IT governance is a big subject, with industry frameworks (such as COBIT or ITIL) available for organizations to follow. Put simply, governance is the process of managing and controlling key IT capability decisions to improve IT management, ensure compliance, provide reporting capabilities, and increase the value from IT investments. It helps to ensure that IT supports the strategic objectives and goals of the organization, while managing the risks and costs associated with IT efficiently over the long term.
IT governance enables an organization to:
- Demonstrate measurable results against broader business strategies and goals.
- Meet relevant legal and regulatory obligations, such as those set out in the GDPR (General Data Protection Regulation) or the Companies Act 2006.
- Assure stakeholders they can have confidence in your organization's IT services.
- Facilitate an increase in the return on IT investment; and
- Comply with certain corporate governance rules or requirements.
However, governance, or the recognition that it is needed, often comes too late or sometimes not at all. This is a story we hear regularly from clients who have grappled with Microsoft Teams and the need to use SharePoint, as these services become more integrated into daily operations for all users over time, sometimes whether IT like it or not. Not allowing the use of these technologies puts you at a disadvantage, but who has the time, knowledge or experience to create, set up and, more importantly, manage an in-depth, closely coordinated governance methodology?
The ability for organisations to have truly proactive (instead of reactive) IT capabilities takes time to plan and instigate, and this can be a challenge given how quickly technology is progressing. You'd be surprised how many large firms are still using SharePoint Classic on-premises servers or not leveraging Microsoft Teams sites at all! But here at ClearPeople we like to embrace change and leverage new technologies to our advantage, and we always try to encourage our clients to do the same, helped by using Atlas, of course! As Atlas moves in line with Microsoft, you can still use all standard M365 admin, security and governance tools and capabilities, as well as some unique cutting-edge technologies which will aid you in your quest for strong governance, without taking up excess time or resources or restricting users.
'Atlas ConneX helps us keep things tidy and organised; being able to control, track, measure and assess our IT environment to ensure compliance with our approved rules and guidelines to ensure a secure, safe, accessible and usable 365 tenant'
We advise that IT governance in relation to Atlas focuses on these primary areas:
- Permissions and permissions management: the 3 OOTB levels of Microsoft permissions and which permission levels do what (owner, member, visitor), M365 permissions in conjunction with Atlas technology, as well as SharePoint permissions
  - This includes the sharing of files and content, site permissions inheritance, site permissions, and item-level permissions (such as folders and files)
- Site architecture and supporting technology (Azure, SharePoint, M365, Atlas)
  - Azure AD groups for managing permissions
  - Naming conventions for sites and consistent URLs, etc., as well as guidelines for which types of sites can or should be used
  - Guidelines on workspace provisioning, checks, reporting and processes
  - Ownership of sites
  - Troubleshooting site issues
- External access and related security considerations (including internal permissions and guidelines around sensitive content)
- Keeping up to date with Atlas version upgrades and hotfixes
- Sensitivity labels
As we are speaking about IT governance in particular, not governance as a whole, we will not mention or discuss information governance related to content, tagging, or content ownership, management or any related processes.
Permissions
- We leverage Microsoft's three permission levels in Atlas (owner, member and visitor), but there are multiple ways of leveraging these for effective ongoing permissions management, such as dynamic AD Groups, nested groups or SharePoint Groups.
- In recent years within the Microsoft ecosystem, permissions management has been a constant consideration for IT teams, who need to manually add new joiners to particular AD Groups or workspace permissions, and also try to pay attention to the new sites and Teams which are created by users. With the liberalization of permissions ownership, by letting site owners manage their own site permissions, IT may not be aware of who is adding whom to which team, and over time this will lead to permissions sprawl, where many individuals have access to workspaces they may either not need access to or shouldn't have access to in the first place.
- Ensuring there is an understanding of the permissions model, who owns permissions, and how permissions are reviewed, assessed, and altered if necessary, is important to the overall governance process. User education against these permission guidelines will help inform the correct, recommended way of training, whilst also providing background on why things are set up the way they are.
- For example, we would advise that an 'everyone' or 'all' AD group is created for sites everyone should see, ensuring the group is dynamic and automatically pulls everyone into the homepage site permissions. The site owners should understand that this is automated, and IT should have knowledge and documentation in place which describes the process and reasoning, in case this needs to be altered or there are issues in the future.
- If this process of adding individuals is manual, this opens up the possibility of people not being able to view the homepage due to not being included in the permissions, or IT will need to regularly spend additional time adding new joiners into the permissions group.
Site architecture
- Atlas can use an array of workspace types: 365 groups, Teams (also 365 groups) and SharePoint sites, all of which have different connotations and ways to manage permissions. We will likely use a combination of these workspace types depending on the site requirements, but it's essential that IT are on board with, and aware of, how to manage these sites and the differences in technology which may impact ongoing permissions management.
- Please view our article on managing permissions for more info https://clearpeople.zendesk.com/hc/en-gb/articles/4408117095186
- This forms part of our Atlas IT Admin training sessions
- This process is OK for phase 1 and launch, as there will be a finite number of pre-agreed sites and site types, which are documented in our site map/menu map, although permissions models, structure and governance will still be needed. It is not possible, and also not advised, to add everyone to every workspace individually; this should be driven by AD Groups to group individuals, with dynamic rules in place if possible. However, in future phases where we open out permissioning and provisioning to different groups, without the right governance rules and guidelines in place, things can quickly become convoluted as people pick the incorrect choices for their required workspaces or invite the wrong people.
- We have governance features in Atlas ConneX & ConneX Studio to control the risk of mistakes and sprawl of sites, but IT should still feed into this process as ultimately they are responsible for both sites and the wider site architecture.
- In 5 years' time there could be hundreds of sites, and it would bode very well if they were all correct and following the pre-agreed guidance and internal process. This also relates back to point 1 on permissions.
- Public vs private sites is an option to have. Public means everyone in the organisation will have the ability to join the group, but they will readily be able to view the content from within that workspace. This is important for public 365 groups, which do not have a visitor area OOTB, so for any public 365 groups or Teams created, everyone will have edit permissions to the entire site and its contents. We will cover this further in our Atlas Admin Training.
External access and related security considerations
- In your M365 environment there are global tenant-level settings for who users are able to share with (i.e. external users, approved external users, or internal users only). We advise reviewing this setting to ensure that documents and files cannot be sent to random external email addresses. Here in ClearPeople, before we add an external user to a Team, or have the ability to call in and share with the external email address, that external email address has to be added to our Active Directory, which needs to be completed by IT. This way we have a process in place for requesting external user access and the ability to ensure they authenticate with Microsoft and also our tenant, with their 'profile' in our Active Directory able to be reviewed and blocked, as well as be part of any security reporting which may be in place. External users will also need to authenticate with Microsoft to access any data in our tenant, which we can control and manage from our side.
Keeping up to date with Atlas version upgrades and hotfixes
- ClearPeople regularly updates Atlas, both in terms of new versions with new features and improvements, along with 'hotfixes' to address issues with existing releases raised through our support portal. Keeping up to date to at least 0.1 version behind the current 'general availability' release is recommended. To manage this, some customers have a 'Non-production' environment into which they first deploy new versions and hotfixes, to ensure that they understand the changes made and can test before releasing into their Production environment. This is an optional, not a required, approach. Deploying directly into your M365 tenancy is possible.
Sensitivity labels
- This is a more advanced option, but sensitivity labels applied at either container level (sites) or item level (documents) will pull in specific IT policies and apply necessary actions. It is advisable that IT review what these are and how to set them up, in case they consider this function important in the future, as these will be able to produce and implement pre-determined rules against specific workspaces, folders or items, and will help automate governance and reduce risks associated with sensitive data.
If you have any questions or queries on anything to do with governance, please get in touch with your ClearPeople or Atlas representative and we will be happy to help you.
More information
The following ClearPeople ZenDesk articles describe a lot of the available functionality which will help with the governance outlined above.
What is Atlas ConneX? ConneX Overview
Managing permissions for ConneX
Managing permissions for Atlas workspace
Sensitivity Labels support for workspaces
Sensitivity Labels - Container Security Features
Use Sensitivity Labels as filters in search
Azure AD Dynamic Group Membership Support
Useful external links
A collaboration governance framework for Microsoft 365 | Microsoft Learn
The Microsoft 365 Maturity Model – Governance, Risk, and Compliance Competency | Microsoft Learn
https://www.cio.com/article/272051/governanceit-governance-definition-and-solutions.html