SharePoint Compliance is Boring but Mandatory


I'm with you, I like the fun stuff and the new gadgets like HoloLens. However, I still need to ensure my SharePoint is secure and check compliance with our rules and policies. SharePoint Compliance: what exactly does it mean and, more importantly, how can I validate that it's being respected?

Recently, secretly tucked behind a OneDrive for Business announcement, was the new SharePoint Compliance Center coming to Office 365. Let's see what it reveals.

Compliance with or without SharePoint

Why compliance? It can come from a number of reasons, but legal and regulatory requirements, organizational governance, and internal and external threats are the main factors. To make it easier on you, people are now using all kinds of technology to create content, and it's not always the same application that is used throughout the content's life cycle.

The reasons and types of SharePoint Compliance to look for

No matter how we look at it, complying is crucial and in almost all situations mandatory. Even so, it's important to never forget to empower the users.

This means allowing them to use the tools they are used to and helping them with notifications or, if we need to, blocking them from a specific action while still allowing them to work. It's not only in SharePoint, but in Exchange and whatever else comes to Office 365.

On the other hand, the Compliance Officer, or the IT staff who play that role in some situations, also needs to be able to run discoveries and take action if needed.

Ideally, the platform we choose to work with will allow us to empower the users to work while staying compliant. It will also help the Compliance Officers and IT put holds on content or discover it, and enforce any part of the content life cycle process in whatever way they need.

That's why SharePoint or SharePoint with Office 365 as well as Exchange are on the top of my list. Ok, and I'm a little biased.

SharePoint Compliance currently at your disposal

A good way to get up to speed with compliance in SharePoint and Exchange, both On-Premises and on Office 365, is to watch this video from Channel 9. My takeaway from the video is that there's a lot more in Exchange than there is for SharePoint at the moment.

But let's look at them quickly for SharePoint:

eDiscovery and Holds

Whether you are in SharePoint On-Premises or on Office 365, you can create a Site Collection using the eDiscovery template. Within it, each subsite is essentially a case you can work on to find, hold and export the content you need.

It uses Search to go through Exchange and SharePoint to find the content based on the criteria you entered. Once found, you can apply a Hold on it, whether In-Place or somewhere else, and export the data to give it to your legal team or whoever is asking.

IRM for Document Libraries

This is a topic I enjoy quite a bit. I always found the level of control you can have on content interesting. With On-Premises SharePoint, however, you'll need extra servers for RMS and a PKI for certificates.

It allows you to set rules that forbid actions on content, like printing, forwarding an email and much more. Office 365 has begun introducing more features to help enforce DLP, and with that we saw new options in Document Libraries for Rights Management.

Record Center and In-Place Holds

The Record Center is a Site Collection Template that can be used as a centralized repository for records. Records are content that is frozen, cannot be edited and is stored for archiving purposes. This specific Site Template comes with a URL the admin can set up so that it can be used with every single Document Library's Send To option.

In-Place Records is the ability to leave the document or item where it is at the source, but lock it and prevent anything from happening to it. This helps users continue to find and view the content easily, but gives the Compliance Officer the assurance it hasn't been modified.

Auditing

Auditing in SharePoint isn't so straightforward: it needs to be turned on for each Site Collection before you can see anything. Then, you'll have to go to the Library Settings to choose what you want to audit within it. After that, the information can be read by generating reports against the data collected.

In Office 365, as of February 2015, it's still impossible to audit people who have just viewed content. In a recent Office 365 Security issue, I mentioned how External Users had access to my entire Site Collection and unfortunately, I'll never know if they viewed any content.
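
One way to check the per-Site-Collection audit setting described above across an on-premises farm, as an added example that is not from the original post. It only reads settings, and the set of required events in `$required` is an assumption to adapt to your own policy.

```powershell
# Added example: run in the SharePoint Management Shell on an on-premises farm server.
# It reports which site collections do not audit the events your policy requires.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Assumption: events that must be audited everywhere. Adjust to your own rules.
$required = [int][Microsoft.SharePoint.SPAuditMaskType]::View -bor
            [int][Microsoft.SharePoint.SPAuditMaskType]::Delete -bor
            [int][Microsoft.SharePoint.SPAuditMaskType]::SecurityChange

$report = foreach ($site in Get-SPSite -Limit All) {
    try {
        # AuditFlags is a bit mask; None (0) means auditing was never turned on.
        $flags   = [int]$site.Audit.AuditFlags
        # Bits that are required but not set on this site collection.
        $missing = $required -band (-bnot $flags)

        [pscustomobject]@{
            Url        = $site.Url
            AuditFlags = [Microsoft.SharePoint.SPAuditMaskType]$flags
            Missing    = [Microsoft.SharePoint.SPAuditMaskType]$missing
            Compliant  = ($missing -eq 0)
        }
    }
    finally {
        # SPSite objects hold unmanaged resources and must be released.
        $site.Dispose()
    }
}

# Show only the site collections that need attention.
$report | Where-Object { -not $_.Compliant } |
    Sort-Object Url |
    Format-Table Url, AuditFlags, Missing -AutoSize

# Keep the full result as evidence for the Compliance Officer.
$report | Export-Csv -Path .\audit-settings.csv -NoTypeInformation
```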

Retention or Deletion Policies

Offering numerous options, Retention Policies can be set at the Content Type or Library level. They can be configured to do many things like deleting all drafts or moving a document to the record center and even completely deleting a file when certain conditions are met.

Though they're very powerful, like many of the other features mentioned above, they do not provide a way to do all of this centrally or easily.

A Peek at the new Compliance Center for SharePoint

Almost 12 months after the SharePoint Conference where new features and the Compliance Center were announced, there is still nothing in our Office 365. Auditing still isn't available on viewing content and a few other things like Deletion Policies haven't made their way to our Compliance Center Console.

In fact, we still don't have a Compliance Center for SharePoint. At the moment, you still have to navigate to the Exchange Admin Center to find most of the existing features.

Hidden in a recent video on the new OneDrive for Mac client was a peek at what's to come to help manage content now on even more devices.

SharePoint Compliance Activity Report

We can see that auditing has gotten a nice upgrade, with many more actions to monitor to help us get the information we need. There are also new tabs and options we can see, and some reports focused on OneDrive for Business were mentioned.

All of this is nice, however, and we saw some of it a year ago. Though it seems we are a lot closer to it this time around, I am anxious to see it live in my own SharePoint Compliance Center when available.

Do you think it'll be enough to satisfy most of our Compliance needs in providing a "Unified" experience across the whole suite with Exchange, Lync and SharePoint?

Benjamin Niaulin @bniaulin

Well known as the SharePoint Geek, Benjamin has been helping people all around the globe reach their goals by simplifying SharePoint solutions. You haven't met Benjamin yet? Look for him at SharePoint conferences and events!