Site sprawl. Let’s be honest – eventually most tenants will have it.
What is modern governance and how can it be applied to Office 365 tenants so the sprawl is manageable? This post will showcase some specific, practical ways to implement a modern governance in your environment. Even if you already have a governance plan in your organization, perhaps it’s time to modernize it! Good governance needs to be flexible and adaptable due to the cadence of change in Office 365 as well as changes within an organization. Because of this, there’s almost always opportunity for incremental improvements and adjustments to your governance plan to reflect current state.
The steps you take will depend on your organization’s stance on how sites are provisioned in the first place. Do you:
A… tightly control the provisioning process ensuring site requests go through some form of gatekeeper or approval before they’re provisioned?
B… allow information workers to provision their own and follow-up after-the-fact to ensure regulatory, compliance, risk, and training aspects are covered?
C… use some combination of the two?
This post will cover option C, for this reason… the demands on organizations today to quickly respond to opportunities and challenges often makes the traditional approach taken by IT Administrators and Information Management teams (option A) untenable. There is tremendous pressure to loosen the reigns on who can provision a site and allow information workers to decide when and which type of site to provision, however many organizations are hesitant to allow free reign on-site provisioning without having at least some controls in place.
As a result, our focus needs to shift to balancing the needs of the information worker with maintaining the appropriate level of control for our organization. How do we strike that balance? It’s a challenging position to be sure, however, modern governance is the key to making it possible.
There are 3 practical ways to implement modern governance:
- Control site provisioning
- Notify key teams
- Implement tenant-wide controls
Read on for more details.
Control Site Provisioning
Have an automated site provisioning process
Although you can certainly provision sites manually, depending on the size of your organization, this may not be a practical nor scalable approach. Automating the process provides consistency with site templates and allows for controls to be implemented along with it. There are several ways to automate the provisioning process - I’ve recently blogged about one method using Site Designs and Site Scripts for a simple Project Hub (Building a Modern Flat Project Hub using Site Designs).
If you have access to a developer in your organization and you require more advanced site templates, you can also use the PnP Site Provisioning engine to create a site template. In addition, there are numerous sessions from the recent Microsoft Ignite conference covering site provisioning techniques:
- From start to finish: How to create your modern SharePoint site provisioning solution
- Customizing Modern SharePoint Sites: Branding, Site Scripts and Site Designs
Have site owner agreement/guidance in place
Make sure you have guidance on what it means to be a site owner in your organization and include them as links on each site. This may include things like:
- how to control your own site access by adding and removing members as required
- how to engage site members with news articles
- what does it mean to be part of a Hub?
- what to consider before closing down your site
Refer to a recent post from my blog, Standardizing Site Guidelines using Modern Search in SharePoint Online, where I show how to centrally manage your organization’s site guidelines to be shared across multiple sites.
Notify Key Teams
- Notify information management team of new sites
- Notify training/adoption team of new sites
The information management team will have a vested interest in learning what type of content will be generated in the new site… is it transitory content? is it content needing to eventually end up in a more controlled document center? is there sensitive data that needs to be protected? do you have to share the content with external users? Depending on your organization, there may be restrictions on what content can even be stored in SharePoint. Due to this, the Information Management team will want to follow-up with business teams before they start adding content to their new site.
Every organization should have their “document circle of life” set down and communicated to information workers to describe the path documents will take in their organization. It should answer questions like: where should you work on a draft document, where should it go if you need to share it with your team, extended team, or with the entire organization?
This is a critical mandate of the Information Management team and should be part of the message they communicate to all teams across an organization.
Similarly, the training/adoption team will want to touch base with site owners to determine if training is required and ensure they know the support channels to reach out to for help when needed.
To facilitate this, the site provisioning process could trigger a Microsoft Flow to send an email to the above 2 teams notifying them each time a new site is provisioned. You could even add a task on each of the teams’ Planner boards to ensure it doesn’t get forgotten!
Implement Tenant-wide Controls
There are many security and protection controls in Office 365. Your licensing will dictate, in part, which ones are available to you. Protecting data from the moment it’s created is a tenet of Content Services. Here’s a list of some tenant-wide controls to consider implementing to ensure any new sites provisioned, and the content within, will be protected:
- Determine a sensitivity classification scheme using unified labels for your Office 365 Group sites which will drive retention and protection controls for any site with that classification (Announced at Ignite with targeted release December 2018)
Example: a classification scheme of Public, General, Confidential, Top Secret. If a site is classified as Top Secret, apply controls to retain for 2 years, to prevent copying, to apply a watermark, to encrypt all documents, to apply a DLP policy so content can’t be shared externally, etc.
- Publish global retention policies for tenant
Example: create a retention policy published to all OneDrive for Business sites to delete content after 3 years of inactivity
- Publish standard retention labels across tenant
Define retention labels for your tenant and publish them to your collaboration Group sites. Communicate what the labels mean to information workers so they know when to use them if/when required.
- Implement Data Loss Prevention (DLP) policies for tenant
Based on sensitive information types (credit card numbers, social insurance numbers, customer numbers, etc.), implement DLP policies to ensure sensitive content won’t be shared where it shouldn’t.
- Implement Group Expiration Policies for Office 365 group-backed sites
To ensure stale Group sites don’t stick around forever, this feature will prompt site owners to optionally delete them. Information Management teams will want to be notified in advance however (in case there is content with business value contained within) and organizations are having to build preemptive solutions to do this. A recent announcement at Ignite 2018 was to consider site activity to auto-extend Groups since up to this point in time, site activity was not a factor.
The fact these controls are tenant-wide means any new site will have these controls automatically applied to them – a very good thing.
Site sprawl is something most tenants will likely face sooner or later. Therefore, we need to figure out a way to implement controls to mitigate the risk they may introduce across your enterprise.
Although the techniques in this post do not guarantee 100% compliance in your organization, it’s measured, pragmatic, scalable, and progressive. Use manual controls to fill the gaps you identify and, as features in Office 365 continue to advance and improve, replace the manual controls with automated ones to eliminate the gaps.
Thanks for reading.
Did you enjoy Joanne’s blog? Read Valo’s newest eBook written by Joanne C. Klein to learn all about Modern Site Architecture!
You’ll need to get the gang together for this type of project. Want to make it go as smooth as possible? Collaborate like never before with Valo Teamwork. Your gateway to simplified communication and planning.