Navigate the sea of compliance laws and security what-ifs
Editor's Note: Information in this buyer's guide comes from vendor representatives and resources and is meant to jump-start, not replace, your own research; also, it is not necessarily comprehensive, as some products might have been left out due to the writer's oversight.
SharePoint can be used for a variety of functions, including as a document management solution, an organization-wide intranet, a project management tool, and even as an external-facing website. But at its core, SharePoint is an information storehouse, logically segmenting your data and enabling efficient collaboration, thereby reducing fear of miscommunication, inconsistent versions, and lost documents.
Storing data on a SharePoint site makes sense for many organizations. It reduces the load the local network handles and makes collaborating on documents much easier. Plus, it offers customizability in terms of restricting and managing access to individuals at varying levels within the company.
However, there is a downside. The Internet is only as secure as the systems that protect it, and threats grow and evolve every day. In today's Internet age, where 10 million people were victims of identity theft in 2008 (according to Javelin Strategy & Research Center), many governmental agencies have pushed for compliance laws to prevent future attacks. And according to data from the Privacy Rights Clearinghouse, which documents significant data breaches, wide-scale security breaches occur almost every day in the United States (and since 2005, 354,537,108 records have been lost or stolen).
Evolution of Compliance Laws
Compliance laws are a good thing, in principle. They protect individuals and businesses, and force organizations to take seriously the threat of data theft before it's too late. However, each ounce of prevention in compliance comes at a cost. According to a Financial Executives International study, the average cost of Sarbanes-Oxley (SOX) compliance in 2007 for large-scale enterprises was $1.7 million.
Like it or not, SOX is here, forcing all public companies to keep thorough financial records. A number of other laws exist for specific industries, such as the financial and medical industries (Gramm-Leach-Bliley Act and Health Insurance Portability and Accountability Act, respectively), where businesses have a special responsibility to protect personal information of customers. In addition, all companies need to be aware of the possibility of e-discovery, when a lawsuit requires a company to sift through all available electronic data (on that company's dime) for some form of data that holds weight in the case. Lastly, there are specific statewide compliance laws that every organization should be aware of. Together, these laws and standards make ignorance out of the question, even for smaller organizations, and force all companies to take compliance very seriously.
Native Tools on SharePoint and Their Limitations
Fortunately, native compliance tools do exist on SharePoint. While they do not cover the same scope as third-party solutions, they may offer sufficient compliance protection for some organizations. First, SharePoint lets you configure user permissions, letting you prevent unauthorized access that could lead to data loss or theft. SharePoint also has basic reports to audit site collections.
Some of the things that SharePoint's native tools can't do include auditing data at levels other than the site collection level, blocking data before it is uploaded, auditing sites based on more robust criteria such as time frame, and tracking all site changes and deletions.
What to Look for in Third-Party Solutions
It's important to note that while each third-party solution in this buyer's guide seeks to solve the same common SharePoint difficulties, each works quite differently, and the best solution will vary by organization. For instance, some of the more suite-like products, such as AvePoint's DocAve Auditor and Vyapin's Admin Report Kit, offer auditing/reporting, migration, and backup and recovery. Other products, such as Muhimbi's SharePoint Audit Suite, offer capabilities similar to SharePoint's native tools but expand on them with more in-depth auditing. Netwrix's SharePoint Change Reporter, meanwhile, offers change tracking but doesn't focus on reporting.
In addition to auditing for compliance, you'll also find that some of the products that focus more heavily on reporting, such as Nintex Reporting, also offer business efficiencies through this reporting. The same types of reports that aid in compliance can help the business to remain efficient through visibility into the organizational structure.
In other words, compliance needs will vary extensively depending on the individual organization. Some organizations will have constantly changing user documents and spreadsheets that contain key information, so tracking changes to these documents on a step-by-step level is essential for measuring compliance. Other companies will have stores of sales and contractual data continually being uploaded to the SharePoint site, so controlling, tracking, and restricting new files uploaded to the site would be very important. Whatever your need, there is likely a solution in place, but it's important to understand the differences.
Customization is Always an Option
Finally, bear in mind that as SharePoint is a very flexible tool, you may decide to have a developer custom-tailor reports that best serve your compliance needs. While this may not be the most efficient model (in terms of cost and time), it may be valuable if you feel that your company's needs are radically different from most. My best advice would be to carefully review your company's compliance needs with a security expert, and then discuss these needs with the vendors in this space to see how their solutions stack up.
In the meantime, I encourage you to review the buyer's guide table, which will offer insight into the capabilities of each offering and provide you with a head start.