SharePoint for CFR Part 11 Compliance

Recently we had a prospect who contacted us to evaluate how SharePoint can help in meeting the requirements of 21 CFR part 11. The evaluation was done at multiple levels, including analysis of the regulation, evaluation of compliant environments and talks with subject matter experts. With aggressive marketing, SharePoint’s adoption is increasing in life sciences and related industries for content management. I thought of collating the findings to save time for those who will undertake such evaluations in future.

  1. Process and Technology– The regulation’s main intent is to encourage organizations to implement processes that pin responsibility on individuals. This translates to two components: a process, and a solution to supplement the process. Processes are internal definitions created by the organization, and solutions can help in capturing metrics to verify whether the process is followed. Therefore there is no IT solution that can make an organization part 11 compliant, as process definition is at the core of the compliance.
  2. Identify the Content– Not all content in an organization needs to comply with part 11 clauses. So as a first activity you have to identify the content to focus on and understand how it is being managed in the organization. Primarily the following content needs to be compliant:
    1. Electronic format of documents which need to be maintained under a predicate rule
      o Where the electronic document replaces the physical document
      o Where the electronic document exists along with the physical document but the electronic document is used for regulated activities
    2. Records submitted to FDA in electronic format
  3. SharePoint Features– SharePoint has enough features to build a solution with the required checks and balances in place to help with compliance. The following features should be utilized:
    1. Authentication and authorization- Limiting system access is one of the most important requirements. SharePoint helps in implementing claims or FBA based authentication along with user group driven authorization to content.
    2. Auditing- SharePoint can be configured to capture and report usage metrics, e.g. opening, downloading or moving documents, deleting content, changing authorization and permissions. In SharePoint it can be configured at a collection, site or repository level
    3. Versioning- Document versioning in SharePoint captures the timestamp of a change and also the actual change made, which helps in building traceability on changes
    4. Workflows- SharePoint workflows help in being process compliant through the implementation of BPM solutions for identified processes. Workflows automatically capture an audit trail for each action taken, which helps with compliance reporting
    5. Record management- Once content is approved, it’s important that the system has a feature in place that ensures it cannot be modified. The record management feature (in-place and Records Center) helps meet this requirement
    6. Security – the following security considerations should be evaluated and implemented in SharePoint
      o Content access- A properly planned and designed information architecture should be implemented to have user group based access to content
      o SSL implementation- Ensure communication between client and server is encrypted
      o DB level- Values in the DB can be accessed and changed directly. This is tough to track and prevent without custom scripts. Scripts can be deployed to track changes made in the DB, and a timer job can identify records which were modified and send them for approval
      o Rights Management Service – Helps control document edits outside the SharePoint environment
  4. Digital signature – Due to the tight coupling between Office and SharePoint, there are solutions available to capture electronic signatures in documents, but due to various legal requirements, digital signatures issued by a third party are preferred. There are numerous vendors with various solutions available to meet this requirement.
  5. System Validation– The regulation also places importance on proper validation of the implemented system. This translates to use of a mature development and implementation process with a focus on documentation. Primarily, it requires release notes, deployment notes, logging for installation, test cases, a test plan and acceptance criteria. The process should allow tracing of the specific actions taken to validate the system
  6. Training– User training on the system is mandatory for compliance, and therefore a more formal approach is required to meet the training requirement
  7. Miscellaneous
    1. SOP on content usage- this is the internal process that needs to be designed by the organization. SharePoint document management along with an approval workflow provides a formal mechanism to maintain and access this content
    2. Governance- The system implemented should have a governance plan in place for administration
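
One way to implement the change-tracking script and timer job described under "DB level" above, as an added example (not code from the original post or from SharePoint). It assumes a constructed stand-in table in SQLite rather than a SharePoint content database, and it assumes each approved record is sealed with an HMAC whose key is held outside the database:

```python
import hashlib
import hmac
import sqlite3

# Assumption: the sealing key lives with the monitoring job, outside the database,
# so someone with direct DB access cannot recompute a valid seal after an edit.
SEAL_KEY = b"constructed-demo-key"

def seal(doc_id, version, body):
    """HMAC over the fields that must not change once a record is approved."""
    msg = f"{doc_id}|{version}|{body}".encode()
    return hmac.new(SEAL_KEY, msg, hashlib.sha256).hexdigest()

def setup_demo_db():
    """Constructed stand-in schema; this is not SharePoint's content database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, version INTEGER, "
               "body TEXT, status TEXT, seal TEXT)")
    db.execute("CREATE TABLE review_queue (record_id INTEGER, reason TEXT)")
    return db

def approve(db, doc_id, version, body):
    """Approval path used by the application: store the record with its seal."""
    db.execute("INSERT OR REPLACE INTO records VALUES (?, ?, ?, 'approved', ?)",
               (doc_id, version, body, seal(doc_id, version, body)))

def sweep(db):
    """Timer-job body: queue approved records whose content no longer matches."""
    flagged = []
    rows = db.execute("SELECT id, version, body, seal FROM records "
                      "WHERE status = 'approved'").fetchall()
    for doc_id, version, body, stored in rows:
        expected = seal(doc_id, version, body).encode()
        if not hmac.compare_digest(expected, str(stored).encode()):
            db.execute("UPDATE records SET status = 'pending_reapproval' "
                       "WHERE id = ?", (doc_id,))
            db.execute("INSERT INTO review_queue VALUES (?, ?)",
                       (doc_id, "seal mismatch"))
            flagged.append(doc_id)
    db.commit()
    return flagged

def demo():
    db = setup_demo_db()
    approve(db, 1, 3, "SOP-001 rev C: calibrate weekly")   # constructed records
    approve(db, 2, 1, "Batch record 7781: released")
    # Direct edit that bypasses the application and therefore its audit trail.
    db.execute("UPDATE records SET body = 'Batch record 7781: rejected' WHERE id = 2")
    first = sweep(db)
    second = sweep(db)  # record 2 is already queued, so it is not flagged twice
    queue = db.execute("SELECT record_id, reason FROM review_queue").fetchall()
    return first, second, queue

if __name__ == "__main__":
    print(demo())
```

A sweep like this only sees rows that still exist; rows deleted directly from the table need a separate check, such as comparing against a list of approved ids kept outside the database.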

When it comes to regulatory compliance, SharePoint has the features to build a framework for your organization. However, the eminent flexibility that SharePoint offers can also pose challenges if a wholly haphazard approach is taken. It’s always better to consult a trusted partner who has the technical expertise and process maturity to guide you along the compliance journey. At Trigent, our Microsoft certified experts work closely with your team to understand compliance specific requirements and can fast track implementation. If you have any queries, do let us know for a no-obligation meeting.

Data Security in Office 365 (SharePoint Online)

The concern on where the data resides goes with all Cloud solutions. The data storage as part of the agreement is at the discretion of the service provider (usually unless particularly called out). The data security requirement differs between regions and there is an array of regulations that apply to the data depending on the location of the subscriber and the industry that they belong to.
Regulations apply to particular types of data (e.g. HIPAA), so the data needs to be understood and segregated to apply the required safeguards.

If your primary focus is where the data resides, then Microsoft provides data maps (vague but available) that show the region where the data resides based on your subscription. It’s important that you specify the correct location in your subscription because the data store is solely based on that. This also is the biggest drawback of Office 365. In scenarios where users in a single tenancy reside in multiple geographies, the data is stored based on the location specified in the Office 365 setting (single location). This can lead to data compliance issues, especially if a set of your users reside in the EU, due to the EU safe harbor clause. To overcome this you can choose an EU location and ensure that the data resides within the EU, thus complying with the norm, but then the performance will be highly degraded for users in other regions. This is one of the biggest data related drawbacks of Office 365.

To quote from Microsoft website – Microsoft Office 365 supports the following where applicable and/or possible:

  • ISO 27001 (International Organization for Standardization)
  • FISMA (Federal Information Security Management Act)
  • HIPAA, with Business Associate Agreement memorializing implementation of physical, technical and administrative safeguards, and breach notification requirements of ARRA/HITECH
  • EU Safe Harbor
  • EU Model Clauses
  • Data Processing Agreement

You have to ensure that you sign the relevant contracts to ensure your subscription covers a particular compliance. You can get further details at http://office.microsoft.com/en-in/business/office-365-trust-center-cloud-computing-security-FX103030390.aspx

Email data at rest is encrypted by default in Office 365 but other content (e.g. SharePoint Online content) is not encrypted. Email encryption is also available with non-federated, enabling ad hoc encryption services with any recipient. For the other content, you can identify and set encryption using the Rights Management Service (RMS) in Office 365. Office 365 is very comprehensive when it comes to data security and compliance.

SharePoint Customization – Is it a development platform or an application suite?

When is SharePoint Customization required?
The feature set and flexibility provided by Microsoft in the SharePoint platform often bring us to this question: is it a development platform or an application suite? The answer depends entirely on the person’s perspective and how at ease the person is using SharePoint as either medium. But at the heart of this question is a simple query: when to apply customization in SharePoint. This article is based on our experience executing various SharePoint projects and looks at some scenarios where it’s justified to customize.

SharePoint Customization scope

For Trigent, a Microsoft Gold Certified Partner with extensive skills and experience in .NET development, customization of SharePoint to meet business requirements is an easier choice. However, we strongly believe that just because you can doesn’t mean you should. Our primary focus is long term maintainability of the application. Design is an extensive exercise undertaken for every project, where each requirement is evaluated and a corresponding solution is identified. The emphasis is on utilizing out of the box features to meet the functional requirements to the extent possible. If a requirement cannot be met using out of the box features, then it is documented and communicated, and a collective decision is taken to use alternatives (customization). At Trigent customization is considered based on four factors:

  1. Business value derived out of the customization
  2. Skill-set of the client’s IT support staff
  3. Effect on application performance
  4. SharePoint next upgrade plans/timeline

Our Views on SharePoint Customization

Trigent recommends customization only if it brings substantial benefit to the business, the impact on performance is minimal and if our client has the required support staff. If there is an immediate plan to upgrade SharePoint then the recommendation is to postpone customization until the upgrade is complete.

There are definite scenarios where customization is necessary to derive complete value by meeting business requirements, like business processes (workflows), business intelligence (insights) and integration (events on external data). On the other hand, there are identified functionalities in SharePoint for which we do not recommend customization at all, e.g. changing base content types.

Customization helps in faster adoption of the application as the exact specifications can be made available in the application. SharePoint projects involve considerable upfront investment in infrastructure, licensing and execution (planning, design, development, testing). Customization can help in deriving better value and therefore improves the return on investment.

Customization is discouraged for the following reasons

  • Microsoft does not support extensive customizations, resulting in discontinued support.
  • Customizations, especially done to UI layer, can cause performance issues.
  • Major impact of customization is observed when subsequent service packs are installed or when the version is upgraded. Customizations can interfere with the upgrade or can fail to work after upgrade.
  • Also, in the absence of proper documentation and source code, enhancements to current customizations can be cumbersome.

Compared to this, out of the box features have undergone rigorous testing (functional and load) by Microsoft and therefore bring the required stability to the application. Out of the box features can be maintained easily by any non-technical resource who understands the working of SharePoint as a “product”.

But it should be remembered that these features are also governed by the limits (size, structure, volume, etc.) identified by Microsoft, exceeding which can cause serious performance degradation. One such instance is when a large volume of external data is brought into the application using Business Connectivity Services.

If you wish to discuss any specific scenario in detail, please get in touch with us.

What are SharePoint’s Pros and Cons?

SharePoint Benefits

SharePoint’s strength is in the breadth of functionality that it provides out of the box. Individually there might be comparable and better products in the market for a specific functionality, but all put together there is no other application/product/platform that provides the same range of functionality available with SharePoint.
Some of the best in class features available in SharePoint are:

Authentication and authorization– SharePoint provides various authentication methods out of the box and provides the flexibility to use different types of providers. Authorization is implemented through user groups and permission which is very comprehensive in its coverage.

Connectors for integration with external applications– SharePoint’s BCS provides a means to bring in data from any external source on the SQL platform. Along with it, SharePoint also comes with out of the box connectors for other sources like MS Exchange, Lotus Notes etc. These connectors make integration a matter of hours of configuration as compared to days of development.

Enterprise Search– FAST search’s integration with SharePoint has now provided enterprise search as part of the standard package. The two stage algorithm includes indexing and run time ranking to ensure that the right content shows up at the top of the result list. This, along with the data connectors, provides a platform to establish a search application which can search through the entire enterprise’s content.

Quicker time to market– Easy installation and out of the box functionalities which satisfy most of the business requirements reduce the time to market drastically when compared to a custom developed application.

SharePoint is in the active development plans of Microsoft and they have committed significant investment in developing this platform and furthering its capability. The future versions will definitely have additional productive features and prolonged support for the coming years.

Native integration with Office applications– Incorporation of the Open XML standard into SharePoint has led to seamless integration with other Office applications. The latest edition of SharePoint allows users to drag and drop emails from Outlook to SharePoint libraries, save attachments to libraries, check in/out documents from the client application etc. If you are a Microsoft shop then the lines between applications like SharePoint, Lync, Outlook, Word etc. are blurring, by providing user related content from different applications in the same interface.

User friendly – SharePoint comes with the familiar ribbons and interface which the users on Microsoft base are used to. This improves the adoption and acceptance rate of the application drastically.

SharePoint Cons

The following are the limitations/weaknesses that we at Trigent observed in the latest version of SharePoint

Out of the box connectors allow us to integrate multiple applications with SharePoint, but due to the underlying architecture, the performance deteriorates when dealing with millions of records.

WCM requirement– SharePoint lacks some of the advanced functionality and usability which is available in other WCM solutions like Kentico, due to which we believe that it’s not a good platform for WCM.

Uniformity between multiple instances of SharePoint– From an enterprise perspective, the various instances of SharePoint should have the same security policy governing them. Currently the only way to do it is to manually replicate the policy, which makes it prone to errors.

Data storage– SharePoint stores all documents in SQL which makes it a bad solution for storing millions of documents of low usage.

Managing permissions– Permissions in SharePoint are implemented using user groups. User groups flow down the hierarchy of SharePoint with the possibility of making changes at any level. This makes it challenging to maintain the user groups and to accurately maintain the access level on a library or content.

Administration– Due to the breadth of functionality available, SharePoint administration is a job in itself with its own certification. Getting an appropriate administrator with in-depth knowledge can be expensive or difficult.

Limitations and boundaries– The main limitation is that of content database size, which is recommended by Microsoft to be kept under 200 GB for active content. In today’s age of extensive storage of digital content, and of maintaining multiple versions of the same content, the 200 GB limitation can be easily reached.

There are workarounds available that we at Trigent have been using to overcome these limitations, depending on the specific requirement and the overall proposed design.

In short, as described in a blog that I once read, SharePoint is the Swiss knife for IT professionals: handy, compact, helpful, but it has its limitations too. If you want to discuss in detail, get in touch with us.

Design SharePoint Site – Responsive web design in SharePoint 2013

There are approximately 250-odd unique screen sizes in production for mobile alone (the smallest being a Nokia phone with a 94×44 screen size). Add to this all the sizes available in desktops and laptops and, why stop, include TV sizes too as people adopt “smart” TVs.

So where do you start, what size do you build the site for, how many sizes do you plan to test the site in?

Life was easier a couple of years back. The moment the statement was read, the project was broken into two: UI for desktop/laptop and UI for mobile devices. If the project was in SharePoint, then that translated to 2 sets of UI components, but the challenge still was in identifying and accurately redirecting the user to the appropriate set based on the device. Microsoft worked “hard” and has included the device channel feature in the latest release, SharePoint 2013. Does that really solve the problem at hand?

Device Channel in simple terms: when a user browses a SharePoint site from a mobile device, the mobile browser submits to the site an HTTP GET request that includes a user agent string. This string contains information about the type of device that is trying to access the site. Based on that device substring, the device browser can be redirected to a specific master page view which will have its own set of CSS that optimizes the view for the user. This takes care of the question of where to start, but we still need to plan and create master pages and device channels for the possible screen sizes. This is a very open-ended scope. Sure, you can do your analysis to identify the most popular sizes and identify the sizes specifically in scope of the project, but that means a crappy experience for the select few (like me) who have not upgraded to the latest and greatest. The fact that there are new mobile devices releasing every month with different screen resolutions makes this approach good but not the best.
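
A simplified model of the user-agent substring matching described above, added here as an example (not SharePoint code and not from the original post). Channel aliases, master page names and user-agent strings are constructed; the model assumes channels are checked in ranked order, the first match wins, and a default applies otherwise:

```python
from dataclasses import dataclass, field

@dataclass
class Channel:
    alias: str
    master_page: str                      # hypothetical master page name
    inclusion_rules: list = field(default_factory=list)  # user-agent substrings

# Constructed channel list in ranked order (highest priority first).
CHANNELS = [
    Channel("WindowsPhone", "wp.master", ["Windows Phone"]),
    Channel("Android", "android.master", ["Android"]),
    Channel("iPhone", "iphone.master", ["iPhone"]),
]
DEFAULT = Channel("Default", "desktop.master")

def matching(user_agent, channels=CHANNELS):
    """Every channel whose rules match; more than one means ranking decides."""
    return [ch.alias for ch in channels
            if any(rule in user_agent for rule in ch.inclusion_rules)]

def resolve(user_agent, channels=CHANNELS, default=DEFAULT):
    """First channel in ranked order with a matching substring, else the default."""
    for ch in channels:
        if any(rule in user_agent for rule in ch.inclusion_rules):
            return ch
    return default

# Constructed sample strings. Some phone browsers advertise other platforms'
# tokens for compatibility, so one string can satisfy several channels.
WP_UA = ("Mozilla/5.0 (Mobile; Windows Phone 8.1; Android 4.0; ARM; Trident/7.0) "
         "like iPhone OS 7_0_3 Mac OS X AppleWebKit/537 Mobile Safari/537")
DESKTOP_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0"

if __name__ == "__main__":
    print(matching(WP_UA))                                 # overlapping channels
    print(resolve(WP_UA).master_page)                      # ranked order picks one
    print(resolve(WP_UA, list(reversed(CHANNELS))).alias)  # other ranking, other page
    print(resolve(DESKTOP_UA).alias)                       # no rule matches
    # The header is whatever the client sends, so any client can select any
    # channel; treat the channel as presentation, never as an access decision.
    print(resolve("iPhone").master_page)
```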

What’s a better approach, you ask? RESPONSIVE DESIGN.

Responsive Web Design (RWD) adapts the layout to the viewing environment by using fluid, proportion-based grids, flexible images, and CSS3 media queries, and pushes a client-side solution presenting an entirely different page structure to different devices, with some original elements hidden or moved around. The key is to keep all element sizes relative. Easier said than done in SharePoint, as you have to bring the responsiveness to various components (navigation, ribbons, layouts…). Plus you have the main issue of rendering images in multiple sizes too.

How to make your life easier? Try the suggestions below:

  • Use 3rd party front end framework that supports RWD e.g. Twitter Bootstrap, SimpleGrid, Zurb etc.
  • Test the design and layout for various sizes using simulators like Responsinator, Adobe Edge Inspect
  • Use responsive image rendition feature of SharePoint 2013.
  • If you are not happy with the native feature, you can try 3rd party tools like Adaptive Images to help you with rescaling images for screen size.

If you need elaboration on any aspect of RWD or SharePoint 2013 Consulting, get in touch with us.