoint Version• The farm is currently running Microsoft SharePoint Server 2010 with
the December 2012 Cumulative Update (CU). There are newer updates available.
• The latest CU is for June 2013, and there is also a more recent Service Pack 2 (SP2); however, we recommend a two-month waiting period before installing new updates. This gives the SharePoint community, as well as Microsoft, time to find and correct any problems that may be present with the update.
• We recommend the April 2013 update be installed.
2. Logging• SharePoint logs should be put on a separate drive from the operating
system, but because the server only has a single drive, this is not currently possible. Consider adding a second drive.
• Event throttling is at default settings of Information for event level and Medium for trace level, which logs more information than is necessary on a normal basis, and it adds to the load on the servers.
• Modify the level of logging for all categories to Warning for the event level and Monitorable for the trace level to decrease the amount of detail logged.
3. Email Configuration• Outbound email is configured normally for the farm.• Incoming email is not configured for the farm, and the SMTP service is
not installed. This is optional and only needs to be configured if you decide to use features such as receiving email to post directly to a list.
High Medium Low
Effo
rt
ImpactLow
Low
High
Hig
h
Figure 7: Example of post-audit recommendations for improving the SharePoint environment
These documents, when taken together, provide a list of meaningful and actionable next steps to improve the overall reliability, efficacy and security of an organization’s SharePoint environment.
PROTIVITI • MAXIMIZING OPPORTUNITIES IN THE SHAREPOINT ENVIRONMENT • 9
SUMMARY
SharePoint, like any business-critical technology infrastructure, should be viewed as a “living” platform that needs to be monitored regularly to ensure optimal performance and reduce risk. Protiviti recommends that organizations conduct SharePoint audits at least every three years after initial assessment of their environment.
We also suggest that organizations be proactive about performing SharePoint assessments. New compliance demands related to SharePoint may be on the horizon; regardless, businesses are wise to identify data security risks in any aspect of their operations. And given the investment required to implement SharePoint, organiza-tions simply cannot afford to allow the system to be underutilized and fail to eliminate unnecessary roadblocks that prevent users from fully embracing the technology.
ABOUT PROTIVITI
Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, tech-nology, operations, governance, risk and internal audit, and has served more than 40 percent of FORTUNE 1000® and FORTUNE Global 500® companies. Protiviti and its independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies.
Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
About SharePoint Solutions
Protiviti’s SharePoint Business Consulting Group offers strategic consulting and technical implementation expertise to help clients unlock the full business potential of Microsoft SharePoint. Protiviti’s SharePoint team has years of experience in all aspects of SharePoint implementation, so we understand how to guide our clients through the strategic steps of the SharePoint Maturity Model.
Unlike typical software consultants, Protiviti focuses on the business user’s experience and long-term enterprise vision. Steeped in Protiviti’s risk consulting and internal audit practices, we also help clients build SharePoint workflows and establish policies that align with their evolving governance and risk management programs.
To learn more about SharePoint Solutions, please visit sharepoint.protiviti.com. For additional information about the issues reviewed here or Protiviti’s services, please contact:
Mike Steadman Thomas Crowe+1.913.685.6226 +1.952.249.2243mike.steadman@protiviti.com thomas.crowe@protiviti.com
© 2015 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet. PRO-0315-103059Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.
ASIA-PACIFIC
AUSTRALIA
BrisbaneCanberraMelbournePerthSydney
CHINA
BeijingHong KongShanghaiShenzhen
INDIA*
BangaloreMumbaiNew Delhi
JAPAN
Osaka Tokyo
SINGAPORE
Singapore
* Protiviti Member Firm
THE AMERICAS
UNITED STATES
AlexandriaAtlantaBaltimoreBostonCharlotteChicagoCincinnatiClevelandDallasDenverFort LauderdaleHouston
Kansas City Los Angeles Milwaukee Minneapolis New York Orlando Philadelphia Phoenix Pittsburgh Portland Richmond Sacramento
Salt Lake City San Francisco San Jose Seattle Stamford St. Louis Tampa Washington, D.C. WinchesterWoodbridge
ARGENTINA*
Buenos Aires
BRAZIL*
Rio de Janeiro São Paulo
CANADA
Kitchener-WaterlooToronto
CHILE*
Santiago
MEXICO*
Mexico City
PERU*
Lima
VENEZUELA*
Caracas SOUTH AFRICA*
Johannesburg
EUROPE/MIDDLE EAST/AFRICA
FRANCE
Paris
GERMANY
Frankfurt Munich
ITALY
Milan Rome Turin
THE NETHERLANDS
Amsterdam
UNITED KINGDOM
London
BAHRAIN*
Manama
KUWAIT*
Kuwait City
OMAN*
Muscat
QATAR*
Doha
UNITED ARAB EMIRATES*
Abu Dhabi Dubai