Mind the Gap: Using SharePoint for Compliance Tracking

Posted on December 23, 2008
Posted By: Kevin McDonald
There is a notion that compliance activities operate across a continuum from simply meeting the needs of auditors to a culture of compliance. Creating a culture of compliance is at the top of the pyramid for compliance activity objectives. How closely an organization aligns with the goals of the compliance activity is key to understanding the maturity of the compliance efforts.

A compliance culture implies that the organization understands the standards and the organization takes proactive steps in order to meet or exceed them. More importantly, the organization can prove this compliance empirically with documentation.

In practice, organizations subject to standards compliance have high operational tempos. The vast majority of staff and funding is dedicated to managing operational concerns. During times when revenues are high and costs are stable, compliance activities should have appropriate staff levels and funding. During periods when revenues are down and costs are up, compliance budgets can be threatened, and this puts the organization's effectiveness at risk.

Budgets are especially dear in the case of the utilities industry, where modernization efforts for control systems can take decades and a ten-year-old system may be relatively new by industry standards.

Compliance Tools

In this environment, compliance tools and automation are the keys to success. Any efforts that can be repeated in future assessments reduce the overall cost. This frees up the Compliance Manager to pursue more strategic goals in raising cultural awareness of compliance efforts. In addition, the less painful compliance activities are, the more likely they will be performed. In usability studies, this is called transactional friction reduction. Eliminate some of the pain of each transaction and the percentage of successful transactions goes up.


All compliance standards call for documented policies and procedures. Having the controls in place is only part of the equation. The organization must also have documented proof that the control is operational.

The basic compliance step of storing all compliance documents in a repository reduces retrieval costs. A librarian function can file hard copies of documents locally at each entity. Of course, this sort of system can quickly break down without continuous effort, and distributed sites are more likely to fail spot audits because central site administration has less influence over them.

Simple Directory Approach

Another approach that works well stores document images on a file server. The images can be organized by location, and then each of the applicable standards can have its own section. Typical imaging systems support basic indexing by topic, and documents can be quickly retrieved.

Digging into each document to find out when it was last refreshed reduces efficiency and adds manual work. The structure of an imaging system may not be adequate to determine whether required documents are missing. If the system is a scanner attached to a file server, a lot of work may still be required to maintain the integrity of the library.

If there is any employee turnover, the integrity of the compliance library can be lost, and there may be no clear starting point from which to build the next compliance round.

SharePoint Document Libraries

SharePoint has been a web-enabled document-sharing tool since its inception. The main site can serve as a focal point and model for sub-sites based on functional groups like physical security or plant operations.

The search function is built in, so documents can be quickly retrieved using keywords or metadata such as long descriptions. Content can be delivered to the site from multiple sources: documents can be digitized and uploaded, emailed in, or keyed in directly through smart forms.

Email Alerts. In addition, the email alert features of SharePoint can be leveraged to reduce the effort required to ensure that all of the documents have been updated and that everyone affected is working with the latest revision.

Shared Document Libraries. If you are responsible for scheduling and reviewing self-assessments, you can email a document link that can be opened and then saved back to the centralized document library after the team has completed the assessment.

The library can also keep version history, so if an edit overwrites a crucial section, the earlier version can be restored by the SharePoint site administrator without engaging IT staff.

Calendar and Outlook Integration. SharePoint has Calendar pages to maintain important team schedules. This is completely integrated with Outlook so team members can merge the team schedule with their desktop calendar for a composite view.

SharePoint can originate and receive email as well. Alerts can be scoped to fire only when particular documents are changed, or more global settings can send an alert whenever any new document is saved to a library. This is particularly useful for tracking new regulations as they are uploaded to a team site library.

Learning Management. Audit guides and compliance standards are at your fingertips. Training and audit guides can be loaded for reference purposes. You can even set up audit calendars and use the Outlook integration to share the calendar with other teammates responsible for compliance.

PowerPoint Prowess. If PowerPoint plays a part in briefing management and staff on requirements and standards, a separate PowerPoint repository can be created on SharePoint to store slides for easy access. When a presenter is ready to build a new show, they can choose slides directly from the repository.

This also lends itself to centralized storage of the latest and greatest versions of slides. If the slide is updated on the central site, you will not have to track down Bob in Omaha to get him to send you the latest from his laptop.

Task Tracking. Task assignments and project management tools are also built in. Microsoft Project Server is built on the same technology, so if you are running it, shared features can tie projects, Office and SharePoint together.

Excel Services. Excel Services allows the administrator to upload a spreadsheet and link it to graphics and bar charts on the site. If the spreadsheet is updated, the SharePoint site can be triggered to show the updates.

Key Performance Indicators. This is another useful feature. A dashboard can show the number of documents uploaded compared to the total expected, the percentage completion of various tasks reported in Excel format, and other numeric triggers, quickly providing a snapshot of the progress of the compliance campaign. Most of these features work right out of the box through a site editing tool called Web Parts. Web Parts are preformatted web widgets that can be mashed up on a SharePoint page by clicking and dragging.
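The two checks this dashboard is meant to answer, whether every required document is on file and whether any of them is past its refresh date (the gap noted under the Simple Directory Approach above), are simple enough to reproduce outside SharePoint. The script below is an added example written for this page, not code from the original post or from Microsoft. The manifest of required documents, the refresh intervals, the site names, the file names and the directory listing are all constructed for illustration; a real run would build the listing from the file server or the document library.

```python
"""Compliance-library completeness and staleness check.

Added example, not from the original post. Assumes a library laid out as
<site>/<standard>/<document> and a manifest of required documents per
standard; both are constructed below so the script runs offline.
"""
from datetime import date

# Hypothetical manifest: for each standard, the evidence documents every site
# must have on file and the maximum age (days) before they must be refreshed.
REQUIRED = {
    "CIP-003": {"cyber_security_policy.pdf": 365, "exception_log.xlsx": 90},
    "CIP-004": {"training_roster.xlsx": 90, "access_review.pdf": 90},
}

# Constructed directory listing: (site, standard, filename, last_modified).
LISTING = [
    ("omaha", "CIP-003", "cyber_security_policy.pdf", date(2008, 1, 15)),
    ("omaha", "CIP-003", "exception_log.xlsx", date(2008, 12, 1)),
    ("omaha", "CIP-004", "training_roster.xlsx", date(2008, 11, 20)),
    ("fairfax", "CIP-003", "cyber_security_policy.pdf", date(2008, 11, 30)),
    ("fairfax", "CIP-004", "training_roster.xlsx", date(2008, 6, 1)),
    ("fairfax", "CIP-004", "access_review.pdf", date(2008, 12, 10)),
]

SITES = ["omaha", "fairfax"]
AS_OF = date(2008, 12, 23)  # the date the assessment is run


def index_listing(listing):
    """Map (site, standard, filename) -> last_modified date."""
    return {(site, std, name): modified for site, std, name, modified in listing}


def assess(listing, required, sites, as_of):
    """Return, per site, which required documents are missing, stale or current.

    A document is stale when its age on `as_of` exceeds the refresh interval
    the manifest gives for it. Documents on the server that the manifest does
    not require are ignored; they are not evidence for any control.
    """
    index = index_listing(listing)
    report = {}
    for site in sites:
        missing, stale, current = [], [], []
        for standard, docs in required.items():
            for name, max_age_days in docs.items():
                label = f"{standard}/{name}"
                modified = index.get((site, standard, name))
                if modified is None:
                    missing.append(label)
                elif (as_of - modified).days > max_age_days:
                    stale.append(label)
                else:
                    current.append(label)
        report[site] = {"missing": missing, "stale": stale, "current": current}
    return report


def completion_pct(report):
    """KPI for the dashboard: percent of required documents present and current."""
    pct = {}
    for site, r in report.items():
        total = len(r["missing"]) + len(r["stale"]) + len(r["current"])
        pct[site] = round(100 * len(r["current"]) / total) if total else 0
    return pct


if __name__ == "__main__":
    rep = assess(LISTING, REQUIRED, SITES, AS_OF)
    for site, r in rep.items():
        print(f"{site}: missing={r['missing']} stale={r['stale']}")
    print("completion:", completion_pct(rep))
```

The report distinguishes a document that was never filed from one that exists but is older than its refresh interval, because the two call for different follow-up: the first is a gap in the evidence, the second a reminder to the document owner. Running it on a schedule and feeding the percentages into the site's KPI Web Part gives the snapshot the paragraph above describes without anyone opening each file to check its date.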

Organize for Productivity. The editing features of SharePoint are worth the price of admission. Several complex sites are prebuilt and can be deployed from a template library. Document sites, team sites, Wiki sites, PowerPoint repositories are all a few clicks away. Once the main central installation is completed, new sites can be quickly created and customized to fit a variety of applications.

If you have a geographic or organizational unit that needs its own site, it is there with the click of a button. What's more, disparate sites can be linked, and external websites can be added to a links section as well. This makes it very easy to organize internal content sites alongside external organization and regulatory sites, so the compliance manager can get to everything they need in a few mouse clicks.

InfoPath and Document Workflow. This is one of the most powerful features of SharePoint. MOSS 2007 Enterprise edition supports a feature called InfoPath Forms Workflow. A form can be created using InfoPath 2007 and uploaded to the SharePoint site. InfoPath supports workflow functions such as task assignment and approval.

Imagine attaching an audit report to an InfoPath form, saving it, and having it automatically forwarded to the audit committee for review. Once they review it, each member can approve the form; all of the workflow tasks are automatically saved and date-stamped for an audit trail. Documenting when a task was done and by whom could not be easier.

Browser Enabled Forms. Earlier versions of InfoPath required a client to be licensed and installed on each desktop in order to work with forms. MOSS 2007 Enterprise edition supports this function out of the box, using the web server to render the form as HTML pages. The client only needs a compatible browser such as Internet Explorer in order to view and approve the forms.

Note that this feature is not supported on MOSS 2007 Standard Edition. Standard Edition must be upgraded to Enterprise Edition, or InfoPath 2007 must be deployed to each workstation that needs to use the form.

Records Management. True to form, SharePoint has gotten more and more sophisticated with time. The Records Management function is a repository of repositories. It can accept different SharePoint site content and Exchange Email content to form a time based repository for records retention.

For example, if you are in a retail market and are required by law to retain certain emails, Exchange and SharePoint can be set up together to retain email in a secure repository for precisely the period required. After the retention period expires, the system can automatically purge the content. This can reduce some of the workload required to support compliance activities.

Launch Crew. A caveat: installing MOSS 2007 can be quite complex. If it is not already supported by your organization, it may be beneficial to bring in trained IT professionals, at least at the beginning, to implement it in your environment.

Security also needs to be considered. If the compliance repository refers to security vulnerabilities or contains diagrams of the enterprise architecture, prudence dictates that extreme care be taken so that only authorized individuals can access this information. In SharePoint that means giving such libraries their own permissions rather than inheriting the site's, and periodically reviewing who holds read access to them.

External Hosting

SharePoint hosting is typically deployed using either virtual server technology or simply a new web instance on a shared MOSS installation. The hosting provider's administrators may have the technical capability to view documents stored on your externally hosted site. This should be registered as a concern in contract negotiations, and the same concern applies to internal site administrators.

This can be mitigated by hosting the application on dedicated servers and requiring appropriate background checks on the external provider's employees and contractors. In addition, any internet access to the data should be protected by strong encryption controls, at a minimum an SSL/TLS-protected connection to the site.

Controlling Access Offline. Information Rights Management (IRM) is the Microsoft product that attaches a digital envelope to Word and Excel documents with the viewers' rights embedded in the document. This can eliminate the need to convert documents to Adobe PDF for distribution and reduce additional workload on administration.

IRM has some limitations, but it does allow specific read-only, no-cut-and-paste restrictions to be applied to individual documents. The documents can only be opened on specific computers that hold the correct rights certificate. This may reduce some of the risk of sensitive documents falling into the wrong hands, though it cannot stop an authorized viewer from photographing the screen or retyping the contents.

Whatever the size of your organization, the administrative burden of compliance exerts the same pressure on a small company as on a large one. The ability to automate at least a portion of the tasks can relieve some of the administrative burden and allow the organization to concentrate more on the spirit of compliance than on the mechanics. This is, in effect, supporting the culture of compliance.

Authored By:
Kevin T. McDonald, CISSP, CISA, PMP is Senior NERC Cyber Security Analyst for ICF International of Fairfax, Virginia. He is project manager for several CIP Compliance Initiatives and has written and spoken widely on the topic. He can be reached at kmcdonald@icfi.com or (479) 422-0146.

December 30, 2008

OJ Garcia says

For anyone interested in networking with compliance professionals, please join the Linkedin.com group NERC Compliance Professionals by using the following link:


or log in to www.linkedin.com and search for the group: NERC Compliance Professionals

or, please send me your email address and I will be glad to approve your membership.

OJG oogg99@gmail.com

