Forum Discussion
Amanda Oldham
Jul 20, 2019 (Copper Contributor)
SOX, SharePoint and "SDLC"
Has anyone experienced anything similar? We are trying to use one of our homegrown work review systems (100% SharePoint Lists/web part pages) as a management "control" at our company. Our Corp Audit department is insisting we create an "SDLC process" around the business system. We have to have a separate tenant for QA testing and segregation of duties. They want us to remove full control/design access from the business and have IT operate the system through tickets. I've only known SharePoint to be a business tool. In my mind, it would be the same as if someone told me I would have to ask IT to move my Excel spreadsheet data from one to the other. If this is the norm, does anyone know where to find more info about when and when not to treat SharePoint like this?
- dwkurfman (Copper Contributor)
I assume what they are looking for is process flows, separation of duties, "least necessary privilege", recoverability and so forth. All the typical "risk based compliance" governance. I don't have any "out of the box" answers for you, other than to start by assessing whether your "Services" are considered "Business Critical" and then seeing whether they have standards specific to those criteria.
- Amanda Oldham (Copper Contributor): thanks!
- Rachel_Davis (Steel Contributor)
Amanda Oldham, I understand completely what they're asking for because it's what we did 5+ years ago when we formalized our SharePoint implementation. The problem we're running into now is that those customized access levels don't translate to the modern O365 group-enabled environment. Basically, it's preventing us from moving forward into fully modern SharePoint because of this legacy set up. So now we have this weird hybrid where some stuff is classic and CAN'T be converted to modern without fully migrating the entire site to a new location.
I would start by asking Audit for a specific list of what rights they think a site owner should not have as part of "Full Control". That will let you go back to IT and have them tell you what is technologically possible or not. Having all access rights go through IT would be a mistake. We have that for a limited number of our sites and it's a train wreck, especially when you get sites with multiple permission groups.
We do have an annual system set up for sites that contain highly restricted information where we ask the owners to certify access for each person on the site. Maybe that's something you can offer? But then you'd have to implement some kind of site classification process....
- Amanda Oldham (Copper Contributor): thank you for your assistance; it does make me feel better knowing that we aren't the first or only to deal w/ it