Good governance is difficult to define and even harder to implement. Having a good governance plan in place for your IT team, however, is essential to achieving your organization’s goals and mission, while maintaining risk management and compliance best practices. In this blog post, you’ll learn:
- Practical definitions of what governance is, and what it isn’t
- What good governance means in the Age of Office 365
- Why and how to go beyond good governance to data protection
Check out the additional resources at the end for more practical advice on how to build a good governance plan that fits your organization’s needs.
Microsoft defines governance in a recent article as “the set of policies, roles, responsibilities, and processes that control how an organization’s business divisions and IT teams work together to achieve its goals.” The ISACA subgroup, IT Governance Institute (ITGI), narrows the focus in emphasizing the role of IT in their executive primer on governance, stating that governance is “the responsibility of executives and the board of directors, and consists of the leadership, organisational structures and processes that ensure that the enterprise’s IT sustains and extends the organisation’s strategies and objectives.”
In a nutshell, governance is the practical application of processes and policies — especially those involving IT — towards meeting organizational goals. It isn’t compliance, or security planning, or technology evaluation and adoption — although these functions will be improved by good governance.
Governance is not one-size-fits-all, however. Any organization’s use of information technology will vary in line with its mission, values, and goals. Enterprise-scale organizations, due to the complexity of their infrastructure and size, will likely require more — and more detailed — governance as compared to smaller organizations.
Stated as simply as possible, governance is the process by which an organization can answer these three questions about information technology and its management.
- What are the decisions that need to be made?
- Who is accountable for making the decisions?
- How will the decisions be made?
Whether your organization has gone all-in on cloud-based technology like Office 365 with SharePoint Online, or is still running Exchange Server or SharePoint Server on-premises, it is always a good time to review your current governance plan and make sure it is robust. Decision-making around cloud-based technologies will expose weak links in any existing governance plan, and having no plan is not a sensible option for IT decisions with far-reaching implications for how teams collaborate and communicate.
When assessing whether to adopt cloud-based platforms and solutions like Office 365, good governance practices are vital. A good plan can:
- Clarify what to prioritize for adoption and deployment. By following best practices for governance — setting processes in place and assigning owners to define requirements with stakeholders — your organization can prioritize what’s most impactful and also what is most feasible, given the current resources available.
- Streamline the deployment of solutions. The clarity provided by a good governance plan will result in less wasted time and effort during deployment. Efficient deployment means your organization will start receiving the benefit of new technologies faster.
- Ensure cloud and SaaS adoption doesn’t add unacceptable levels of security risk. Since governance will bring all relevant teams together, security risks can be discussed and identified early in adoption discussions. Not all security risks will require mitigation — a good governance process will help identify those risks that do.
- Enable your organization to maximize its Return on Investment (ROI) while controlling its Total Cost of Ownership (TCO). By focusing on these three pillars of good governance – what decisions need to be made, who is accountable for making the decisions, how will the decisions be made — and applying them to the potential business value provided by a new technology, IT will be aligned with business goals and resource allocation.
If your organization has already adopted Office 365, a good IT governance plan can:
- Help you identify which components your organization needs, and which it doesn’t. For example, Office 365 Enterprise E3 currently includes the desktop Office applications (Word, Excel, PowerPoint, Outlook, OneNote, Publisher and Access) plus SharePoint Online, OneDrive for Business, Skype for Business, Yammer, Exchange email, eDiscovery and many other services. Office 365 Business Premium includes the core desktop applications and collaboration services as well. Does your organization need them all?
- Ensure your teams are prepared to make the switch to Office 365 a success. Will newly-adopted components be rolled out to a small group of “power users” first? What training and support will be needed for a successful roll-out? These questions could all be incorporated as part of governance planning for any IT deployment, not just Office 365 – but Office 365 adoption might drive your organization towards better governance.
- Reduce the risks from changes to team processes. Collaboration components like OneDrive for Business and SharePoint Online are secure and ship with robust built-in protections, but those protections cannot fully shield your organization from accidental deletion by a team member, sync errors, or malicious actions such as a compromised account deleting content. A good governance plan will enable your organization to manage those risks at levels appropriate to your current resources.
Whether an organization needs an added layer of protection from some of the risks of data loss noted in the last bullet above is still a topic of discussion. At Spanning, we believe that your Office 365 data is critical to your organization’s success, and our more than 1,200 Office 365 tenants agree. Therefore, as part of your governance plan, your organization might wish to determine the value of data and discuss whether mitigation from the risks of loss is important to business continuity.
For example, is SharePoint used for collaboration on strategic, long-term projects? Is OneDrive used to house contracts and executive reports? How long would it take to recover if some of that data were permanently deleted in error?
If good governance processes spotlight Office 365 data risks that need mitigation, it may be a good idea to consider a third-party backup solution to protect your data. You should consider solutions that are:
- Cloud-to-cloud, with robust enterprise-grade security. Any solution should at minimum hold a current SOC 2 Type II report, be HIPAA compliant, and encrypt data both at rest and in transit. Another key security aspect is to make sure the solution authenticates through OAuth, where a tenant admin grants the application only the permissions it needs to perform backups and restores: the grant is scoped to those permissions, is visible in your tenant, and can be revoked without changing any password. Avoid handing a vendor stored account credentials or a service account with a standing password unless you absolutely must, and if you must, restrict its permissions and rotate the credential.
- Easy-to-use by design. You’ll want a solution that requires little to no training, and takes only minutes to install — if your data is important, losing time on training or installation keeps you at risk.
- Designed to enable end users to recover from their mistakes. Your IT teams exist to enable your organization’s end users to collaborate, communicate and innovate — and focus on what they do best, without worrying about technology. Your backup-and-restore solution should support this by enabling simple, secure, no training-required end user self-restores.
- Well-adopted and proven. Being early in the marketplace (as Spanning was) means a solution can evolve along with its users’ needs. You’ll also want to read up on the solution provider itself: is the company offering the solution financially stable, so your backups will still be there for you in the future?
- A leader in more than one cloud-to-cloud backup-and-restore solution. This speaks to a sharp focus on innovation in the areas that matter to your organization and its data protection. Although your organization may not use G Suite, for example, leadership in cloud-to-cloud backup for G Suite indicates institutional expertise in data protection that can benefit your organization.
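The OAuth point in the first bullet above has a practical follow-up for a governance plan: someone should be accountable for reviewing which applications hold tenant-wide grants, and what those grants allow. The script below is an added example, not code from the original post or from Spanning. It works on records shaped like Microsoft Graph's oauth2PermissionGrant objects (clientId, consentType, principalId, resourceId, scope) and servicePrincipal objects (id, displayName); the sample data, the application names and IDs, and the list of high-impact scopes are all constructed for illustration, so replace them with the output of your own tenant queries.

```python
"""Review OAuth delegated permission grants in an Office 365 tenant.

Added example, not from the original post. Records follow the field names of
Microsoft Graph's oauth2PermissionGrant and servicePrincipal objects; the data
below is constructed and the IDs are made up. In practice the two lists come
from GET /oauth2PermissionGrants and GET /servicePrincipals.
"""
import json
from dataclasses import dataclass

# Constructed sample: a backup app granted by admin consent, a user-consented
# helper app, and an over-privileged tool nobody remembers approving.
SAMPLE_SERVICE_PRINCIPALS = json.loads("""
[
  {"id": "sp-backup", "displayName": "Cloud Backup Connector"},
  {"id": "sp-notes",  "displayName": "Meeting Notes Helper"},
  {"id": "sp-legacy", "displayName": "Legacy Migration Tool"}
]
""")

SAMPLE_GRANTS = json.loads("""
[
  {"clientId": "sp-backup", "consentType": "AllPrincipals", "principalId": null,
   "resourceId": "graph", "scope": "Files.Read.All Sites.Read.All Mail.Read"},
  {"clientId": "sp-notes", "consentType": "Principal", "principalId": "user-42",
   "resourceId": "graph", "scope": "User.Read Calendars.Read"},
  {"clientId": "sp-legacy", "consentType": "AllPrincipals", "principalId": null,
   "resourceId": "graph", "scope": "Sites.FullControl.All Directory.ReadWrite.All"}
]
""")

# Delegated scopes that let an app change or delete data across the tenant.
# This set is an assumption for the example; tune it to your own risk appetite.
HIGH_IMPACT_SCOPES = {
    "Sites.FullControl.All", "Sites.ReadWrite.All", "Files.ReadWrite.All",
    "Directory.ReadWrite.All", "Mail.ReadWrite", "Mail.Send",
}


@dataclass(frozen=True)
class GrantFinding:
    app: str            # display name of the client service principal
    tenant_wide: bool   # True when consentType is AllPrincipals (admin consent)
    scopes: tuple       # every delegated scope in the grant, sorted
    high_impact: tuple  # the subset of scopes that can write or delete data


def review_grants(grants, service_principals):
    """Turn raw grant and service principal records into review findings."""
    names = {sp["id"]: sp["displayName"] for sp in service_principals}
    findings = []
    for g in grants:
        # scope is a single space-separated string in the Graph schema
        scopes = tuple(sorted(s for s in g.get("scope", "").split() if s))
        high = tuple(s for s in scopes if s in HIGH_IMPACT_SCOPES)
        findings.append(GrantFinding(
            app=names.get(g["clientId"], g["clientId"]),
            tenant_wide=(g.get("consentType") == "AllPrincipals"),
            scopes=scopes,
            high_impact=high,
        ))
    return findings


def needs_review(finding):
    """A grant needs a named owner's sign-off if it is tenant-wide or can write data."""
    return finding.tenant_wide or bool(finding.high_impact)


def report(findings):
    """One line per grant, suitable for pasting into a governance review record."""
    lines = []
    for f in findings:
        flag = "REVIEW" if needs_review(f) else "ok"
        scope_note = f"writes: {', '.join(f.high_impact)}" if f.high_impact else "read-only"
        where = "tenant-wide" if f.tenant_wide else "single user"
        lines.append(f"[{flag}] {f.app}: {where}, {scope_note}")
    return lines


if __name__ == "__main__":
    for line in report(review_grants(SAMPLE_GRANTS, SAMPLE_SERVICE_PRINCIPALS)):
        print(line)
```

Every tenant-wide grant lands in the review bucket, including the read-only backup connector; that is deliberate, since the governance question is who approved the grant and why, not only whether it can write. The write-capable, tenant-wide "Legacy Migration Tool" is the one a reviewer would chase down first.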
What to do next
There are many resources, some including frameworks and checklists, available to help deepen your understanding of governance and to build or refine your plan. A few of the best are listed below.
- ISACA on Governance: https://www.isaca.org/Groups/Professional-English/governance-of-enterprise-it/Pages/Overview.aspx
- Gartner on IT Governance: http://slideplayer.com/slide/5843096/#
- MIT Sloan CISR on Governance: http://cisr.mit.edu/research/research-overview/classic-topics/it-governance/
- On making a smooth transition to Office 365: https://spanning.com/blog/5-ways-to-make-a-smooth-transition-to-office-365-for-enterprise/
*** This is a Security Bloggers Network syndicated blog from Spanning authored by Lori Witzel. Read the original post at: https://spanning.com/blog/what-is-good-governance-in-the-age-of-office-365/