Regularly checking up on your IT, from what is plugged in where to how many licences of MS Office you have, can seem to some like a waste of time. “We’ve done that already,” you protest, “why do it again?” We hope to convince you that diarising a regular, checklist-driven review of your IT estate will make it far easier to stay on top of your IT responsibilities for security, compliance, policy adherence and making sure your IT remains fit for purpose.
One of the greatest mistakes made in IT is assuming that once an issue such as security or compliance has been addressed at a particular point in time, the job is complete. IT is in a constant state of evolution and flux, and your own IT is no different. Changes on your network may introduce security vulnerabilities, and changes in legislation may alter your compliance duties. The cycle of reviews, audits and general navel gazing that surrounds successfully managing your IT never ends.
Both external and internal factors will influence the necessity of reviewing your systems, policies and records on a regular basis.
External factors that impact upon your IT
There’s a lot that can happen outside of your control which may require you to review, and possibly change, your IT in terms of strategy, configuration and policy – and budget. External factors include:
- software vendors tightening up their licensing and audit regimes, requiring their clients to furnish ever more detailed information on product ownership and usage
- the government amending legislation on, for example, data protection and the management of client and staff records
- regulatory bodies adding new rules on data processing, storage and management to reflect industry-specific practices
- technological innovations that change the way you work or your relationship with your data; regular outward-facing reviews of what systems, services or technologies could enhance your systems or address known deficiencies are recommended
- what your competitors are doing – are they using IT to their advantage (or your detriment) in new ways?
- the range and impact of external IT security threats, now a mainstream media issue; organisations are well advised to make this a topic for regular review in its own right, not least because it is directly related to changes internal to your organisation.
Software licensing is a large area in itself and requires close attention, not least because the main vendors seem to make a habit of constantly changing how their products are licensed as they compete ever harder for your organisation’s hard-earned cash and move between desktop, cloud and other delivery models.
Recent changes in data protection legislation, notably the GDPR, have meant that some organisations now have no choice but to put regular reviews of their corporate data, and how it is managed, on senior management’s agenda.
As technology continues to proliferate, bringing corresponding issues and threats with it, this won’t be the last far-reaching change to legislation affecting how you consume and use IT.
Internal factors that impact upon your IT
Internal factors are much more numerous and, more often than not, more nebulous. Business plans can change, budgets can be cut in response to external factors such as a perceived downturn in the economy, recruitment strategy may change, and changes in accounting and financial policy may, for example, alter the view taken on the lifespan of equipment.
Operational changes such as new systems being added to the network or existing systems being reconfigured, or changes in key personnel over time, may introduce technical challenges which need to be reflected in policy, documentation and areas such as security and backup configuration, access control and role demarcation.
Adding new servers or software packages to your network, or upgrading existing ones, can also introduce unintended changes which may not be caught outside of an explicit review.
The list is not exhaustive, but since your last audit you should pay attention to:
- anything added to or replaced in your systems
- any configuration changes to your systems, and their potential impact on security
- any personnel changes and their potential impact on IT security
- any headcount changes and their potential impact on IT requirements
- whether the infrastructure and software are still fit for purpose
- changes in business objectives, plans and accounting policy
- whether IT security processes and controls are still adequate
- whether any incidents have been logged and reviewed against process, controls and documentation
- how any of the above affects documentation – does it need updating?
- whether the right people are doing a good enough job, be they internal resources or an outsourced team.
Some of these tasks can be automated using software tools, and some will require specialised input from your IT team. Others will simply require good old-fashioned checklist reviews, reading documentation and shoe leather.
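The first two items on that checklist, anything added or replaced and any configuration change, are the ones that lend themselves to automation: record an inventory at each audit and diff the next one against it, flagging the changes that matter for security. The Python below is an added illustration and is not code from the original article. The two snapshots are constructed sample data, the attribute names (listening ports, admin accounts, packages) are an assumed inventory layout, and treating new listeners and new admin accounts as needing security sign-off is a reasonable choice rather than a rule the article states.

```python
"""Drift check between the inventory recorded at the last audit and the
current state of the estate.

Added illustration, not code from the original article. The two snapshots are
constructed sample data, and treating new listening ports and new admin
accounts as 'high' (needing security sign-off) is an assumption."""

from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# host -> attribute -> set of observed items (assumed inventory layout)
Snapshot = Dict[str, Dict[str, Set[str]]]

FIELDS = ("listening", "admins", "packages")

# Attributes where an addition widens the attack surface or the privileged
# user set, so it must not pass without explicit security sign-off (assumption).
SENSITIVE_ADDITIONS = {"listening", "admins"}

# Constructed: what was recorded at the last audit.
BASELINE: Snapshot = {
    "fs01":  {"listening": {"22/tcp", "445/tcp"}, "admins": {"alice"}, "packages": {"samba-4.15"}},
    "web01": {"listening": {"22/tcp", "443/tcp"}, "admins": {"alice"}, "packages": {"nginx-1.22"}},
}

# Constructed: what an inventory script would report today. Since the audit a
# remote-desktop listener and a second admin appeared on fs01, nginx was
# upgraded on web01, and a database server nobody documented was added.
CURRENT: Snapshot = {
    "fs01":  {"listening": {"22/tcp", "445/tcp", "3389/tcp"}, "admins": {"alice", "bob"}, "packages": {"samba-4.15"}},
    "web01": {"listening": {"22/tcp", "443/tcp"}, "admins": {"alice"}, "packages": {"nginx-1.24"}},
    "db01":  {"listening": {"22/tcp", "5432/tcp"}, "admins": {"bob"}, "packages": {"postgresql-15"}},
}


@dataclass(frozen=True)
class Finding:
    host: str
    field: str              # one of FIELDS, or "host" when a whole host appears or disappears
    added: Tuple[str, ...]
    removed: Tuple[str, ...]
    severity: str           # "high": needs security sign-off; "review": needs documenting


def compare_snapshots(baseline: Snapshot, current: Snapshot) -> List[Finding]:
    """Return every difference between the two snapshots, host by host."""
    findings: List[Finding] = []
    for host in sorted(set(baseline) | set(current)):
        old_host = baseline.get(host, {})
        new_host = current.get(host, {})
        if not old_host:
            findings.append(Finding(host, "host", (host,), (), "review"))
        elif not new_host:
            findings.append(Finding(host, "host", (), (host,), "review"))
        # A host missing from one side has no attributes there, so everything
        # on it shows up as added or removed in the per-field loop below.
        for field in FIELDS:
            old = old_host.get(field, set())
            new = new_host.get(field, set())
            added = tuple(sorted(new - old))
            removed = tuple(sorted(old - new))
            if not added and not removed:
                continue
            severity = "high" if added and field in SENSITIVE_ADDITIONS else "review"
            findings.append(Finding(host, field, added, removed, severity))
    return findings


def needs_signoff(findings: List[Finding]) -> List[Finding]:
    """The subset that should block the review being signed off until explained."""
    return [f for f in findings if f.severity == "high"]


def format_report(findings: List[Finding]) -> str:
    """One line per finding, suitable for pasting into the review log."""
    lines = []
    for f in findings:
        parts = []
        if f.added:
            parts.append("added " + ", ".join(f.added))
        if f.removed:
            parts.append("removed " + ", ".join(f.removed))
        lines.append(f"[{f.severity.upper():6}] {f.host} {f.field}: {'; '.join(parts)}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = compare_snapshots(BASELINE, CURRENT)
    print(format_report(found))
    print(f"{len(needs_signoff(found))} of {len(found)} findings need security sign-off")
```

Run as-is it reports seven changes, four of which (the new listener and admin on fs01, and the listener and admin on the undocumented db01) are marked for security sign-off, while the nginx upgrade and the appearance of the new host itself are simply flagged for documenting. In practice the two dictionaries would be exported by whatever inventory tooling you already use, once at each scheduled audit, so the diff becomes the starting point for the "what changed since last time" part of the checklist rather than something reconstructed from memory.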
IT Policies need to change with the times
At the simplest level you should ensure your policies stay up to date with the internal and external challenges your organisation faces. For instance, every new cloud service provides a new avenue for data to leak out of an organisation, and social media constantly presents new challenges to managing the corporate reputation and brand.
Any recent technological innovation you can think of can disrupt the calm you have carefully crafted in one way or another. The pace at which these disruptive advances arrive is increasing as well, which needs to be borne in mind when deciding how often to review. At a very minimum, reviews should be carried out annually; the more diligent may carry out separate quarterly reviews for policy, security, and plan and budget changes prompted by pertinent recent events.
On a technical level we would urge you to carry out regular security reviews to ensure that what was once secure remains so, that no changes have been introduced which bring vulnerabilities with them, and that your defences meet your current requirements.
On a commercial level, regularly ensure that you are compliant with your industry's regulatory bodies, that your software licensing is up to date, and that your business's IT strategy is still aligned with your overall business strategy and plans.
Make sure that the audits and reviews, with their dates and recurrence clearly scheduled, are also enshrined in your implementation and documentation policies, detailing when they should be carried out, what should be reviewed and by whom. Keep a log of all these reviews and, most importantly, their outcomes: document what issues or changes were identified and the remedial action to be taken, and update the relevant documentation, whether policy, technical documentation or otherwise, accordingly.