Introduction (SharePoint Development and Governance Using COBIT 4.1)
Applies to: SharePoint Server 2010
The following is an excerpt from the book "SharePoint® Deployment and Governance Using COBIT® 4.1: A Practical Approach", which can be purchased at www.isaca.org book store.
When Microsoft® started developing the third version of SharePoint®, it is doubtful that it realized the global impact it would have on business. That effort eventually became known as SharePoint 2007 and has become a Microsoft “big bet” and one of the most successful software products ever developed.
SharePoint 2007 reached US $1 billion in sales and more than 100 million users in just 18 months. This runaway success caught everyone, including Microsoft, by surprise. Those reading this book are probably part of this ever-growing user base. With the release of SharePoint 2010 and their cloud-based offering of SharePoint called Business Productivity Online Suite (BPOS), Microsoft delivers additional functionality that will open new possibilities to use SharePoint as an application development platform that will push enterprises to adopt SharePoint for applications and wider adoption both in house and as a hosted solution.
So why has this happened? Why has SharePoint become such a smash hit? We believe that SharePoint is a runaway success because it is the best, most cost-effective platform for helping people work more efficiently and productively, regardless of their location, time zone or brand of computer. A browser and a connection to a SharePoint server is all that is needed to get started. Many users have realized an investment payback measured in weeks; not many other investments can boast that kind of return.
SharePoint is like a Swiss army knife, loaded with functionality and possibilities. A partial list of SharePoint’s “out-of-the-box” capabilities includes:
Document management—Manages files with versioning and check-in, check-out capabilities
Collaboration—A web site for every topic imaginable, allowing users to securely manage lists of related information called Web Parts
Enterprise search—Enables searches across SharePoint, file shares, Exchange Server public folders and external databases
Content management—Supports development of professional and scalable public-facing web sites. A look at www.hawaiianairlines.com will give an idea of what can be done with content management built into SharePoint 2007.
Forms and workflow management—Replaces paper forms, manual processes and the e-mail “paper” chase with automated electronic forms, digital signatures and complex workflow capabilities
Business intelligence—Enables creation of electronic dashboards, including Excel running on the server, allowing simplified monitoring of key performance indicators
Deep e-mail integration—Enables notification to key staff if files are modified, new data are posted or a workflow task is assigned
SharePoint delivers all of these capabilities in a web-based, flexible platform at a fraction of the cost that specialized vendors would charge for any one of these items. With the extensibility from a rich variety of add-on products and the flexibility of the .NET platform and Visual Studio® (meaning there is an army of software developers with required experience in place), it is easy to understand why SharePoint has had such a meteoric rise in sales and adoption.
The SharePoint Effect
Although SharePoint has been widely embraced by businesses, its launch has often been accompanied by a wave of frustration and false starts as enterprises struggle toward its deployment and use. We believe these challenges may result from a lack of governance.
We often see “worst practices” and unpredictable results when SharePoint is unleashed on an enterprise without setting up proper governance policies. We call this the “SharePoint effect,” which is often characterized by some or all of the following:
Runaway growth as SharePoint users hijack control, creating high-profile sites, adding content accessible to hundreds or thousands of users, and setting permissions and rights without enterprise planning, strategy or support
Never-ending streams of enhancement requests that go unanswered
Lack of clarity on who is storing what in SharePoint
Inability to track or audit who has accessed items stored in SharePoint lists and document libraries
Inability to gain consensus from the business on goals and priorities for SharePoint
Irrelevant or outdated content
Lack of document life-cycle policies, including mandated archiving and destruction requirements
Shared Services and the SharePoint Effect
Many enterprises have mistakenly launched SharePoint as a shared service, allowing the business to use it as it sees fit, without proper governance or controls. These deployments usually go viral and growth occurs “underground,” out of sight from the staff responsible for keeping SharePoint running. This approach is usually accompanied by unpredictable spikes in growth and use that outpaces any planning that may have been done prior to deployment.
When the SharePoint effect is at full force, the following can be expected:
Team sites spring up across the enterprise and operate independently, without any central direction or guidance
Stale content litters “ghost towns”—sites that were once thriving areas for groups, now suddenly abandoned
Steep declines in performance and supportability
Support calls to IT for unknown third-party tools installed by end users
Some reading this are probably smiling through gritted teeth, having lived through these experiences firsthand. The combination of uncontrolled growth, lack of shared vision and the ad hoc adoption of third-party tools usually causes SharePoint deployments to underperform and miss expectations.
Simply stated, SharePoint governance is a framework of guidelines to create processes and controls that avoid or limit the impact of risks encountered when deploying SharePoint. As SharePoint expands and becomes increasingly pervasive and important to the enterprise, the need to govern it (meaning, control it and manage the risks associated with it) increases dramatically. Some of risks encountered without proper governance include:
Increased security threats—SharePoint allows the user to add and publish content easily. This content is indexed, allowing users to search on most of the content that SharePoint manages, including the text within files stored anywhere in the farm (Microsoft Office® SharePoint server). The increased risk that arises from being able to post any file or content and then search on any word in any posting, document or file managed in SharePoint can be easily imagined. Pulling corporate data into key performance indicators compounds the risk, as does audience growth to include users outside of the enterprise.
Wasted resources—Improperly deployed or managed SharePoint sites can reduce response time, increase support costs, outpace support team capabilities and waste employee time.
Silos of information—SharePoint can be used to build new silos of information and decrease collaboration and information sharing if not used properly. Just posting content into SharePoint does not ensure collaboration. We have witnessed how SharePoint can become its own maze of silos and a nest of sites and hidden content. When looking for information, we have often heard, “It is posted in SharePoint,” and have had to wander through sites to find the information we were seeking.
Catastrophic business failure—As SharePoint grows in importance to the enterprise, improper back-up and business resumption planning can be catastrophic to the business in the event of a loss of SharePoint availability.
We believe that a properly governed SharePoint deployment can be one of the best IT investments an enterprise can make. We also believe that an improperly governed deployment can represent one of its greatest risks.Enterprises that have deployed or are planning on deploying SharePoint will likely be faced with some or all of the following issues and expectations:
The enterprise expects SharePoint will support and transform organizational practices and methodologies.
SharePoint will become pervasive within the enterprise and the reliance upon internal or third-party resources to provide, maintain and ensure the viability of it will become mission-critical.
The costs of IT resources within the enterprise, as well as intangible costs, will rise due to growing dependence upon SharePoint and increasing end-user demands.
This SharePoint governance framework will help manage these expectations while continuing to deliver value to the business.
Reason for the Guide
We have been watching the SharePoint market mature and it is dismaying to observe the lack of comprehensive governance guidelines. All of the SharePoint governance efforts that we have reviewed have been ad hoc and loosely structured around organically developed best practices. Universally, the existing frameworks have been aimed at the IT team rather than the business. These frameworks have been posted in various blogs around the web. Our SharePoint customers have reviewed many of these and have consistently been disappointed because of their lack of breadth or use of a standards-based framework.
We have attended professional associations and trade shows for IT auditors expecting to find a standards-based SharePoint governance framework and have been astounded by the lack of attention and recognition of the importance of SharePoint. We have never found a SharePoint governance framework that would satisfy IT auditors and let business lead.
Even worse, while some IT audit professionals are vaguely aware of SharePoint, few realize the depth of its market penetration and number of business users who rely upon it. Many of the most important assets of these enterprises are stored within SharePoint and it is critically important to establish world-class governance standards for SharePoint and to adhere to these standards quickly.
Borrowing from a software development perspective and an auditor’s sensibility, we created this framework as a practical bridge between the world of IT audit and control and the world of SharePoint development, deployment and management. We represent both sides of this coin and have blended years of real-world SharePoint deployment experience with auditing best practices and international standards to build the practical governance framework presented within this text.
Guiding SharePoint Governance Axiom
This governance framework is based upon the following guiding principles:
SharePoint requires controls and repeatable processes to ensure its orderly deployment, operation and maintenance.
A team of senior business and technical users is required to set policies, procedures and guide the ongoing deployment.
Management reviews should be built into governance policies and procedures.
Business needs should lead technical decisions, not the other way around.
IT resources, including staff and systems, should be leveraged and integrated into SharePoint.
The framework should be built upon internationally recognized governance standards.
The framework should be applicable at any stage of deployment or maintenance.
Based upon the goals stated previously, the following axiom was created to guide the development of this governance framework:
A world-class SharePoint governance framework is a comprehensive set of activities, policies and processes that leverages industry-standard methods and best practices to respond to the needs of the internal enterprise, while satisfying requirements of external regulatory and compliance initiatives. World-class SharePoint governance ensures that the enterprise is getting the most from its IT investment, while demonstrating to the world that management has taken the proper steps to ensure the integrity, confidentiality and availability of its information resources. The governance framework should be easy to understand, follow and implement.
After an exhaustive review of existing governance standards and the goals stated previously, CobiT 4.1 was selected as the foundation for the governance framework.
What Is CobiT?
CobiT is an internationally accepted standard for the governance of information and related software management systems. It offers a framework to govern planning, deployment, control and maintenance of IT systems and applications and ensures that industry-standard best practices and methodologies are applied to meet the needs of business enterprise. The initial release of CobiT was created by the ISACA under the Information Systems Audit and Control Foundation® (ISACF®) in 1996 as an IT process and control framework that linked to general business requirements and system controls. The IT Governance Institute, which was founded by ISACA in 1998, released CobiT® 3rd Edition in 2000, CobiT® 4.0 in 2005 and CobiT® 4.1 in 2007. A series of CobiT mapping papers, produced by ISACA, includes mappings to ITIL, ISO, COSO, PMBOK and many other standardized frameworks widely accepted in the IT community throughout the world.
CobiT 4.1 defines a set of principles, called domains, that are used to guide governance of information and related software management systems. There is a chronological order from Plan and Organise to Monitor and Evaluate; however, the framework supports iterative looping back to any domain at any time. CobiT consists of the following four domains:
Plan and Organise
Acquire and Implement
Deliver and Support
Monitor and Evaluate
A diagram showing the relationship among the domains is in figure 1.
Drilling deeper, CobiT 4.1 defines 34 IT processes, which are divided among the four domains. Processes are high-level directives that form the goals for each domain. For example, the Plan and Organise phase includes ten IT processes:
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.
To recap, CobiT is organized into domains, IT processes and control objectives that have been developed to help business lead and IT manage the risks associated with an information management initiative. A comprehensive list of CobiT processes mapped against the governance methodology in this publication can be found in appendix E.
As certified IT auditors and SharePoint deployment specialists, we have learned what businesses want and need from a governance framework for SharePoint in “the real world.” The CobiT control framework fulfills these needs by:
Aligning IT and business objectives
Defining control objectives that management can use
Identifying major IT resources and how to best utilize them
Using generally accepted industry-standard process models to organize IT activities
Ensuring that performance is defined and measured within an enterprise
The Benefits of Governance Using COBIT
CobiT was selected because of the benefits it delivers to the enterprise. These benefits include:
Leveraging an internationally accepted IT governance framework that is regularly reviewed and updated by a wide array of business, operational, audit and security experts
Better alignment of needs and IT capabilities
Better interaction and communication between IT and business using CobiT guidelines so that IT understands business objectives and business understands what IT does
Better results during audits since CobiT is accepted by third parties
Better definition of ownership and responsibilities since these are based upon a process orientation
Involving all stakeholders on the “same page” referencing a common defining framework
Advantages of the CobiT Framework
The advantages realized from CobiT adoption include:
Deriving maximum value and optimal support from the IT investment
Leveraging resources to their best and highest use
Ensuring that IT risks are managed, monitored and controlled
Providing a universally recognizable framework for both internal and external IT system auditors
Reducing effort and disruption of IT audits since processes and procedures governing SharePoint are presented to the auditors in a manner and form that they can understand and readily recognize as compliant
The CobiT framework is applicable regardless of the size of the enterprise or the complexity of the SharePoint initiative. When applying CobiT to the control and governance of SharePoint, the focus of the initiative assumes a perspective of monitoring and performance that addresses requirements for the entire enterprise, not just the IT domain. CobiT ensures that IT and management are aligned and risks are managed. Using CobiT as the fundamental framework for the initiative encourages and supports a culture of continuous improvement, fostering sustainable processes and methodologies.Sustainable processes and methodologies fostered by CobiT include:
Integrating IT and enterprise governance
Ensuring enterprise-based accountability for IT initiatives
Defining and maintaining complementary relationships among organizational structures
Drafting and clearly communicating policies, standards and processes for IT governance and control
Effecting cultural change (commitment at all levels in the enterprise—from the board to the “shop floor”)
Defining and promoting a process and culture of continuous improvement
Developing and implementing optimum monitoring and reporting structures
Mindbites and a Preview
Throughout the text, we have included insights called mindbites (rather than “soundbites”) that tie conceptually similar guiding principles to actual experiences with SharePoint deployments undertaken without the benefit of SharePoint governance or certain real-world experiences that illustrate a concept. These insights examine why the application of good governance merits attention across many contexts.
The upcoming chapters explore the need for governance at a deeper level and describe how CobiT can be used to develop a practical framework that will generate greater return on investment, wider adoption and decreased risks. Finally, prescriptive advice will be provided on how to apply governance to SharePoint deployment.
This text will guide you from early planning through production deployment of SharePoint 2007 and SharePoint 2010, on premises or in the cloud, using CobiT 4.1 in a practical way. Differences between SharePoint 2007 and SharePoint 2010 are highlighted, as appropriate, and a final chapter explores how to apply these governance controls and objectives for a cloud-based SharePoint 2010 deployment. We hope you find this guide useful and practical and welcome any comments via e-mail firstname.lastname@example.org.