Fumbling with SharePoint? Discover Smarter Compliance Strategies for MSPs

If compliance programs are implemented and maintained through written documents, a successful MSP compliance services program ensures that those documents are secure, accessible, and organized. Which is to say, they’re not managed in SharePoint (unless SharePoint serves as a so-called evidence locker…more on that later).

In this article, we explain the importance of documentation in a compliance program and present our one-stop shop solution for managing them.

Your Compliance Offensive Line

A compliance program without documentation is not a very strong compliance program. Here are three reasons why documentation is integral to compliance as a service (CaaS) for MSPs.

1. Policies, processes, and procedures.

Compliance is more than technical controls like firewalls and encryption. Defining how these controls are tested, updated, and reported is just as important, as are administrative controls like password policies, codes of conduct, incident response plans, etc. On top of all that, people within an organization need to know what their roles and responsibilities are in maintaining compliance.

Accomplishing all the above requires well-defined policies, processes, and procedures, which are, of course, written documents. Actually, they’re living, breathing documents, because they’re updated as frameworks change, or the nature of the organization evolves.

2. Audit requirements.

Written policies, processes, and procedures are an essential part of audits. Along with records and reports, these documents prove that you comply with framework requirements.

Take SOC 2 audits, for example. SOC 2 auditors scrutinize an organization's policies, processes, and technology against the Trust Services Principles laid out by the framework. And if you’re found noncompliant? You’ll have to implement the recommended remediation, which may require more audits and inspections. In the case of legal and regulatory frameworks, failing an audit can also mean legal repercussions and fines.

3. Due diligence.

If it isn’t written down, it doesn’t exist. And then who takes the penalty if something goes wrong?

Having documentation that’s authorized by the end client is part of building defensibility in yourself and your customers. If an incident occurs, you can prove that the correct controls were in place, or you can demonstrate with written and authorized proof that you did your due care.

Red Cards for Documentation Management

We’d bet that most organizations out there use either SharePoint, Google Drive, or OneDrive for document management. Although convenient, these systems are incomplete.

When you’ve got multiple end users, documents and folders are too easy to lose, delete, and reorganize. With so many cooks in the kitchen, items become difficult to find, impossible to sort, and hopeless to categorize. There’s no way to track when documents are changed or updated. Managing permissions is an even larger problem, because access controls don’t exist.

What’s worse, let’s say your organization uses SharePoint and a ransomware event happens. All the documents you’ve stored there are now encrypted and inaccessible. That includes your contact list with phone numbers for your insurance company. It also includes your incident response plan.

How do you respond to an incident, when all the documents you need are stored on that server? You can’t. It’s time to stop using outmoded systems for items that are so essential to your operations.

However, there’s an exception to this that we need to highlight in more detail.

The Evidence Locker Exception

While we have consistently highlighted the shortcomings of SharePoint for document management, it does come in handy for a specific, albeit limited, purpose: serving as an evidence locker. This may seem contradictory to our overall stance, but it's crucial to understand the nuances that differentiate these uses.

Why SharePoint Works as an Evidence Locker

In compliance, an evidence locker is a secure repository for storing finalized documents and records that serve as proof of compliance activities and audits. SharePoint's robust security features and permissions can be effectively leveraged to protect these static, non-editable files from unauthorized access and tampering. The platform's ability to set strict access controls ensures that only authorized personnel can view or retrieve evidence documents, which is crucial for maintaining the integrity of compliance records.

The Limitations of SharePoint for Active Document Management

However, when it comes to the dynamic, ongoing process of document management, SharePoint's limitations become evident. Managing live documents requires frequent updates, version control, collaboration, and real-time tracking—areas where SharePoint struggles. The lack of specialized compliance features means it can't efficiently handle the intricacies of policy updates, procedural changes, or the constant reassessments required to stay compliant with evolving regulations.

Our Balanced Approach

Recognizing these distinct needs, we have introduced the ability to integrate SharePoint specifically for use as an evidence locker within Compliance Scorecard. This integration leverages SharePoint's strengths in secure, static document storage while allowing our platform to manage the active, collaborative aspects of compliance documentation. By compartmentalizing these functions, we provide a holistic solution that addresses the full spectrum of compliance document management needs.

In essence, while SharePoint can act as a secure vault for evidence, its limitations in managing active documents make it unsuitable for the dynamic nature of compliance program management. This is where Compliance Scorecard excels, offering the comprehensive tools needed to manage, update, and track compliance documents seamlessly.

SharePoint for Document Management vs. Evidence Locker

While SharePoint offers several strengths as an evidence locker, such as robust security features, effective access controls, and simplified user management for static documents, it falls short when it comes to dynamic document management. The platform struggles with version control, collaboration, and managing frequent updates, making it difficult to track changes and ensure document integrity. These limitations are particularly problematic for active compliance documentation, which requires constant reassessment and updates.

Therefore, while SharePoint can serve as a secure vault for finalized compliance evidence, it is not equipped to handle the ongoing, collaborative needs of a comprehensive compliance management program. This dichotomy highlights the importance of specialized tools like Compliance Scorecard that can seamlessly integrate with SharePoint for static storage while providing advanced features for active document management.

| Feature/Aspect  | Document Management                                   | Evidence Locker                                                               |
|-----------------|-------------------------------------------------------|-------------------------------------------------------------------------------|
| Purpose         | Managing live, frequently updated documents           | Storing static, finalized documents                                           |
| Version Control | Limited and cumbersome                                | Not required for static documents                                             |
| Collaboration   | Difficult to manage multiple users' edits and access  | Not necessary for static, uneditable files                                    |
| Access Controls | Basic and sometimes inadequate                        | Effective for restricting access to sensitive evidence                        |
| Security        | Vulnerable to ransomware and other threats            | Strong security features can protect static files                             |
| User Management | Complex, especially with many users                   | Simplified as access is limited to viewing/retrieving                         |
| Audit Trail     | Limited and hard to track                             | Effective for tracking access to static files                                 |
| Customization   | Lacks specialized compliance features                 | Not necessary for static storage                                              |
| Efficiency      | Inefficient for frequent updates and organization     | Efficient for static, non-editable documents                                  |
| Integration     | Limited integration with compliance tools             | Effective when integrated with compliance platforms like Compliance Scorecard |

A Compliance Process

With all that in mind, managing a compliance program is complicated. And, just like the controls of compliance require policies and processes, so does compliance itself.

The 4 A’s are our process for operationalizing compliance, and it looks a little something like this:

  1. Alignment: Align the controls of a framework with actual business practices through policies and procedures.
  2. Authorization: Have those policies and procedures authorized by the client.
  3. Adoption: Facilitate the adoption of a culture of compliance.
  4. Assessment: Constantly reassess the gaps, the risks, and the policies and procedures in place to ensure they are compliant.

But we’ll do you one better: Not only have we developed a revolutionary process for operationalizing compliance, but we’ve also built the technology to complement it.

Managing the 4 A’s with Compliance Scorecard

Compliance Scorecard was designed to facilitate the 4 A’s and help you manage a successful compliance program, with all the organization, accessibility, security, and shareability your documents need (plus way, way more). This is how it works:

Alignment

The challenge with aligning business practices to policies and processes that reflect compliance controls is twofold. Firstly, starting from scratch is time-consuming and, secondly, the templates you grab off the internet are generic and usually not aligned to what your organization is actually doing.

Compliance Scorecard is filled with policy packs and templates to help you align with various frameworks, and they’re created with expert research. You can customize them as needed, then duplicate and send them out with one click. We even tell you what information goes in what buckets.

Authorization

These are not your policies and procedures, they’re your clients’. Compliance Scorecard is where they can ask questions, make changes, track versioning and, finally, sign off on documents. Now, all your documents, versions, and authorizations are in one organized place, easily accessed for an audit.

It’s also a space where you can give your clients actionable items they can complete on a regular cadence. Sending tickets, reminders, and notifications to consistently notify your clients about risk is doing your due diligence, and it’s all tracked.

Adoption

What good is all the work you’re doing if the end users aren’t implementing it? Adoption is about getting everybody in the organization on board, so they know what position they play in maintaining compliance.

Compliance Scorecard makes compliance a team sport. It’s where training documents are created, stored, and sent out to the appropriate parties. It also speaks in non-technical terms, so anybody can use it, and anybody can understand it (not just the IT team).

Assessment

With all the policies, processes, and procedures of your compliance program stored and managed in a one-stop shop, assessment is easier.

It’s easier to update documents as a framework changes, because they’re all categorized and organized in one place (a place designed exactly for this). It’s also easier to conduct risk assessments and gap analyses, especially with color-coded scorecards that track your progress over time.

Get the Compliance Scorecard Advantage

Your compliance program is implemented, maintained, and verified through written documents, and those documents are what protects you during an audit or an incident. Meaning, they’re as important as a home team advantage in game 7 of the playoffs – and SharePoint is like playing without your goalie.

For successful compliance, you need a system for managing your policies and processes, obtaining authorization, getting the word out to the team, and conducting assessments. That’s Compliance Scorecard in a nutshell.

Compliance Scorecard was designed to operationalize a streamlined compliance process and bring it to your people. Read the guide on the incredible impact of our 4 A’s on your ability to leverage compliance as a game winner, and then join a live demo to see exactly how the technology works.
