Anyone who has ever put together a SharePoint governance plan knows firsthand how much work the process involves. So what do you do if you discover that nobody is taking your policies seriously?
Ideally, you should get management to sign off on your SharePoint governance document before you begin to put the policies into effect. Without management’s blessing and support, you don’t have a prayer of maintaining order.
If your users don’t like the policies, then some of them will inevitably try to go over your head in an effort to either circumvent the policy or have it repealed. That’s why it is so important to get management on board before the SharePoint governance policy goes into effect. You need to know that management will back you up when these types of uprisings occur.
Automate what you can
One way of ensuring that users adhere to your policies is to automate policy compliance. In many cases, it is possible to create SharePoint workflows that automate otherwise manual processes. This automation can help to ensure that tasks are performed in accordance with an approved method. Of course, the scope of a SharePoint workflow is limited. You will be able to automate some tasks, but you won’t be able to automate everything.
The only way that you can be completely sure of whether or not your policies are being adhered to is to perform audits. But a thorough audit can take a long time to complete, and most network administrators simply don’t have the time for such tasks.
If comprehensive audits are too time-consuming, then you might consider doing random spot checks instead. Although not as thorough as an audit, occasional spot checks can help you to pinpoint policy violations that may otherwise go unnoticed.
Simplify the language
I’ve worked in several different levels of management within IT, so I have heard every excuse in the book. One of the most common excuses that users try to make when they are caught violating a policy is that they did not understand the policy. Therefore, it is important to nip that particular excuse in the bud from the start.
At one of the companies I used to work for, employees had to sign a form stating that they had read and understood the various IT-related policies. In fact, the form had to be signed before the employee was even issued a username and password. This technique wasn’t completely effective, though.
Over time it became apparent that some employees were signing the form even though they honestly did not understand what the policies were. Even though I was the one who wrote the policies, I wondered if I had been unclear about something, so I took the time to review the policies to see if anything could be clarified.
When I did, I found out that when I had submitted the policies to the HR department, HR forwarded them to the company’s legal department. What I didn’t know was that the legal department had essentially rewritten the policies to make them legally defensible. The result was that my once-simple document was now chock-full of legal jargon.
In the end, my solution was to write a plain English summary of the policies. It took a bit of effort to get the legal department to agree to the summary, but ultimately we worked together to create a summary that average users could understand.
Enforce the policies in a consistent manner
One of the most important things that you can do in regard to enforcing your policy is to make sure that everyone is aware of the consequences of policy violations. Next, make sure that policies are enforced in a consistent manner.
To give you an idea of why this is so important, consider this situation: The person who was in charge of creating the policies for a particular company wrote a document that included an excessive number of rules and penalties. His idea was that he wouldn’t actually enforce most of the rules, but he wanted to have the rules in place in case someone were to really abuse the system.
One day an employee was terminated for violating one of the more obscure rules in the policy. That employee sued the company on the basis of discrimination, citing that he had been singled out because the policies had been enforced in an arbitrary manner. The court upheld the company’s right to terminate the employee, but the former employee appealed the decision and received a substantial judgment against the company.
With that in mind, there are a few guidelines to consider following when it comes to policy enforcement:
Recognize that some violations are more serious than others. It’s easy to create a clause stating that anyone caught violating a policy will be terminated. Unfortunately, such a clause doesn’t really allow you any flexibility for dealing with minor infractions without risking being accused of favoritism or discrimination. Therefore, you should take the time to make sure that the punishment fits the crime, and document what constitutes a minor infraction and what the consequences of that type of violation are.
Formalize any exceptions to the rules. In an ideal world, the same rules apply to everyone. In the real world, though, this type of equality isn’t always practical. Imagine, for example, that you have a policy stating that anyone disclosing confidential financial information to someone outside of the company will be immediately terminated. That probably sounds like a good rule, right? The problem is that if the company’s CFO were required to turn over financial information to a government auditor, then the CFO would technically have violated the policy.
It’s easy to say that the CFO wasn’t actually violating a policy because he was doing his job, but you have to keep in mind what could happen if the company is ever accused of enforcing policies arbitrarily. The easiest way to get a handle on this situation is to build exceptions into the policy.
Instead of saying “Any employee caught disclosing financial information will be terminated,” say something like “Any employee caught disclosing financial information will be terminated, unless that disclosure is required by law or is necessary for conducting business, and the disclosure has been approved by executive management.” I’m not a lawyer, and my wording would need to be formalized, but you get the idea.
Keep the rules to a minimum. It’s better to create the minimum number of rules but to fully enforce each rule that is created. Using this approach helps to eliminate confusion on the part of employees, and it helps to ensure that disciplinary action is performed in a consistent manner.
If users are rebelling against your current SharePoint governance plan, and you have not been enforcing that plan up until now, you may not be able to do a lot right now. Before you take any action, it is a good idea to consult your company’s legal department about what your options are.
In those situations, your best course of action may be to develop a new governance plan and let employees know that it will be strictly enforced. Another approach is to officially inform employees that starting on a certain date the existing policy will be enforced. Either way, you can begin to regain control of your SharePoint installation.
ABOUT THE AUTHOR
Brien M. Posey, MCSE, is a Microsoft MVP for his work with Windows 2000 Server, Exchange Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. For more information visit www.brienposey.com.
This was first published in October 2010