Governance overview (SharePoint Server 2010)
Applies to: SharePoint Server 2010
This article introduces governance as an essential part of a successful Microsoft SharePoint Server 2010 deployment and explains why both information architecture and IT services are key components of a governance plan.
The articles in this section emphasize the need for governance of SharePoint Server 2010 deployments. These articles also provide general guidance and examples of the Microsoft SharePoint Server activities and processes your organization should consider governing.
In this article:
About governance
What should be governed?
Who should determine governance policies?
How should governance be implemented?
Governance and customization
About governance
Governance is the set of policies, roles, responsibilities, and processes that guide, direct, and control how an organization's business divisions and IT teams cooperate to achieve business goals. A comprehensive governance plan can benefit your organization by:
Streamlining the deployment of products and technologies, such as SharePoint Server 2010.
Helping protect your enterprise from security threats or noncompliance liability.
Helping ensure the best return on your investment in technologies, for example, by enforcing best practices in content management or information architecture.
What should be governed?
Every organization has unique needs and goals that influence its approach to governance. For example, larger organizations will probably require more — and more detailed — governance than smaller organizations.
A successful SharePoint Server 2010 deployment requires the following elements:
Information architecture
The goal of information architecture is to create a system that helps users collect, store, retrieve, and use the information that is needed to achieve business objectives. A Web site’s information architecture determines how the information in that site — its Web pages, documents, lists, and data — is organized and presented to the site’s users.
A comprehensive assessment of your organization's information architecture can help you identify potential inefficiencies, such as the following:
Inconsistent use of metadata that can make it difficult to search for and compare related data or content.
Poorly designed and managed storage of content that can result in multiple versions of documents with no way to identify the authoritative version.
Poorly catalogued and managed storage of data that can cause decision-makers to find and rely on the wrong data.
Poorly designed navigation or poorly presented information that can make it difficult to find important sites and information.
IT Service hosting SharePoint Server
SharePoint Server 2010 includes many new features that should be addressed by a comprehensive governance plan. Some of these features are as follows:
A new service application architecture, built into Microsoft SharePoint Foundation 2010, that replaces the SSP model.
Backup and restore improvements.
Multitenancy, which creates a true hosting environment and makes it possible to share service resources across customers (tenants) while partitioning data based on site subscriptions.
Managed accounts that automate password changes.
Windows PowerShell, the new command-line interface and scripting language that was designed specifically for system administrators.
Unless you have a governance plan, the rapid and uncontrolled growth of individually managed Web servers running SharePoint Server can have unanticipated results. These include the following:
Isolated servers hosting a loosely organized group of sites that do not have a common search index, navigation, or security scheme. If you want to support self-service site creation, you should have a plan that covers content disposition and site archival.
Servers hosting applications that are not secure, which may compromise the integrity of your content.
Requests for technical support for local servers that are running SharePoint Server without the support team's knowledge.
Critical activities, such as regulatory compliance, that may be administered inconsistently across servers.
Regular maintenance activities, such as backing up and restoring data or installing product updates, that may not be performed correctly because of poor training or inconsistent server configuration.
Changes in site ownership that raise questions about content ownership or cause sites to be locked.
As the use of SharePoint Server 2010 increases in your enterprise, your IT department should implement a set of well-governed hosting services that makes SharePoint Server 2010 available and establishes control over its use and configuration.
For effective and manageable SharePoint Server 2010 solutions, your organization should consider governing one or more of the following additional areas:
Customization policy
SharePoint Server 2010 includes customizable features and capabilities that span multiple product areas, such as business intelligence, forms, workflow, and content management. Customization introduces risks to the stability, maintenance, and security of the SharePoint Server 2010 environment. To support customization while controlling its scope, you should develop a customization policy that addresses the following considerations:
Approved customization tools. For example, you should decide whether to allow the use of Microsoft SharePoint Designer 2010 and specify which site elements can be customized, and by whom.
Ways to manage source code, such as a source control system, and standards for documenting the code.
Development standards, such as coding best practices.
Testing and verification standards.
Required packaging and installation methods. You should control the use of sandboxing, which enables site owners to host custom solutions in a partially trusted context so they do not affect the rest of your SharePoint implementation.
The kinds of customizations supported. For example, you might want to allow the use of Web parts to integrate Microsoft Silverlight 3 applications together with SharePoint sites.
For more information about kinds of customizations and their potential risks, see Governance and customization. For more information about processes for managing customizations, see the white paper SharePoint Products and Technologies customization policy (https://go.microsoft.com/fwlink/p/?linkid=92311).
Branding
If you are designing an information architecture and a set of sites for use across an enterprise, consider including branding in your governance plan. A formal set of branding policies helps ensure that sites consistently use enterprise imagery, fonts, themes, and other design elements. For example, in SharePoint Server 2010, you can import a Microsoft PowerPoint 2010 theme directly into a SharePoint site, which automatically applies the theme to all subsites.
Training
Although SharePoint Server 2010 has an intuitive, Web-based interface and includes online help, using and especially administering sites based on SharePoint Server 2010 can be a challenge for some users. Additionally, the set of governance policies your IT and business divisions implement may require explanation. By training your user community appropriately, you can increase satisfaction with your implementation of SharePoint Server 2010 and reduce support costs.
Who should determine governance policies?
A successful deployment of SharePoint Server 2010 requires ongoing communication and partnership among business managers, IT professionals, and information workers. When you create a governance committee, you should include representatives from as many of the following groups and roles as possible:
Note
Your organization might not have an equivalent role, or might use a different title.
Executive stakeholders: Key executives should define the overall goals of the governance committee, provide it with authority, and periodically evaluate the success of the implemented practices and policies.
Financial stakeholders: Financial officers should ensure that governance rules and processes help increase the return on the enterprise's investment in SharePoint products and technologies.
IT leaders: IT leaders must help develop their service offerings and determine how to achieve their IT responsibilities (for example, improving security and maintaining reliability) while they support the features required by the business teams.
Business division leaders: Business leaders represent the teams that do the primary work of the enterprise and drive the architectural and functional requirements of the SharePoint Server 2010 deployment. They must work with information architects to determine the enterprise's information architecture and organizational taxonomy standards. Business leaders must also work with IT leaders to create service-level agreements and other support policies.
Information architects or taxonomists: Members of these groups have extensive experience in planning and designing information systems and taxonomies. Based on their analysis of the information needs of the audience, they develop plans that support organizational objectives and define site architecture and navigation.
Compliance officers: Governance includes making sure that an enterprise meets its regulatory and legal requirements and manages its corporate knowledge. If your enterprise has roles that are responsible for compliance or legal oversight, include representatives from those disciplines in your governance committee.
Development leaders: Leaders in your software development organization should help determine which customization tools are approved, how to verify code security, and other code-related best practices.
Information workers: The members of your organization who do the day-to-day work should help ensure that the SharePoint Server 2010 services and information architecture meet their needs.
Trainers: Instructional experts should be responsible for developing a training plan and conducting all appropriate training and education.
How should governance be implemented?
An effective governance plan anticipates the needs and goals of your organization's business divisions and IT teams. Because every enterprise is unique, you must determine the best way to implement a governance plan that is tailored to your environment.
Consider the following suggested stages of a governance implementation for your organization:
Determine initial principles and goals.
The governance committee should develop a governance vision, policies, and standards that can be measured to track compliance and to quantify the benefit to the enterprise. For example, the plan should identify service delivery requirements for both technical and business aspects of the SharePoint Server 2010 deployment.
Classify the business information/content.
Organize your information according to an existing taxonomy, or create a custom taxonomy that includes all content required to support your business solution. After your information is organized, design an information architecture to manage your enterprise content. Then, determine the most appropriate IT services to support the information architecture.
Develop an education strategy.
The human element is, after the governance plan itself, the most important ingredient in the success or failure of a SharePoint Server 2010 deployment. A comprehensive training plan should show how to use SharePoint Server 2010 according to the standards and practices that you are implementing and explain why those standards and practices are important. The plan should cover the kinds of training required for specific user groups and describe appropriate training tools. For example, your IT department might maintain a frequently asked questions (FAQ) page about its SharePoint Server 2010 service offerings, or your business division might provide online training that shows how to set up and use a new document management process.
Develop an ongoing plan.
Successful governance is an iterative process. The governance committee should meet regularly to consider incorporating new requirements in the governance plan, reevaluate and adjust governance principles, or resolve conflicts among business divisions for IT resources. The committee should provide regular reports to its executive sponsors to promote accountability and to help enforce compliance across the enterprise. Consider that, although this process seems complicated, its goals are to increase the return on your investment in SharePoint Server 2010, take full advantage of the usefulness of your SharePoint Server 2010 solution, and improve the productivity of your enterprise.
Governance and customization
The highly customizable design of SharePoint products enables you to provide the look, behavior, or functionality that meets your business needs. Customizations can introduce risk to your environment, whether that risk is to the environment’s performance, availability, or supportability. Conversely, a “no customizations” policy severely restricts your organization’s ability to take advantage of the SharePoint platform.
Not all customizations are the same. You must decide carefully which kinds of customizations to allow in your environment. Account for the kind of customization and the skill level of the people doing the customizations so that you can ensure the performance, availability, and supportability that you must have for your environment. Your governance policy should balance a level of acceptable risk against the business needs for your organization.
What is considered a customization? All of the following are considered kinds of customizations in SharePoint products:
Configuration - using the SharePoint user interface or SharePoint Designer to configure SharePoint products.
Branding - changing logos, styles, colors, master pages and page layouts, and so on to create a custom look for your SharePoint sites.
Custom code - using developer tools to add or change functionality in SharePoint products or to interact with other applications. Risk can vary depending on the kind of functionality and the level of trust (full trust or sandboxed solution).
Some customizations have very little risk or impact on your environment. Others have the potential for much higher risk and impact. The following table provides examples of different kinds of customizations, the risk level associated with that kind of customization, and potential issues that you might face if you allow that kind of customization.
Risk level | Types of customizations and examples | Considerations/Impact |
---|---|---|
Unsupported/High | Unsupported customizations such as direct changes to the database schema or modifying files on the file system. | Do not allow. |
Moderate | Creating applications that interact with or redirect actions in key pipelines, such as events, claims, and so on. | |
Moderate to low | Using a custom Web Part outside a sandbox environment, creating custom actions such as adding a menu item, or creating a custom site provisioning process. | |
Low | Using solutions in a sandbox environment. | Short-term performance issues; should be able to restrict via resource throttling and quotas. |
Very low to no risk | Using functionality within the product or configurations, such as associating a workflow with a list or using an instance of a built-in Web Part. | Minor configuration or page errors that would have to be addressed. |
Note
For more information about customizations and upgrade, see Considerations for specific customizations.
Also, when you think through the customizations to allow in your environment, consider carefully whether a particular customization is necessary. If it recreates functionality that exists in the product (such as creating a Web Part that does the same thing as the Content Editor Web Part or the Content by Query Web Part), then that might be unnecessary work. Consider first whether the standard functionality can do what you want.