Coding Compliance ComponentsWriting Custom Policies for Auditing, Expiration and More

Jason Morrill

Program Manager

Windows SharePoint Services

Agenda

• Information Management Policies• Records Management and the

Records Center• Additional records and compliance features

– Reporting– Email

Information Management Policies

• Standard definition and enforcement of business rules for content– Target both regulations and business needs– Automated for the information worker

• Examples of policies– Expiration– Content format– Document identifiers

• Differentiated along– Types of content– Places where content lives

“Enabling an enterprise to define, instrument, and managepolicies for how they use and retain information”

Retention and Expiration

• Specify how long to keep content– Based on time period (Last modified+ 5 years)– Set programmatically

• Specify an action to take when the event occurs– Delete– Run custom code– Start a workflow

Labels and Barcodes

• Enforce a particular string in a document– Base the string on a document property– “Confidential – Managed By: {ProjectManager}”

• Add a barcode to the document– Pluggable interface for defining the format– Search for document using barcode

• Enforced in the Office Clients

Auditing

• Events audited out of the box

– Insert, Edit, View of an item– Workflow actions– Content Type or list schema

change– Change audit settings– Check In/Out– Copy/Move– Delete/Restore deleted item– Event log deletion– Search queries– Security group changes– ACL changes

• Plug in 3rd party events– New event definitions– Special class for workflows

Custom Information Management Policies

• Examples of new policy features you can build– Digital signature-based document integrity– Document “Hygiene”– Convert to Fixed Format

• Tied to a content type and centrally managed• Parts of a custom policy

– Feature definition– Custom user experience for management (ASCX)– Implement Ipolicy interface

• Policy timer job– Long running job manages updating items when policy changes

• Client OM– Access and act on policies in the client applications

Policy Framework

The Goals Of Records Management

Reduce costs of retrieving information for legal discovery

Reduce risk of non-compliance and legal liability

Retain vital records for business continuity

The Process of Records Management

Records Warehouse

Organize,Maintain, &Dispose

Records Manager

Search,Hold, &Triage

Lawyers &ParalegalsKnowledge Worker /

Records Custodian

Collect

Our Records Center

Search,Hold, &Triage

Lawyers &Paralegals

Knowledge Worker /Records Custodian

Collect RecordsCenter

Policy Enforcement

“Vault” Behaviors

SM

TP

& S

OA

P O

FI

Windows SharePointServices

Hold

Organize,Maintain, &Dispose

Records Manager

Our Records Center

Organize,Maintain, &Dispose

Search,Hold, &Triage

Lawyers &Paralegals

Exchange

Send To

SharePointDocuments

Mail

KnowledgeWorker

DesktopItems

“Ship” To

Nondigitalrecords

RecordsCustodian

3rd-partyimaging

Official FileRecordsCenter

Policy Enforcement

“Vault” Behaviors

SM

TP

& S

OA

P O

FI

Windows SharePointServices

Hold

Records Manager

Management in place vs. Records Center

• Policy features work in all SharePoint document repositories– Use permissions and workflows for in place records

management

• Retention requirements frequently outlive business value– Original document container no longer useful– Reduce amount of content exposed to end users

• Legal hold special to Records Center– Suspension of policy is possible outside record center– Difficult to sufficiently enforce administration outside a

records repository

Records Center

Legal Hold

Records Center Extensibility

• Custom Router– Process content on ingestion

• Conversions• De-duplication

– Route to 3rd party repositories

• Submit new record types with SOAP API– Preserve existing categorization of content– Include audit events

• Hold– OM for adding/removing items to a hold– Programmatic queries for items on a particular hold– Extend Hold use of “Search & Process”

• New actions on search results

• Custom Disposition Actions– Code to set an expiration event– Code to handle an expiration event

Audit Reports

Org. Health And Compliance Reports

E-mail Integration

• Managed Folders– Administrator defined expiration and quotas– Helps users organize their e-mail in a company compliant

way – Helps get rid of the excess in a timely manner

• Direct links to the Record Center from within Outlook– Helps users archive mail and attachments that are

“corporate records” and apply the appropriate metadata as they become records

Managed E-mail Folders

Extensibility throughout

• SDK Code available: Enterprise Content Management Starter Kit

• Solution Builders– Vertical solutions– File plans, reports– Custom litigation hold UI– Custom record center

submission– Workflows for expiration, vital

records review, etc

• Application Builders– New policy features– Add-ins to our OOB policy

features– Record repository integration

• Integration w/external storage• De-duplication