The US Department of Veteran’s Affairs (VA) provides benefits and services to more than 20 million veterans and over 350,000 agency employees worldwide through a range of Web pages and Web-enabled applications.

With a brief to provide universally accessible online services, while safeguarding protected health and other personally identifiable information, the VA has taken an aggressive approach to data privacy.

The VA is keen to promote best-in-class privacy practices and its evolving approach is a good model for how all government agencies can embrace new technologies, balancing the need to protect sensitive information against the benefits of collaboration, sharing information and the need for public services transparency.

With 663 privacy officers and a Privacy Service staff of nine, the VA takes its compliance responsibilities seriously. To support its staff in managing risk across 1,000 sites, some of which are public facing, it has taken steps to automate compliance and collaboration relating to content in its SharePoint 2010 system. The department faced compliance challenges arising from its huge and diverse contributor base and the massive expansion of its content.

Following a successful pilot of HiSoftware Compliance Sheriff, the VA signed a three-year contract for the HiSoftware solution to meet a requirement for a practical privacy program that achieves compliance and regulatory conformance while supporting the evolving business needs of the agency. The VA’s aim is to deliver a privacy program that makes it easier for users to ‘do the right thing’.

There are three key components to this project:

1. Set up a SharePoint 2010 ‘Model Farm’ to demonstrate a best practices approach for privacy and Section 508 accessibility compliance across government. This will model business requirements underpinned by a comprehensive review of who uses SharePoint within the organization and how they use it. Perhaps they used it to send emails collaborate on documents, share calendars – or they may use all three applications and more. The ‘Model Farm’ will also model compliance requirements by exploring all the privacy regulations and how they may be best addressed. Finally it will model the technical requirements that determine how Compliance Sheriff, SharePoint 2010 and other Microsoft technologies can work together to automate compliance enforcement. The hope is that this will provide a best practice resource for securing SharePoint content across government.
2. Add two new SharePoint 2010 sites
3. Expand existing MOSS sites for continuous improvements, automated notification and continued scanning of existing sites.

HiSoftware Compliance Sheriff delivers a balance between data management and protection with a platform that:

• Honors data privacy and security policies, laws and regulations
• Enables enforcement
• Minimizes risk of data loss or misuse
• Minimizes potential impact of data loss or theft
• Generates proof of effectiveness and execution of data protection policies and measures compliance

View the IAPP presentation: US Department of Veterans Affairs’ Battle to Protect Privacy

Read more about the VA’s battle to protect privacy.

But what if the online degree course you wanted to study wasn’t available in an accessible format that you required? Perhaps you’ve been in that situation or if not, imagine how that would feel.

Fortunately, Web accessibility is federally mandated for public colleges and universities through Sections 508 and 504 of the Rehabilitation Act of 1973 to prevent this type of situation. However, not all universities are checking against Web accessibility validation, remediation and automated monitoring which means accessibility is not guaranteed. These checks are useful to ensure equal access to online information and services as well as preventing any discrimination issues.

Recently, we’ve added Penn State, Purdue University Calumet and University of Texas Brownsville to our roster of higher education clients. Higher education is certainly an area looking toward widespread Web accessibility and with these three new clients it re-emphasizes this market trend.

Penn State, for example, is committed to providing an accessible online presence and learning environment for its entire faculty, staff and students.  By automating accessibility monitoring with HiSoftware, the University knows that its websites are being audited for accessibility compliance to address any issues and make sure it is equally available to all of its constituents.

No student wishing to complete an online course should be prohibited because of inaccessibility. Checking and monitoring for Web accessibility is a simple solution to ensure equal opportunities.

Read more about compliance solutions for higher education.

• Compliance and security is a team sport. There are many levels of SharePoint security. Because of this, it needs to be handled through a true team effort within your organization as well as utilizing the expertise of third parties.

• The SharePoint Security Team should include:
  • The Farm Administrators
  • The Site Collection Administrations
  • The Site Administrators
  • Content Owner & Department Manager
  • Compliance & Security Team
  • Help Desk

• The team needs to have responsibility for compliance, security and SharePoint domains.
  • Compliance –This includes regulations, internal policies and best practices within the organization.
  • Security – Both the physical and network security, as well as theft.
  • SharePoint –Points to consider include site proliferation, user adoption and governance.

• SharePoint is the bane of the compliance officer’s existence. Even though organizations have secure systems with lots of security technology – firewalls, anti-virus protection for example – SharePoint is still the bane of the compliance officer. While SharePoint is inside a secure environment, the problem is what is happening to the content within SharePoint that raises the concern and risk.

If you’d like to listen to the recording to hear more about these issues click here.  You’ll also find out more about how Axceler and HiSoftware are working together.

BT’s Knowledge Management and Collaboration (KMC) programme has formal BT Board approval and has an agreed strategy setting out the priorities and timelines. The KMC programme has a governance model so the implementation is effective, well managed and you can see how the different boards fit together and their responsibilities.

The KMC steering group had senior representatives from across all the business units in BT with IT partners. I was a member of the KMC steering group and led teams on several projects including standards, training, support and content management.

BT’s first priority has been on sharing knowledge more easily. Employees can use choose SharePoint 2010′s People Finder to search for employees from an index list on the global navigation bar at the top of every page on the BT Intranet.

This links to MyProfile which is like the existing Directory but has more flexibility. Employees can add more information about themselves to help people searching to check more easily they have the right person because of their interests and experience. By clicking on ‘Browse in organisation chart’ you can move from MyProfile to MySite and can see how your role fits within BT and relates to other people.

MySite has several tabs including one for Whereabouts so people can see what you are doing. This information is automatically downloaded from your Outlook calendar. Another tab, Overview, enables people to see topics and skills you can help others with.

MySite content shows to people with the right permissions what you have published in SharePoint 2010. This helps people to find others who have a shared interest without any extra effort needed by you.

Employees using SharePoint 2010 for the first time will go to the Welcome page for SharePoint 2010. BT does not mention the technology in the title but what its purpose is. There is a lot of information shown but new users say this is what they need at this stage and gives them a good first-time experience.

You can request to publish on a TeamSite for project work or document sharing. It will extend to other needs as SharePoint 2010 replaces existing publishing tools and the activity they help people to do.

There is a help site that supports anyone using SharePoint 2010 for any purpose, not just publishing.

Download the SharePoint Content Checklist I worked on in conjunction with HiSoftware which outlines a simple 5 step content strategy aligned to every stage of your SharePoint 2010 deployment.

It makes sense to focus on content at this stage, too, putting in place policies that encourage secure collaboration. The ideal is to drive high rates of adoption while securing the content going into the new system.

Enterprises that have an intranet governance framework, with a clear strategy and defined roles for those managing the system, have a head start. Companies that don’t have a strategy have an opportunity to develop one to provide a clear structure.

SharePoint 2010 implementation tends to go through five phases.

1. The selection of SharePoint 2010 is the first stage, during which organizations should be looking to create a content governance strategy and prepare for content migration.
2. Once this is carried out, the second phase is to ensure security and compliance of the content. Third party solutions can automate this process, checking content as it is published for data protection and security compliance and accessibility, as starting points. Enterprises will want to add to this, requirements that content is dated, the owner of the content is noted, that duplicate content is not uploaded and that content is compliant with branding and metadata guidance for search and discovery.
3. With all these checks in place, enterprises will enter the third stage of preparing to migrate content into the new system. It is useful to create a further checklist around migrating content successfully from other publishing systems to SharePoint 2010. This should include identifying existing content, which may be held in multiple format and locations, setting out where the content that needs to be migrated into the new system will be published, implementing permissions for employees to access, create or contribute to content. Metadata mandates need to be set up and a folksonomy should be established at this stage, if one is required. For large blocks of content, of over 1,000 pages, say, it is worth evaluating tools that automate migration.
4. Phase 4, implementation is where communication becomes key. Employees and all other stakeholders need to know what is going on with the content they use for their job and are confident that it is current.
5. Once SharePoint 2010 is in and running, most of the hard work is done but phase 5, post-deployment, is equally critical. During this phase, when SharePoint 2010 has become very much business as usual, it is essential to keep content strategy under review and to update it regularly, to keep a close eye on usage and ROI and to maintain compliance.

Having a detailed SharePoint 2012 checklist to help define your intranet governance framework as well as take you through each step to consider will help ensure secure collaboration that is widely adopted.

Download a detailed SharePoint 2010 content checklist.

Because of these updated standards, Canadian Federal government institutions need to make sure they have a plan to meet CLF requirements and have a process to measure success. In addition to meeting international web content accessibility guidelines (WCAG 2.0 A&AA Guidelines), agencies need to achieve these new Usability standards.

Accessibility for people with disabilities is more important now than ever before. The last decade has shown how information technology (particularly the Internet) opens up new worlds for an ever-increasing number of people with disabilities. At the same time, web accessibility standards have also evolved to keep pace. WCAG 2.0 – the most important and influential web accessibility standard worldwide – provides a framework to allow a better accessible experience for users with disabilities.

Driven by a lawsuit from a blind citizen, Canadian government top level external web pages   should have been compliant with WCAG 2.0 by 1 October 2011. But there are also important dates in 2012 by which websites should demonstrate further compliance with CLF. All home pages or pages referenced from website home pages were to be compliant with WCAG 2.0 A&AA guidelines by February 29, 2012. The most used pages and web apps relating to a website need to be compliant by July 31, 2012 and the remaining pages and web apps must be compliant by July 31, 2013.

As well as accessibility CLF addresses usability by mandating a basic structure for government web page layout and design, which makes it easier to find information and services and provides consistency across all federal websites.

The Treasury Board of Canada is overseeing compliance. It recommends the Web Experience Toolkit (WET) that includes tools and solutions for building and maintaining websites that are accessible, usable, and interoperable. These tools and solutions are open source and free for use by departments and external web communities.

Content providers need to clarify what their responsibilities are when providing content for electronic publishing.

HiSoftware is releasing a new set of CLF rules within Compliance Sheriff that will provide an organized checklist to ensure that the new CLF Usability standards are being met; along with automatically testing for WCAG 2.0 Accessibility Guidelines. Using Compliance Sheriff, Agencies will be able to expedite their CLF compliance requirements and remediation efforts.

Because SharePoint makes it is so easy to build new sites, SharePoint systems can grow quickly and become unwieldy. The creation and storage of content in SharePoint introduces risk that information may be accessed by or shared with individuals outside of the regulatory and corporate policies designed to protect sensitive information.

If administered wisely, SharePoint can be a tremendously powerful resource. And that is why a SharePoint governance plan—and the tools to manage and enforce it—are essential.

Join me and Axceler to discuss how you analyze risk and automatically classify and protect this information while implementing a restrict, encrypt, track and prevent approach to SharePoint.

It also said:

“When records are well-managed, agencies can use them to assess the impact of programs, to reduce redundant efforts, to save money, and to share knowledge within and across their organizations. In these ways, proper records management is the backbone of open Government…

…With proper planning, technology can make these records less burdensome to manage and easier to use and share. But if records management policies and practices are not updated for a digital age, the surge in information could overwhelm agency systems, leading to higher costs and lost records.”

The memo outlined that agencies must describe how they will improve or maintain their records management programs, particularly in regard to email, social media and other electronic communications.

Federal Times reported that:

The initiative won praise from leaders of two watchdog groups, OpenTheGovernment.org and Citizens for Responsibility and Ethics in Washington. In a joint statement, the two organizations noted that 95 percent of agencies reported last year that they were at risk of losing electronic records. Obama’s memo “puts in place a structure to begin addressing the problem” they said, but cautioned that lack of money will be a major hurdle.

It’s a scary statistic that almost all agencies are at risk of losing electronic records. This should not be the case.

It’s now four months after the memo was released. We should begin to hear each agency’s current plans for improving records management programs, what obstacles it faces and policies and programs put in place to improve the agency’s records management. I for one want to know how any electronic records with my potential details are being kept safe.

My view is that these government agencies will need to look at, particularly in regard to email and social media as well as SharePoint platforms, how they will handle this unstructured content. All emails and social media posts are records that need to be managed.

If these agencies are to build governance around their records management systems, then it must be content-aware. Content-aware governance enables customised rules. For example, agencies may have a human resources policy that they want to enforce, so that discussions in the social realm don’t get out of hand. Another example is if agencies are collaborating on research they may want to make sure that unpublished findings are not accidentally exposed outside of the research team before it is fully mature.

An effective records management compliance solution should employ a flexible content-aware rules engine that uses regular expressions, pattern matching and key word identification to locate specific risks related to many global regulations including Data Protection Act breaches, HIPAA/HITECH, FISMA, MA 201 CMR 17, COPPA and Section 508 and WCAG 2.0.

Some of these agencies will have a different approach to compliance than others so it should be possible to create custom rules mapped to their approach or to other individually specified regulatory risks.

Read more about content-aware solutions here.

Jonathan Allen is a Senior SharePoint Engineer at HiSoftware.

When you start implementing SharePoint 2010 you need to measure the overall value to show the investment made has been justified. This is easy to say but harder to show.

There are three levels you can measure the value that SharePoint 2010 can bring to your organisation and employees. These are improved productivity, reduced costs, and increased revenue.

1. Improved productivity – Using SharePoint 2010 can help employees solve business problem more quickly. Maybe to solve a problem you have employees who use face-to-face meetings which take time to arrange. Perhaps emails with large documents attached which everyone is editing with their comments in isolation of other changes. Different time zones and location can make phone calls difficult to get everyone on the same call and a vital piece of information is missed. All of these can lead to improved productivity. The challenge is to show what people did with the time saved. More effectiveness rather than more efficiency needs to be demonstrated. You need to clearly show how employees and the organisation have benefited.
2. Reduced costs – SharePoint 2010 can help organisations reduce the overall cost of technology needed. Reducing the range of IT used by employees can have an impact in many areas. Providing your business requirements match what SharePoint 2010 is able to do, it will be a good fit for your organisation’s needs and save costs. That means getting your strategy and priorities right.
3. Increased revenue – It is possible to use SharePoint 2010 to bring in more revenue – something that shows on the financial bottom line of your organisation. This is most valued when justifying investment in technology. If your SharePoint 2010 strategy is closely aligned to your organisation’s strategy you can exploit this opportunity to add overall value that shows through on the bottom line for your organisation.

It is how your organisation uses SharePoint 2010 that will decide the overall value it will bring. Read more on how to measure SharePoint success here. 

Download the SharePoint Content Checklist I worked on in conjunction with HiSoftware which outlines a simple 5 step content strategy aligned to every stage of your SharePoint 2010 deployment.

About Mark Morrell

Mark Morrell is an intranet pioneer combining strategic thinking with implementation skills.  Since 1996, he has developed intranet strategies with first-hand practical experience of implementing major technology and change projects.  As the former BT Intranet Manager, he helped to transform BT’s intranet into one of the best global examples for governance, engagement and collaboration. Mark is an expert in SharePoint and can share his knowledge and experience of the digital workplace and other intranet topics. Mark has established his consultancy Mark Morrell Ltd to help major organisations with their intranet strategy, governance, standards and use of collaboration tools.

Coca Cola Australia launched what it presumably hoped would be a feel-good social media experiment on Facebook inviting contributors to create a happy story. What it actually got, according to news reports, was an outpouring of profane comments.

McDonalds too experienced a social media nightmare this year when its attempts to promote itself through the twitter hashtag #McDStories were hijacked by critics of the company who unleashed a torrent of unfavorable tweets, forcing the fast food purveyor to pull the campaign.

As Coca Cola and McDonalds found to their cost, it is difficult to control what customers share. Enterprises can, however, control what they share with their customers but there are clear indications that many are failing to do so. Symantec’s 2011 Social Media Protection Flash Poll revealed that social media is pervasive within the enterprise, and IT departments have good reason to be worried.

As organizations increasingly share business related information on social networks to communicate with customers, partners and employees, the risk of publishing confidential information also increases.

Symantec found the typical enterprise experienced nine social media incidents, such as employees posting confidential information publicly, over the past year, with 94% suffering negative consequences including damage to their reputations, loss of customer trust, data loss and lost revenue.

The survey found the top three social media incidents that the typical enterprise experienced over the last year were employees sharing too much information in public forums (46%), the loss or exposure of confidential information (41%), and increased exposure to litigation (37%).

More than 90% of respondents who experienced a social media incident also suffered negative consequences as a result, reported Symantec. The statistics are shocking. Some suffered a reduced stock price (average cost: $1,038,401), others had to pay out litigation costs averaging $650,361. Direct financial costs averaged $641,993 and damaged brand reputation and loss of customer trust was said to average $638,496. Lost revenue averaged at $619,360.

Enterprises face a pressing need to train their employees on what is appropriate to post on social media sites and support that with a technology solution that flags any content that is potentially damaging before it is posted. Often commercially sensitive content is posted entirely innocently but this can be addressed with training and content aware solutions. Read more about content aware solutions for social computing.