Mind the Gap: Using SharePoint for Compliance Tracking

Posted on December 23, 2008
Posted By: Kevin McDonald
 
There is a notion that compliance activities operate across a continuum from simply meeting the needs of auditors to a culture of compliance. Creating a culture of compliance is at the top of the pyramid for compliance activity objectives. How closely an organization aligns with the goals of the compliance activity is key to understanding the maturity of the compliance efforts.

A compliance culture implies that the organization understands the standards and the organization takes proactive steps in order to meet or exceed them. More importantly, the organization can prove this compliance empirically with documentation.

In practice, organizations subject to standards compliance have high operational tempos. The vast majority of staff and funding is dedicated to managing operational concerns. During times when revenues are high and costs are stable, compliance activities should have appropriate staff levels and funding. During periods when revenues are down and costs are up, compliance budgets can be threatened, and this puts organizational effectiveness at risk.

Budgets are especially dear in the case of the utilities industry, where modernization efforts for control systems can take decades and a ten-year-old system may be relatively new by industry standards.

Compliance Tools

In this environment, compliance tools and automation are the keys to success. Any efforts that can be repeated in future assessments reduce the overall cost. This frees up the Compliance Manager to pursue more strategic goals in raising cultural awareness of compliance efforts. In addition, the less painful compliance activities are, the more likely they will be performed. In usability studies, this is called transactional friction reduction. Eliminate some of the pain of each transaction and the percentage of successful transactions goes up.

Repositories

All compliance standards call for documented policies and procedures. Having the controls in place is only part of the equation. The organization must also have documented proof that the control is operational.

The basic compliance step of storing all compliance documents in a repository reduces retrieval costs. A librarian function can file hard copies of documents locally at each entity. Of course, this sort of system can quickly break down without continuous effort, and distributed sites are more likely to fail spot audits because central site administration has less influence over them.

Simple Directory Approach

Another approach that works well stores document images on a file server. The images can be organized by location, and then each of the applicable standards can have its own section. Typical imaging systems support basic indexing by topic, so documents can be quickly retrieved.

Digging into each document to find out when it was last refreshed reduces efficiency and increases manual operations. The structure of an imaging system may not be adequate to determine whether required documents are missing. If the system is just a scanner attached to a file server, a lot of work may still be required to maintain its integrity.

If there is any employee turnover, the integrity of the compliance library can become corrupted and there may be no clear starting point to build the next compliance round.

SharePoint Document Libraries

SharePoint has been, since its inception, a web-enabled document-sharing tool. The main site can serve as a focal point and model for sub-sites based upon functional groups like physical security or plant operations.

The search function is built in, so documents can be quickly retrieved using keywords or metadata such as long descriptions. Content can be delivered to the site from multiple sources. Documents can be digitized and uploaded, emailed, or keyed in directly through smart forms.

Email Alerts. In addition, the email alert features of SharePoint can be leveraged to reduce the effort required to ensure that all documents have been updated and that everyone affected is working with the latest revision.

Shared Document Libraries. If you are responsible for scheduling and reviewing self-assessments, you can email a document link that can be opened and then saved back to the centralized document library after the team has completed the assessment.

It can also save different versions, so if an edit overwrites a crucial section, the earlier version can be retrieved by the SharePoint administrator without engaging the IT staff.

Calendar and Outlook Integration. SharePoint has calendar pages to maintain important team schedules. These are fully integrated with Outlook, so team members can merge the team schedule with their desktop calendar for a composite view.

SharePoint can originate and receive email as well. Alerts can be customized to fire only when particular documents change, or more global settings can send an alert whenever a new document is saved to a library. This is particularly useful for tracking new regulations as they are uploaded to a team site library.

Learning Management. Audit guides and compliance standards are at your fingertips. Training and audit guides can be loaded for reference purposes. You can even set up audit calendars and use the Outlook integration to share the calendar with other teammates responsible for compliance.

PowerPoint Prowess. If PowerPoint plays a part in briefing management and staff on requirements and standards, a separate PowerPoint repository can be created on SharePoint to store slides for easy access. When a presenter is ready to build a new show, they can choose slides directly from the repository.

This also lends itself to centralized storage of the latest and greatest versions of slides. If the slide is updated on the central site, you will not have to track down Bob in Omaha to get him to send you the latest from his laptop.

Task Tracking. Task assignments and project management tools are also built in. If you are running Microsoft Project Server, it is built on the same technology, so there are shared features that can be used to tie Project, Office and SharePoint together.

Excel Services. Excel Services allow the administrator to upload a spreadsheet and link it to graphics and bar charts on the site. If the spreadsheet is updated, the SharePoint site can be triggered to show the updates.

Key Performance Indicators. This is another useful feature. A dashboard analysis of the number of documents uploaded compared to the total expected, the percentage completion of various tasks reported in Excel format, and other numeric triggers can quickly provide a snapshot of the progress of the compliance campaign. Most of these features work right out of the box through a site editing tool called Web Parts. Web Parts are preformatted web widgets that can be mashed up on a SharePoint page by clicking and dragging.
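To make the "documents uploaded versus total expected" indicator concrete, here is an added Python example; it is not code from the post and not SharePoint's own KPI machinery. It takes a constructed document-library export (title, standard column and last-modified date per item) and a constructed requirements table, and reports per standard which required documents are current, which are stale (past their review interval, the "when was it last refreshed" question raised earlier) and which are missing, plus any items that no standard calls for. The standard names, document titles, review intervals and dates are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed requirements table (an assumption, not from the post): for each
# standard, the documents the library must hold and the maximum age in days
# before a document counts as stale and due for review.
REQUIRED_DOCS = {
    "Security Policy (constructed standard)": {
        "Cyber Security Policy": 365,
        "Policy Exception Log": 90,
    },
    "Physical Security (constructed standard)": {
        "Physical Security Plan": 365,
        "Visitor Access Log": 30,
    },
}


@dataclass(frozen=True)
class LibraryItem:
    """One row of a document-library export: title, standard column, modified date."""
    title: str
    standard: str
    modified: date


# Constructed inventory resembling a library export. It deliberately contains an
# older duplicate version of one document and a document no standard asks for.
SAMPLE_INVENTORY = [
    LibraryItem("Cyber Security Policy", "Security Policy (constructed standard)", date(2008, 11, 1)),
    LibraryItem("Cyber Security Policy", "Security Policy (constructed standard)", date(2007, 6, 1)),
    LibraryItem("Policy Exception Log", "Security Policy (constructed standard)", date(2008, 8, 15)),
    LibraryItem("Physical Security Plan", "Physical Security (constructed standard)", date(2008, 3, 10)),
    LibraryItem("Site Map", "Physical Security (constructed standard)", date(2008, 12, 1)),
]


@dataclass
class StandardStatus:
    """Per-standard result: which required documents are current, stale or missing."""
    standard: str
    expected: int
    current: list = field(default_factory=list)   # present and within its review interval
    stale: list = field(default_factory=list)     # present but past its review interval
    missing: list = field(default_factory=list)   # required but not in the library

    @property
    def percent_complete(self) -> float:
        """Share of required documents that are both present and current."""
        return 100.0 * len(self.current) / self.expected if self.expected else 100.0


def latest_versions(inventory):
    """Collapse duplicate (standard, title) rows to the newest modified date."""
    newest = {}
    for item in inventory:
        key = (item.standard, item.title)
        if key not in newest or item.modified > newest[key]:
            newest[key] = item.modified
    return newest


def assess_library(inventory, required=REQUIRED_DOCS, as_of=date(2008, 12, 23)):
    """Return a StandardStatus per standard, judged as of the given date."""
    newest = latest_versions(inventory)
    report = {}
    for standard, docs in required.items():
        status = StandardStatus(standard, expected=len(docs))
        for title, max_age_days in docs.items():
            modified = newest.get((standard, title))
            if modified is None:
                status.missing.append(title)
            elif as_of - modified > timedelta(days=max_age_days):
                status.stale.append(title)
            else:
                status.current.append(title)
        report[standard] = status
    return report


def unexpected_documents(inventory, required=REQUIRED_DOCS):
    """(standard, title) pairs in the library that no standard calls for; useful for library hygiene."""
    known = {(std, title) for std, docs in required.items() for title in docs}
    return sorted({(item.standard, item.title) for item in inventory} - known)


if __name__ == "__main__":
    for status in assess_library(SAMPLE_INVENTORY).values():
        print(f"{status.standard}: {status.percent_complete:.0f}% complete; "
              f"stale={status.stale} missing={status.missing}")
    print("not required by any standard:", unexpected_documents(SAMPLE_INVENTORY))
```

The percentage counts only documents that are both present and current, so a library full of expired policies scores as badly as an empty one, which is the signal a compliance manager actually wants from the dashboard.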

Organize for Productivity. The editing features of SharePoint are worth the price of admission. Several complex sites are prebuilt and can be deployed from a template library. Document sites, team sites, wiki sites and PowerPoint repositories are all a few clicks away. Once the main central installation is completed, new sites can be quickly created and customized to fit a variety of applications.

If you have a geographic or organizational unit that needs its own site, it is there with the click of a button. What's more, disparate sites can be linked, and external websites can be added to a links section as well. This makes it very easy to organize internal content sites alongside external organization and regulatory sites, so the compliance manager can get to everything they need in a few mouse clicks.

InfoPath and Document Workflow. This is one of the most powerful features of SharePoint. MOSS 2007 Enterprise edition supports a feature called InfoPath Forms Workflow. A form can be created using InfoPath 2007 and uploaded to the SharePoint site. InfoPath supports workflow functions such as task assignment and approval.

Imagine attaching an audit report to an InfoPath form, saving it, and having it automatically forwarded to the audit committee for review. Once they review it, each member can approve the form; all of the workflow tasks are automatically saved and date-stamped for an audit trail. Documenting when a task was done, and by whom, could not be easier.
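As an added illustration of the review-and-approve workflow and its date-stamped audit trail (example code, not part of the post and not SharePoint's or InfoPath's own workflow engine), the Python model below records every workflow event with a timestamp, marks the report approved only once every committee member has approved, and logs duplicate or non-member approval attempts as rejected events instead of silently dropping them, so the trail shows what was attempted as well as what succeeded. The committee names, report name and deterministic clock are constructed for the example.

```python
import itertools
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed start time for the deterministic demo clock (an assumption).
DEMO_START = datetime(2008, 12, 23, 9, 0, tzinfo=timezone.utc)


def make_demo_clock(start):
    """Constructed clock: each call returns a time one minute later than the last."""
    ticks = itertools.count()
    return lambda: start + timedelta(minutes=next(ticks))


@dataclass(frozen=True)
class AuditEntry:
    """One immutable line of the audit trail: when, who, what, and why."""
    when: datetime
    actor: str
    action: str
    detail: str = ""


class ReviewWorkflow:
    """Model of a committee review: a report is approved only when every member has approved."""

    def __init__(self, report_name, committee, clock=None):
        self.report_name = report_name
        self.committee = frozenset(committee)
        self.approvals = set()
        self.trail = []                      # append-only; entries are never edited
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._log("system", "submitted",
                  f"{report_name} forwarded to {len(self.committee)} reviewers")

    def _log(self, actor, action, detail=""):
        self.trail.append(AuditEntry(self._clock(), actor, action, detail))

    def approve(self, member):
        """Record an approval; rejected attempts are logged too, so the trail is complete."""
        if member not in self.committee:
            self._log(member, "approval rejected", "not a committee member")
            return False
        if member in self.approvals:
            self._log(member, "approval rejected", "already approved")
            return False
        self.approvals.add(member)
        self._log(member, "approved")
        if self.status() == "approved":
            self._log("system", "completed", "all reviewers approved")
        return True

    def status(self):
        return "approved" if self.approvals == self.committee else "pending"

    def pending_reviewers(self):
        """Members who have not yet approved, for the reminder email."""
        return sorted(self.committee - self.approvals)


if __name__ == "__main__":
    wf = ReviewWorkflow("Q4 audit report", ["alice", "bob"],
                        clock=make_demo_clock(DEMO_START))
    wf.approve("alice")
    wf.approve("alice")      # duplicate, logged as rejected
    wf.approve("mallory")    # not on the committee, logged as rejected
    wf.approve("bob")
    for entry in wf.trail:
        print(entry.when.isoformat(), entry.actor, entry.action, entry.detail)
    print("status:", wf.status())
```

Keeping the rejected attempts in the trail is the part worth copying into any real workflow configuration: an auditor asking "who tried to approve this, and when" should be answerable from the record alone.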

Browser-Enabled Forms. Earlier versions of InfoPath required a client to be licensed and installed on each desktop in order to work with forms. MOSS 2007 Enterprise edition supports this function out of the box, using the web server to render the form as HTML pages. The client only needs a compatible browser such as Internet Explorer in order to view and approve the forms.

Note that this feature is not supported on MOSS 2007 Standard Edition. Standard Edition must be upgraded to Enterprise Edition, or InfoPath 2007 must be deployed to each workstation that needs to use the form.

Records Management. True to form, SharePoint has grown more and more sophisticated with time. The Records Management function is a repository of repositories. It can accept content from different SharePoint sites and Exchange email to form a time-based repository for records retention.

For example, if you are in a retail market and are required by law to retain certain emails, the Exchange and SharePoint systems can be set up to retain email in a secure repository for precisely the period required. After the retention period expires, the system can automatically purge the content. This can reduce some of the workload required to support compliance activities.

Launch Crew. A caveat: installing MOSS 2007 can be quite complex. If it is not already supported by your organization, it may be beneficial to bring in some trained IT professionals, at least at the beginning, to implement it in your environment.

Security also needs to be considered. If the compliance repository refers to security vulnerabilities or contains diagrams of the enterprise architecture, prudence dictates that extreme care be taken so that only authorized individuals can access this information.

External Hosting

SharePoint hosting is typically deployed using either virtual server technology or simply by creating a new web instance on a shared MOSS installation. The site administrators may have the technical capability to view documents stored on your externally hosted site. This should be registered as a concern in contract negotiations, and the same concern applies to internal site administrators.

This can be mitigated by hosting the application on dedicated servers and requiring appropriate background checks on the external provider's employees and contractors. In addition, any Internet access to the data should be protected by strong encryption controls.

Controlling Access Offline. Information Rights Management (IRM) is the Microsoft product that attaches a digital envelope to Word and Excel documents with the viewers' rights embedded in the document. This can eliminate the need for Adobe (PDF) formatting and reduce the additional workload on administration.

IRM has some limitations, but it does allow specific read-only, no-cut-and-paste restrictions to be applied to individual documents. The documents can only be opened on specific computers with the correct certificate loaded. This may reduce some of the risk of sensitive documents falling into the wrong hands.

Whatever the size of your organization, the administrative burden of compliance can exert the same pressure on a small company as on a large organization. The ability to automate at least a portion of the tasks can relieve some of that burden and allow the organization to concentrate more on the spirit of compliance than on the mechanics. This is, in effect, supporting the culture of compliance.

Authored By:
Kevin T. McDonald, CISSP, CISA, PMP is Senior NERC Cyber Security Analyst for ICF International of Fairfax, Virginia. He is project manager for several CIP Compliance Initiatives and has written and spoken widely on the topic. He can be reached at kmcdonald@icfi.com or (479) 422-0146.
 

Comments

December, 30 2008

OJ Garcia says

For anyone interested in networking with compliance professionals, please join the Linkedin.com group NERC Compliance Professionals by using the following link:

http://www.linkedin.com/groups?gid=886947&trk=hb_side_g

or log in to www.linkedin.com and search for the group: NERC Compliance Professionals

or, please send me your email address and I will be glad to approve your membership.

OJG oogg99@gmail.com
