Maximizing Opportunities in the SharePoint Environment: Conducting Assessments and Resolving Challenges

PROTIVITI • MAXIMIZING OPPORTUNITIES IN THE SHAREPOINT ENVIRONMENT • 1

OverviewThe majority of Fortune 500 companies use the Microsoft SharePoint intranet platform for workforce collaboration and content management. Yet few make regular assessments of the SharePoint environment part of their audit plans. Surprisingly, while 79 percent of those surveyed at Microsoft’s 2014 SharePoint Conference in Las Vegas said their organizations stored sensitive data in a SharePoint environment, only 18 percent said they prevented access through the use of technical controls. Moreover, 36 percent of respondents said that their business conducted no SharePoint audits.

While there are no specific compliance drivers making SharePoint a top-of-mind concern for companies, there are still potential risks that the system’s use could pose to the business, particularly with regard to data integrity and security. And by not examining how workers use SharePoint, organizations cannot determine whether they are getting the most from their investments.

A SharePoint assessment allows organizations to identify potential risks in their environment, optimize SharePoint configuration and performance, and determine whether additional user training on the system and education about potential risks are needed. Although any organization using SharePoint should review its environment on a regular basis, there are a number of conditions that signal an assessment should happen sooner rather than later. These early indicators of need include:

• Auditing and compliance are ongoing and major concerns for the organization. Again, while no specific compliance mandates apply to SharePoint yet, governance and auditing authorities are starting to focus specific attention on the platform.

• The organization has faced data security issues, including unauthorized access and breaches.

• Projects (e.g., SharePoint upgrades, implementations, expansions or redesigns) are not meeting their goals, and internal communications are a point of frustration.

• Users are complaining about their experience with the system. This indicates that information architec-ture, search configuration and site navigation need to be reconsidered.

• The organization is planning to migrate from another enterprise content management (ECM) platform or consolidate multiple systems in SharePoint. These situations are perfect opportunities to plan for change or assess the impact to an existing SharePoint platform.

2 • MAXIMIZING OPPORTUNITIES IN THE SHAREPOINT ENVIRONMENT • PROTIVITI

SCOPING THE SHAREPOINT ASSESSMENT

To help organizations assess their SharePoint environments, Protiviti has developed a flexible, comprehensive review process. We start by collaborating with organizations and their project teams to identify an appropriate scope for the assessment. The end result of the process is a final report with prioritized recommendations specifically tailored to our client’s environment.

Protiviti offers assessments around five key areas of an organization’s SharePoint environment:

• Performance Health Check: Analyzing and optimizing SharePoint system performance.

• Governance Planning: Understanding how to govern SharePoint (i.e., ensure all legal, technical, opera-tional and functional concerns are represented) using people, processes and policies.

• Information Architecture Scorecard: Ensuring that information in SharePoint is presented intuitively and is easy for users to search and retrieve.

• Privacy and Security Review: Validating that information and access risks are under control.

• Usability Review: Engaging the user community to understand and identify opportunities for improved adoption of SharePoint in the organization.

SharePointAssessment

PerformanceHealth Check

InformationArchitecture

Scorecard

Privacy &SecurityReview

GovernancePlanning

UsabilityReview

Engage the user communityto understand and identifyopportunities for improved

adoption

Analyze systemperformance, identifyissues and optimize

Ensure that informationis presented intuitively

and is easy to search/retrieve

Understand howpeople, processes and

policies are utilizedto govern SharePoint

Validate that risksrelated to information

and access areproperly controlled

Figure 1: The five key areas of a SharePoint assessment

While Protiviti recommends that all of these areas be covered in a single audit, organizations can tailor the audit scope to meet their specific needs and goals. Additional details on each of the five assessment areas are provided below, along with further explanation of how the Protiviti SharePoint Assessment process works.

PROTIVITI • MAXIMIZING OPPORTUNITIES IN THE SHAREPOINT ENVIRONMENT • 3

Performance Health Check

To get the most from their IT investments, organizations need to conduct regular maintenance of their sys-tems – just like a tune-up for a car. Protiviti provides experienced infrastructure analysts trained to examine all aspects of SharePoint implementation, including farm (i.e., environment) configuration, site collections, data-base configurations and log reviews. Assessing these aspects as part of a formal “Performance Health Check” can provide insight into adjustments that need to be made to mitigate identified issues and improve the reli-ability of the SharePoint environment. (Note: “Reliability” means both traditional reliability, such as system uptime and data integrity, and user confidence that the system is stable and consistently available.)

SharePoint Infrastructure Design Site Maps

Workflow Diagram

Figure 2: Examples of documentation used during a SharePoint Performance Health Check

Governance Planning

Organizations should view SharePoint as a business platform that offers a variety of line-of-business services to users. Therefore, it is important to provide a clear set of guidelines for use and administration of SharePoint – that is, a formal governance plan.

Protiviti’s governance team develops a cross-functional representation of SharePoint stakeholders to ensure that all legal, technical, operational and functional concerns are represented. The team can then recommend next steps for updating the governance plan to help improve user adoption of SharePoint. It also can provide strategies for records management, which can be a significant challenge for organizations that use SharePoint.

4 • MAXIMIZING OPPORTUNITIES IN THE SHAREPOINT ENVIRONMENT • PROTIVITI

Information Architecture Scorecard

The information architecture that supports the SharePoint environment has a direct impact on a user’s impression of the platform and is therefore critical to user adoption and measurable achievement of the desired business outcomes. Protiviti provides trained analysts to assess your organization’s SharePoint implementation and examine how well metadata, navigation, content types, and search are leveraged to support the organization’s goals for business process improvement.

An Information Architecture Scorecard (see Figure 3) – one of the final deliverables of the Protiviti SharePoint Assessment process – is used to highlight, by topic, specific ways to improve the user experience. Protiviti analysts use these findings to identify underutilized features in SharePoint and to outline practical recommendations for aligning the system’s information architecture with the solution’s business case.

Residual Risk Information Architecture Assessment Usability Performance

Site Columns

Content Types

Enterprise Keywords/Managed Metadata

Custom Lists/Libraries

Search

Navigation

Governance Plans

Strategy Document

End User Focus

Mobile-Friendly Display

(Add-On) Web Analytics

(Add-On) Accessibility Requirements

(Add-On) SEO

High Medium Low

Figure 3: Example of an Information Architecture Scorecard used to assess the SharePoint environment

PROTIVITI • MAXIMIZING OPPORTUNITIES IN THE SHAREPOINT ENVIRONMENT • 5

Privacy and Security Review

SharePoint is a business platform; therefore, it typically contains data subject to a wide range of security require-ments. A review of security configurations within SharePoint can determine how safe data is within the system. Assessment methodology should focus on ensuring that users have appropriate access to documentation while simultaneously restricting access to only the data necessary for the day-to-day job functions of users.

Note that a Privacy and Security Review of SharePoint is limited to an assessment of the SharePoint environ-ment; to ensure network safety, a more comprehensive IT security audit should also be conducted.

Architecture Design Roadmap

Figure 4: Ports and Protocol Flow

6 • MAXIMIZING OPPORTUNITIES IN THE SHAREPOINT ENVIRONMENT • PROTIVITI

Usability Review

SharePoint is a web-based platform and, like any web experience, should be designed with end users and usability in mind. Consistent navigation across all sites will help users feel comfortable in the SharePoint environment; they should be able to access desired sites quickly, no matter where they are in the environment.

When conducting a Usability Review as part of a SharePoint assessment, Protiviti’s analysts will interview users. Their feedback on SharePoint usability will help to identify opportunities to improve user adoption, increase collaboration and enhance business processes. A navigation report, as shown in the example for Figure 5, is also helpful in assessing SharePoint usability.

Figure 5: Google Analytics Navigation Report

PROTIVITI • MAXIMIZING OPPORTUNITIES IN THE SHAREPOINT ENVIRONMENT • 7

A CUSTOMIZED APPROACH TO SHAREPOINT AUDITS

As noted earlier, the SharePoint audit process begins by identifying key areas of the SharePoint environment to assess. Protiviti recommends that organizations assess all five key areas outlined in this document – at the very least, for the initial audit of their SharePoint environment. Depending on the scope of the audit, the next step is to create interview agendas that address each of the selected areas.

Protiviti’s analysts, who are trained in SharePoint Audit Methodology, then meet with end users and key stakeholders to conduct in-depth interviews. Once the interviews are complete, a review and analysis period commences, resulting in a scoped Assessment Report that includes observations, recommendations and next steps for improving the SharePoint environment.

Assessment Area Selection

5 core assessment

areas

Select areas &

subtopics

Assessment Areas

1. Performance Health Check• Farm configuration• Site collections• Database configuration• Log reviews

2. IA Scorecard• Managed metadata• Search and navigation• Mobile

3. Governance Planning

4. Privacy and Data Security Review

5. Usability Review

Assessment Framework

Review Analyze

• Collect and review relevant material

• Interview team members about processes and challenges

• Gather targeted historical data for analysis

• Utilize tools and diagnostics for analysis

• Grade individual subpractices for each assessment area

• Synthesize results

Assessment Report

Observations Strengths and gaps

Recommenda-tions

• Action items • Priority • Quick wins

• Impact analysis • Effort/order of magnitude

Next Steps • Grouped by theme and plotted on a time horizon

Figure 6: Basic steps in the Protiviti SharePoint Assessment process

8 • MAXIMIZING OPPORTUNITIES IN THE SHAREPOINT ENVIRONMENT • PROTIVITI

Core Deliverables

While the final deliverables for each engagement will vary according to a client’s needs, each Protiviti Share-Point Assessment will typically include three components:

• Overall audit report

• Associated recommendations section (see example below)

• Information Architecture Scorecard (see Figure 3)

Recommendations are presented based on their overall impact and the effort required to implement and include cross-references to the overall audit report. The Information Architecture Scorecard is a companion document used to show areas where improving the user experience and/or user interface in the SharePoint environment would have the most impact.

Recommendations

1. Update the Current SharePoint Version• The farm is currently running Microsoft SharePoint Server 2010 with

the December 2012 Cumulative Update (CU). There are newer updates available.

• The latest CU is for June 2013, and there is also a more recent Service Pack 2 (SP2); however, we recommend a two-month waiting period before installing new updates. This gives the SharePoint community, as well as Microsoft, time to find and correct any problems that may be present with the update.

• We recommend the April 2013 update be installed.

2. Logging• SharePoint logs should be put on a separate drive from the operating

system, but because the server only has a single drive, this is not currently possible. Consider adding a second drive.

• Event throttling is at default settings of Information for event level and Medium for trace level, which logs more information than is necessary on a normal basis, and it adds to the load on the servers.

• Modify the level of logging for all categories to Warning for the event level and Monitorable for the trace level to decrease the amount of detail logged.

3. Email Configuration• Outbound email is configured normally for the farm.• Incoming email is not configured for the farm, and the SMTP service is

not installed. This is optional and only needs to be configured if you decide to use features such as receiving email to post directly to a list.

High Medium Low

Effo

rt

ImpactLow

Low

High

Hig

h

Figure 7: Example of post-audit recommendations for improving the SharePoint environment

These documents, when taken together, provide a list of meaningful and actionable next steps to improve the overall reliability, efficacy and security of an organization’s SharePoint environment.

PROTIVITI • MAXIMIZING OPPORTUNITIES IN THE SHAREPOINT ENVIRONMENT • 9

SUMMARY

SharePoint, like any business-critical technology infrastructure, should be viewed as a “living” platform that needs to be monitored regularly to ensure optimal performance and reduce risk. Protiviti recommends that organizations conduct SharePoint audits at least every three years after initial assessment of their environment.

We also suggest that organizations be proactive about performing SharePoint assessments. New compliance demands related to SharePoint may be on the horizon; regardless, businesses are wise to identify data security risks in any aspect of their operations. And given the investment required to implement SharePoint, organiza-tions simply cannot afford to allow the system to be underutilized and fail to eliminate unnecessary roadblocks that prevent users from fully embracing the technology.

ABOUT PROTIVITI

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, tech-nology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.

Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

About SharePoint Solutions

Protiviti’s SharePoint Business Consulting Group offers strategic consulting and technical implementation expertise to help clients unlock the full business potential of Microsoft SharePoint. Protiviti’s SharePoint team has years of experience in all aspects of SharePoint implementation, so we understand how to guide our clients through the strategic steps of the SharePoint Maturity Model.

Unlike typical software consultants, Protiviti focuses on the business user’s experience and long-term enterprise vision. Steeped in Protiviti’s risk consulting and internal audit practices, we also help clients build SharePoint workflows and establish policies that align with their evolving governance and risk management programs.

To learn more about SharePoint Solutions, please visit sharepoint.protiviti.com. For additional information about the issues reviewed here or Protiviti’s services, please contact:

Rob Hustick Thomas Crowe+1.540.450.1782 +1.952.249.2243rob.hustick@protiviti.com thomas.crowe@protiviti.com

© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0516-103059Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

* Protiviti Member Firm

THE AMERICAS

UNITED STATES

AlexandriaAtlantaBaltimoreBostonCharlotteChicagoCincinnatiClevelandDallasDenverFort LauderdaleHouston

Kansas City Los Angeles Milwaukee Minneapolis New York Orlando Philadelphia Phoenix Pittsburgh Portland Richmond Sacramento

Salt Lake City San Francisco San Jose Seattle Stamford St. Louis Tampa Washington, D.C. WinchesterWoodbridge

ARGENTINA*

Buenos Aires

BRAZIL*

Rio de Janeiro São Paulo

CANADA

Kitchener-WaterlooToronto

ASIA-PACIFIC

AUSTRALIA

BrisbaneCanberraMelbourneSydney

CHINA

BeijingHong KongShanghaiShenzhen

INDIA*

BangaloreHyderabadKolkata MumbaiNew Delhi

JAPAN

Osaka Tokyo

SINGAPORE

Singapore

CHILE*

Santiago

MEXICO*

Mexico City

PERU*

Lima

VENEZUELA*

Caracas

EUROPE/MIDDLE EAST/AFRICA

FRANCE

Paris

GERMANY

Frankfurt Munich

ITALY

Milan Rome Turin

THE NETHERLANDS

Amsterdam

UNITED KINGDOM

London

BAHRAIN*

Manama

KUWAIT*

Kuwait City

OMAN*

Muscat

SOUTH AFRICA*

Johannesburg

QATAR*

Doha

SAUDI ARABIA*

Riyadh

UNITED ARAB EMIRATES*

Abu Dhabi Dubai