There are lots of different IT frameworks out there that you can use to audit the security or reliability of your IT. The ones from NIST, ISO, PCI, and HIPAA are the most popular.
We find these frameworks to be somewhat overly demanding and/or complicated, at least as something that small businesses can do by themselves.
Plus, as with most regulations, there’s a lot of paperwork and documentation involved here. And a lot about formalizing processes and responsibilities between large numbers of people, which aren’t relevant to small businesses.
The XO IT audit checklist is made just for small businesses and busy people that are just starting out with the IT audit process. Those that don’t really need a formal audit but still want to know if they’re following all the key IT best practices.
Let’s get started!
Let’s start with security since that’s the primary focus of a lot of IT frameworks.
Antivirus active and updated
Install antivirus software on all your computers and servers. Make sure they’re working and updated, otherwise they’ll be as worthless at preventing threats as mother birds telling their eggs and cuckoos’ eggs apart.
Use an RMM tool like NinjaRMM to manage and monitor your antivirus remotely.
Firewall implemented and properly configured
Use a network-level firewall to block all unneeded traffic. A firewall with intrusion detection and prevention systems (IDS/IPS) will help you identify and stop cyber attacks as they happen.
Block unnecessary protocols and sites like gambling, gaming, and social media websites. Make sure to allow or “whitelist” useful and stupendously informative resources like the XO blog.
Keep all your software up to date
Use an RMM tool to keep all of your operating systems and applications updated or pay an MSP to do it for you. Many updates and patches remove known vulnerabilities in software.
Famously, the devastating NotPetya ransomware from 2017 targeted a security hole that had already been addressed in a Windows update patch released 3 months earlier. Businesses like FedEx, Maersk, and Mondelez could have collectively saved $10 billion in damages just by keeping their Windows software up-to-date.
Encrypt all your drives
Encrypt all of your devices with technologies like BitLocker (which can be remotely implemented using an MDM tool like Microsoft Intune) or data-at-rest encryption. This prevents thieves from being able to access data off devices they’ve physically stolen.
Employee training
Teach your employees all the IT security basics:
- Be careful clicking on links and attachments in emails
- Pick strong passwords
- Don’t reuse passwords for multiple accounts
- Change your passwords every 90 days or so
- Always log off when stepping away from your computer in a public area
- Stay away from dangerous websites like gambling sites and social media sites when on the company network
- Make sure to follow XO on all social media sites to keep up on all the latest IT news and trends
Just kidding about the last one – we know you’re already following us on Twitter, LinkedIn, Facebook.
Physical security
Let’s assume you’re already doing the common sense things like:
- Having locks on your business’s doors
- Installing security cameras
- Putting expensive equipment like servers and networking hardware in some sort of locked rack
- Keeping non-employees out of sensitive areas
Less obvious measures include ensuring your employees’ screens and keyboards aren’t readily visible from any public areas, disconnecting unused Ethernet wall ports, and installing an access control system with individualized access cards or fobs.
Some regulations like HIPAA and SOX require you to maintain certain types of records for such and such period of time. Of course, it’s generally just a good idea to keep as much of your data as possible as long as possible, for legal reasons and long-term analysis and comparison purposes.
Backups are being done, validated, and are gapped
Some people only do one of these things – the back up part – and end up getting burned by incomplete or corrupt backups or ransomware.
You should set up a process to routinely validate your backups, ensuring they’re backing up all the data they’re supposed to and confirming that they can be successfully restored.
When performing backups, follow the 3-2-1 rule and make sure your backups are “gapped” or you have versioning set up so your backups can’t be encrypted in a ransomware attack.
What should you back up? Files, records, server configurations/backup images, and logs (records of digital activity and events, including the logs in the Windows Event Viewer and website access logs).
For every component of your IT, ask yourself, factoring in both the cost of an outage and of the measures needed to prevent it, what’s the maximum amount of time I could be without this?
If you’re not familiar with them, these are just fancy terms for:
- Things you do to prevent your IT systems from going down (business continuity) so you can keep your business humming as usual
- What you do to get them back up and running if something bad happens to them like a security breach, office fire, office break-in, power outage, etc. (disaster recovery)
What’s your RTO for key IT assets?
Every business is different, so consider your own Recovery Time Objective (RTO) – the maximum amount of time you can allow a certain asset, for example your Internet, POS system, or CRM, to be down.
Your RTO may be half a day, a couple hours, a week, or less than a minute, depending on your budget, how important the given asset is to your business, the cost of it being unavailable, and other variables.
Are you certain you can achieve it?
Now think about the measures you would need to put in place to ensure you met this RTO.
For example, with a CRM, you’d have to think of all the different ways it could fail and how quickly you could fix them.
Let’s say you host it locally and one of your servers breaks down.
- Do you have spare parts or an extra server on hand if the issue is the hardware?
- Do you have automatic failover set up with other servers in the cluster?
- How quickly can your internal resources or an external IT services provider/MSP deal with the issue?
- If your CRM is cloud-based, how quickly will the provider respond to the issue?
- What measures are they using for business continuity and disaster recovery?
Business continuity and disaster recovery can be as simple as having a few extra PCs on hand in a storage room. Or it can be as complex as having a cloud infrastructure with real-time replication and automated failover across the world. It all depends on your business’s requirements.
Are you tracking all of your IT hardware?
Tracking all of your IT hardware is a good idea for multiple reasons, including for budgeting, to ensure that spare parts and devices are available as needed, and to prevent theft.
Use a spreadsheet, RMM software, or an inventory management application.
Is it good enough to keep users happy and productive?
IT frameworks tend not to cover this, perhaps because it’s somewhat subjective and difficult to measure. But having an IT system that’s secure, reliable, and keeps impeccable records isn’t much use if it’s so slow it keeps your users from being productive.
You can use RMM tools to track performance metrics like CPU and RAM usage, bandwidth usage, and storage space. Or you can just ask your users if they’re running into any performance problems, or let them know to tell you if they do.
Most people aren’t shy about complaining about things like a slow PC, but just in case you may want to send out an online survey every once a while.
Typically IT hardware is considered old after 3-5 years, so one way to track performance is to track hardware age and then update or replace as needed.
Are you compliant?
Make sure you have the proper licenses for all the software you use. You can use an RMM tool or network discovery software to help with this process.
Microsoft is the most aggressive software vendor when it comes to ensuring compliance. Oftentimes they’ll send you an email asking you to self-audit and send them a spreadsheet with the results.
From what we hear, this is more of an upselling campaign than an actual attempt at an audit. But they may escalate to actually auditing you themselves or suing you for tens of thousands of dollars if you don’t comply.
Don’t just look at your processes and infrastructure. Evaluate your IT people, too, whether they’re in-house or outsourced or a combination of the two.
Support quality
Is your support team responding quickly enough to support requests? Are they being respectful and polite? Are they always looking to solve root causes and not repeatedly having to fix the same issue over and over?
Monitoring, management, and incident response quality
Are your admins reasonably effective at spotting issues that they should be, such as clear security breach attempts and obvious signs of hardware failure or limitations (spiking CPU, etc.)?
Are they able to restore from backups as needed – or are backups unexpectedly missing when they shouldn’t be?
Do they respond quickly and efficiently to issues such as outages and security breaches?
Are these issues resolved in a reasonable amount of time, do they do a root cause analysis, and take or present reasonable measures to prevent the issue from happening again?
Staffing levels
Are your IT team members having to continually put in excessive overtime just to fulfill their basic duties? Or do some of them seem to have little to do at all?
Proactiveness and responsiveness to change
Does your IT team seem like they’re always on top of things and know all the latest developments in tech?
Are they always coming forward with new solutions and initiatives, or do they wait to be asked?
The NIST Cybersecurity Framework broken down further
Ready to move on to more advanced, formalized frameworks? Here are the top ones to consider:
NIST Cybersecurity Framework: voluntary IT security framework developed by the US federal government
ISO 27001: IT security framework by the International Organization for Standardization; certifications available
PCI DSS: required if you accept payment cards; developed by the Payment Card Industry Security Standards Council which includes Visa, MasterCard, American Express, and Discover
HIPAA: required if you store medical records; part of the Health Insurance Portability and Accountability Act
You should also consider how the coronavirus has affected your IT, as well as (as best as you can estimate, with so much still uncertain) how long these changes will last and to what extent.
Covering all the different ways that the coronavirus could change your IT would take at least another blog post altogether, but here are some things to consider:
- If your office is empty most of the time but you still have expensive hardware there, do you need to strengthen your physical security measures?
- If you’ve downsized or paused operations in response to Covid, should you also reduce your IT staff or consider outsourcing to an MSP?
- How do you deal with employees with slow or unreliable Internet connections? Are you willing to pay at least in part for higher-speed home internet for them?
- How has your business continuity and disaster recovery situation changed? Can you still meet your RTOs, or have things like parts shortages and extra travel and shipping distance made this unlikely?
- What are you doing to prevent “shadow IT” – or preventing users from using non-company applications, services, and storage drives? This may come down to user education – making sure users understand the importance of maintaining consistent security and data backups.