Part 3: Building your Governance Plan – A Deeper Dive

As discussed in Part 2:  Building a Governance Plan that works for YOU, the most successful Governance plans are those that achieve the right blend of control vs freedom to meet your business requirements without inhibiting productivity.  In this installment, we will examine the details of building out your Governance Plan in a way that meets your business requirements while striking the balance that ensures a successful adoption.

Understand your Business Content

By now you should have formed your Governance Committee. Representatives on that team have in-depth knowledge of your business, its processes and collateral. The next step is defining your Information Architecture, which requires an understanding of your business content: how it needs to be organized, presented, secured and managed, who the content owners are, and any regulatory compliance or Information Rights Management needs that surround it.

For each department or team in the organization, you will identify the types of content they work with in their day-to-day activities. This includes content that they produce and share with others and content that others share with them. Throughout these discussions you will begin to lay out the structure of your sites and a picture of what types of permissions and access will be permitted or required, based on answers to questions like the following:

Question: Is this content shared with other users outside of this department or team? This can include internal users and users external to the company.
What does it tell you? Content that is not accessed outside the department or team can live in an internal department or team site. Content that needs to be available to users outside of the department or team will call for different placement.

Question: Does this content have unique security needs?
What does it tell you? If this content requires limited access, it will need to live in a site that has restricted access.

Question: Is this content under regulatory control? If so, what are the restrictions placed on it?
What does it tell you? This will indicate the level of security and potentially the availability needs for this content, as well as any other controls that need to be placed on it.

Question: If this content is accessed by an unauthorized user, will it hurt my business? Could this content be part of an eDiscovery and what is the legal lifetime it needs to be retained for?
What does it tell you? This provides further indication of where this content might live and what type of controls it may need, including Information Rights Management needs (Expiration and Restrictions on Print or Email, for example).

Question: If this content isn’t available, can my business run?
What does it tell you? This will help you define the Service Level Agreement necessary around this content to ensure that business-critical content is highly available.

It is helpful to establish a baseline plan for taxonomy and tagging during your Information Architecture Discovery discussions. Taxonomies are used to classify or “Tag” your organization’s content. Identify your most critical content and, at a minimum, address these 2 important questions: “What is the Risk of Corporate Exposure?” and “What are the Availability Requirements?” For instance, it may be enough to begin by identifying “internal”, “need to know – external” and “public” content. Even this little piece of information allows you to begin to identify what sites this content can live in, who owns the content, the permissions around it and whether it should fall under Information Rights Management Policies.

Information gathered in these discussions allows you to determine the Availability and Security needs for all business content as well as its Classification.   Now that you have gone through this cataloging exercise, you can identify which site types this content will live in; specifically where it can live and where it must not live.

Microsoft has published a guideline for determining Governance Levels needed based on site type.   While this is helpful to use as a guide, it is not always enough.  For instance, though My Sites are typically lightly governed, your Governance Plan will specify the types of content that should not be shared in those sites.

[Figure: Governance by Site Type]

Service Level Agreements

Quite often you will find a direct correlation between the level of Governance needed and the SLA (Service Level Agreement) needs around availability.  For instance, Personal Sites and Community Sites typically require less Governance, and have lower availability needs, whereas Department Sites with information critical to running the business, as well as the Intranet Home pages that communicate critical information across the organization will have tighter Governance and a more secure SLA that guarantees higher availability.  Content shared outside of your organization with business partners or vendors may have a more stringent SLA as well due to the need for that communication mechanism to be of higher availability.

IT Governance provides the details needed to guarantee the Service Level Agreements identified for your different business content are met.   Topics that are typically covered are:

  • Policies around problem resolution through a support team i.e. Helpdesk
  • Backup and Restore policies and Disaster Recovery Plans – these differ according to the SLAs you offer for each site type.
  • Update Schedules and Code Deployment processes – Code Review, Test, Signoff
  • Quotas
  • Life Cycle Policies – How will you handle stale or inactive sites?

Site Management Policies

Each Site will have a Site Owner who is responsible and accountable for all content published in their site. Site Management Policies should be established that specify how tightly controlled the site or site collection is and indicate the rights given to the Site Owner. For instance:

  • Can they grant permissions to other users?
  • Can they create and delete Subsites?
  • Can they add apps? – Is there an approval process and if so who governs that?
  • Can they create pages, lists, libraries, site columns, content types?
  • Can they create SharePoint groups and are they required to be based on Active Directory groups?
  • Can they modify permissions of their sites or is approval required?

Site Customizations

SharePoint is a highly customizable platform and the number of 3rd party applications that can be used to augment the out of the box functionality grows every day.  In addition, tools like SharePoint Designer and Visual Studio can be used to build customizations and deploy them to your sites and site collections; this can include Branding and custom Master Pages, or full-fledged custom code.  Further, code can be placed directly in SharePoint pages, and the list of ways to customize your sites goes on.

Your Governance Plan should include details on which types of customizations you will support in your organization, any approval processes required and relevant Change Management Policies.  For instance, where are these customizations developed and tested prior to deployment in your production environment?  A schedule can also be included for Production Update windows that support these activities.

In Summary

There are a fair number of topics that should be covered in your Governance Plan, but not all of these topics require paragraphs of information.  The best and most adopted Governance Plans are concise, to the point and under 3 pages long.  It’s important to remember that unless you can think of a reason why something should be governed, it likely shouldn’t be governed.  Contact us for help with your governance plan!

Tune in next for Part 4:  Training, Adoption & Measuring the Success of your Governance Plan.
