Welcome to Microsoft/Office 365

Key takeouts

Online, ‘anywhere, anytime, any device’ is here and now

Organisations are implementing Office 365 as part of new licencing agreements

SharePoint Online is no longer standalone but a core part of Office 365

You can manage records in SharePoint Online in line with most of ISO 16175 Part 2

You may need to learn more about SharePoint Online in the context of Office 365

What is Microsoft / Office 365?

Software as a Service (SaaS) – Office apps

Platform as a Service (PaaS) – Development environment

Infrastructure as a Service (IaaS) – Microsoft servers

Licensing will determine what software and options you can access.

The (sad) digital reality

Records everywhere

Outlook (multiple ‘personal’ folders)

Office (installed)

Network and home drives (duplication, out of control folders), USBs, and cloud-based DM systems

Personal messaging apps

Personal social media

Maybe an EDRMS

Printed copies

Paper files

Microsoft / Office 365 - Home page

Office 365

One interface for everything

• Outlook Online

• Office apps (Word, Excel, PowerPoint, OneNote)

• SharePoint - replaces network file shares, USBs, and cloud systems

• OneDrive - replaces home drives, USBs and cloud systems

• MS Teams - replaces Skype (and other messaging apps)

• Yammer - replaces other social media

Plus a lot more (Office 365 Groups, Flow, Forms, Stream, Sway) accessible on any device

Microsoft / Office 365 – What goes where

Why Office 365?

For IT:

• Reduced storage costs (data centres or licensing)

• Reduced overhead costs (server support and maintenance)

• Provides true anywhere access

For staff:

• Latest Office features

• Office, mobile or home access

• More features

• More efficient

Records management in Office 365

Some settings (e.g., external access, retention policies) are configured in Office 365 Admin

Records are stored mostly in both Outlook and SharePoint (not in OneDrive)

We need to think differently

You may want to consider a third-party product but keep in mind that:

• Records people often don’t have IT skills

• IT people rarely have RM skills

You don’t know what you don’t know (or may not have enough knowledge).

What you need to know

Microsoft own and manage the platform

IT will configure certain settings, ideally with your input

Records managers should learn about:

• The Office 365 ecosystem

• Office 365 Groups

• SharePoint Online

• Managing records in Office 365 / SharePoint Online / Exchange Online

• The role/s you need to have

• Site collection administration

• Collaboration in Office 365

Starting point

IT has acquired (or now has access to) Office 365

It’s being implemented with or without 3rd parties

You don’t or may not have the access you need

You may have (and/or manage) an EDRMS such as TRIM/CM

SharePoint is probably going to replace your EDRMS – but it’s not an EDRMS

Office 365 Governance and Administration

Office 365 Admin - Home page

Office 365 Admin – User licences

Any of these can be disabled so they don’t appear in the Office 365 menu

Office 365 Admin – Customised administrator

Office 365 Admin - Groups

Office 365 Admin - Office 365 Groups

Office 365 Admin - Services and add-ins

Office 365 Admin – Admin portals

Office 365 Admin – SharePoint Admin

Office 365 Admin – Security and Compliance

Permissions > roles (Records Management)

Classifications > labels (retention and disposal, information security)

Data loss prevention (DLP) (for sensitive information types, e.g., credit cards)

Records management > File plan, Events, Dispositions

Data governance > Dashboard, Import, Archive (mailboxes), Retention

Search > Content search, Audit log search

eDiscovery (Cases)

Office 365 Admin – Security and Compliance – Retention labels

Office 365 Admin – Security and Compliance – Labels/File Plan

Office 365 Admin – Security and Compliance – Labels/Settings

SharePoint - Retention model

Retention for corporate ‘dark’ data (Joanne Klein)

Office 365 Admin – Security and Compliance – Notification

How it works (including metadata retention) and the role of records managers

Office 365 Admin – Security and Compliance – Dispositions

Office 365 Admin – Security and Compliance – Decision

Office 365 Admin – Exchange Online - Labels

Exchange – Retention model

Teams – Retention Model

Office 365 Admin – OneDrive - Retention

Office 365 Admin – Audit Logs

Office 365 Admin – eDiscovery

Summing up

Office 365 Admin includes a range of configuration settings that require input from records managers

Records managers need to understand Office 365 Groups

Records managers should have specific roles which may include SharePoint Administration and the ‘Records Management’ role

Records managers should configure retention policies and have responsibility for disposal actions

Records managers may need to access the audit logs or be involved in eDiscovery cases

Welcome to SharePoint Online

The duality of SharePoint

Team sites (classic vs modern, with O365 Groups) (plus OneDrive)

• These are the functional replacement for network file shares (and home drives)

Communication sites

• These are the functional replacement for intranet and publishing sites

The governance

‘balance’

SharePoint governance -

roles

Who is responsible for what

• Who? Promotion and adoption

• Office 365 Global Administrators (and other roles)

• SharePoint Administrator (O365 Service Account role) – managing SP

• Site Collection Administrator (Records manager/s) –managing site collections > why records managers?

• Site Owners – managing sites

Essential to consider – who can create Office 365 Groups?

SharePoint architecture

All SharePoint Online sites exist under one of two paths under the tenant name (https://tenantname.sharepoint.com/):

• /teams/ >> logical organizational elements (incbusiness function)

• /sites/ >> cross organizational information

Metadata.

Documented naming conventions.

Retention model.

Configuration settings should be documented, any changes should be approved

See - https://docs.microsoft.com/en-au/sharepoint/sharepoint-online

SharePoint - Simple Architecture Model

Information Technology (HUB) Finance (HUB)

Finance AP Finance AR

Legal

Executive

Human Resources (HUB)

Recruitment (GRP) Training

Property

IT Ops (GRP)

Business Function Business Function

Office 365 Groups -

avoiding feral SharePoint

sites

Implement a control process (for example a SP list to request a new site/MS Team or O365 Group)

If the options are not controlled:

• Office 365 Groups created via the ‘Create Group’ in Outlook will create the group with an associated SharePoint sites, can be linked to MS Teams.

• A new SharePoint site created via the ‘Create Site’ option in the user’s SharePoint portal will create an Office 365 Group (that can be linked with MS Teams).

• A new Team created via the ‘Create Team’ in MS Teams creates an Office 365 Group with an associated SharePoint site.

• A new Yammer group creates an Office 365 Group with an associated SharePoint site (and can be linked to MS Teams).

SharePointGovernance

Document

All SharePoint settings, the ‘design decision’ for each based on the reason behind them, and who is responsible, should be documented and this documentation should form part of your governance arrangements.

For example, External Access

• Is it allowed in the O365 Admin setting?

• If it is allowed, who decides if a SPO site should be accessible externally (including access controls)?

• What setting will be changed in SPO?

SharePoint or OneDrive?

SharePoint• Ours• Files others need if you leave• Records management features• Long-term storage, retention and disposal• Group/team-based permissions by default• Protection• Unlimited storage

OneDrive• Yours• Files nobody would need access to when you

leave• Simply a convenience• Short-term storage• Default permissions restricted only to you• No iTunes, family photos• Up to 1TB

Implementing SharePoint as a

recordkeeping system in line with ISO 16175 Part

2

ISO 16175 part 2

Create

• Capture

• Metadata

• Aggregations

• Identifiers

• Classification

Maintain

• Authentic and reliable

• Access and security

• Hybrid records

• Retention and disposition

Disseminate

• Search, retrieve

• Render

Administer

What is a record?

Evidence of business activities, often (but not exclusively) in the form of a document or object, in any form. A record will usually have some form of metadata. (ISO 15489, Archives Act 1983 (Cwlth))

The essential attributes of any record, according to ISO 15489, are its:

• Authenticity

• Reliability

• Integrity

• Usability

An effective recordkeeping system should ensure that these attributes are maintained, in the relevant business context, in order preserve the evidence of business activities for as long as the record must be kept.

Classification:Functions

(5.3)

Functions

• SharePoint sites can broadly map to business functions (which may sometimes be the same as the actual business unit name).

• This provides a way to aggregate ‘like’ content under the function. Multiple sites in the same function may cross-linked, including by using the hub/spoke capability.

• Functions can also be applied via retention policies (as seen in the Security and Compliance Portal)

Create: Aggregations

(5.1.4)

Folder: function or series level

File: activity level

The ‘folder’ level in SharePoint is the Site collection.

The ‘file’ level in SharePoint is a document library.

It is important to have document library naming conventions.

Classification:Activities

(5.3)

Activities

• Document libraries

• These should be named after the activity to which they relate, and ideally include a year –for example ‘XYZ Committee Meetings 2018’, rather than have a single library called ‘Meetings’ then use folders to break up the content.

Function and activity combined:

• https://tenant.sharepoint.com/teams/financeAP/invoices2019

Create: Capture

(5.1.2, 5.1.8)Links

(5.1.4-24/25)

Office-based records (Word, Excel, PowerPoint) can be created directly in SharePoint, or from the relevant application and then saved directly to SharePoint (no need to use NFS).

Create link to other documents.

Both the Save and Save as dialogues show OneDrive and SharePoint first, then the other options.

Drag and drop to sync’d library.

Emails: drag and drop email, attachment, or both to sync’d library, use Flow, or leave in place.

Emails remain unchanged.

Create: Versions(5.1.2-7)

SharePoint document libraries have versioning enabled by default.

Versions are specific to a library or list item.

Any previous version can be viewed or restored, subject to permissions.

To view a previous version, click the date/time.

To restore a version, click the down arrow to the right of the date/time.

Create:Metadata

(5.1.3)

Almost unlimited metadata is possible.

Site columns or local columns.

Managed metadata service.

All document libraries include:

• System generated and unalterable metadata (File Type, Created by, Created (date), Modified by, Modified (date) etc.

• Dublin Core metadata(Title, Subject, etc)

• New metadata (via site columns or local library columns)

Metadata can be mandatory or optional and can also be exported at any time using the ‘Export to Excel’ option on every library menu.

Create:Metadata:

Content types

Kind of similar to TRIM/CM ‘record types’

Site and library content types

When to use them

Linked with document templates

Why to avoid them

Deprecated functionality - retention and disposal connectivity

Records Center – copy to capability loses document integrity

Create:Metadata:List views(5.1.3-14)

All metadata columns can be displayed in the list view.

When a record has been selected, the properties pane displays the metadata properties for each record.

Every Office document (Word, Excel, PowerPoint) retains the library metadata in the document properties, including when it is ‘saved as’ somewhere else.

Metadata properties (such as document ID) can also be displayed in the document body.

Create:Identifiers &

Identification(5.1.3-20, 5.2)

Document ID feature:

• Site acronym (e.g. FinanceAP)

• Library Unique ID (e.g., 1233212)

• Document ID (next in sequence)

Document IDs and any other metadata remain embedded in Office documents (‘metadata payloads’)

Libraries and folders have unique GUID numbers.

• 3ce2112e-d1fc-45c7-ad53-96fff8c10bb1

Create:Bulk Importing

(5.1.5)

Bulk importing can be achieved in multiple ways.

Simplest is via File Explorer, set up columns as required and import or set the metadata.

Can use products like ShareGate.

Maintain: Import, export

of records(5.4.7-125

Records in SharePoint, along with their metadata, can be migrated in multiple ways.

Commonly this would be by using File Explorer but other export tools can be used as well.

Maintain: Controls and

security(5.4.1-5.4.7)

Access to records in any site is restricted by default to the members of three permission groups: Site Owners, Site Members (add/edit), and Site Visitors (read only).

These groups can be modified as required by Site Owners only, and new permission groups can be created. Records can be restricted to an individual person if required.

The ability to delete a record is enabled by default. It can be disabled per site or library.

Data Loss Prevention (DLP) policies can be used to monitor or prevent the unauthorised exfiltration of records.

Information security classifications (e.g., Confidential, Secret) can be applied as labels.

Maintain:Audit trails(5.4.8-131-

133)

Audit logs record all activity undertaken on a SharePoint site.

Site audit logs are retained for 7 days but can be exported.

Audit logs for the entire system are retained for 90 days. These are accessed from the Office 365 Security and Compliance Admin Centre under the ‘Search and Investigation’ section, accessible only to Global Admins and Security Admins.

Maintain: Hybrid:

Managing paper records

(5.5)

Paper records can be managed in SharePoint lists, with as much metadata as required.

Maintain:Retention and

disposal(5.6)

Records retention classes are set in the Office 365 Security and Compliance Admin Centre under the ‘Classifications’ section.

When published, these become available in document libraries and lists in SharePoint as well as in Outlook. Classification policies are more likely to be applied in team site libraries as each library may have different type of content. Question – who applies them?

If applied, content cannot be deleted.

A retention policy may also be applied to the entire site as a Site Policy. This is more likely to be used where the entire site can be subject to a single retention policy, for example, project sites.

Maintain:Legal holds

and eDiscovery(5.6.1-162)

Office 365 includes an eDiscovery option in the Security and Compliance Centre. This option allows records to be placed on hold (not destroyed), pending the outcome of the legal hold.

Once the legal hold is lifted, the records resume whatever retention policy was applied.

Understanding ‘signals’

- The Office Graph

What is it?

Powers Delve and Discovery in OneDrive

Affects search results using AI

Disseminate: Search

(5.7.199-225, 5.7.232))

Users can find anything they have access to (new – Microsoft Search)

Search may be customized to the individual

Search can also find text in images

Disseminate:Render and

Redact(5.7.1, 5.7.3)

SharePoint supports the display of over 300 document types.

SharePoint includes check out/in capability, where required. It also supports co-authoring.

Redaction would require additional add ons)

Administration(5.8)

SharePoint includes a range of administration functions, including for reporting purposes.

Back-up and recovery is provided through the Recycle Bin and versioning options.

As a hosted system, organisations have no ability to restore the system to a previous point after updating.

Final points

End user experiences

Mobile and home PC access

Save as (SharePoint or OneDrive)

Sync to File Explorer

Share (instead of attach), with restrictions

Collaboration, including co-authoring and MS Teams

External access

Change is constant

Office 365 is updated constantly

Re-thinking documents (Fluid)

What is a record?

https://techcrunch.com/2019/05/06/microsoft-wants-to-reinvent-documents-with-its-new-fluid-framework/

https://www.microsoft.com/en-us/microsoft-365/blog/2019/05/06/build-2019-people-centered-experiences-microsoft-365-productivity-cloud/

https://www.microsoft.com/en-us/microsoft-365/roadmap

https://techcommunity.microsoft.com/

Final thoughtsRecords managers and IT need to work together

You need to learn about SharePoint Online as part of Office 365 – it really is not hard

You need to be part of this

Learning and training

resources

https://support.office.com/en-us/article/sharepoint-online-video-training-cb8ef501-84db-4427-ac77-ec2009fb8e23?ui=en-US&rs=en-US&ad=US

https://docs.microsoft.com/en-us/sharepoint/sharepoint-online

https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Office-365-Retention-Disposal-amp-Archiving-Frequently-Asked/ba-p/504158

https://docs.microsoft.com/en-us/office365/securitycompliance/retention-policies

https://docs.microsoft.com/en-us/office365/

https://www.microsoft.com/en-us/microsoft-365/blog/2019/05/06/build-2019-people-centered-experiences-microsoft-365-productivity-cloud/

https://office365itpros.com/