SCT Consulting – IT Running

You have set up the anti-virus software to update hourly, run a full scan each week and send an email alert to the responsible person or, if that person is away on leave or for illness, alerts go to someone else.

If your business runs seven days a week, make sure there is a way to address alerts each business day.

Your anti-virus software addresses viruses, trojans, spyware, key-logging software and warns against suspect web pages.

You have a spam filter in place to ensure most dangerous unsolicited email is not downloaded onto your network.

Your users know to be vigilant for "phishing" emails that may contain trojans and check suspect emails with others.

You have acted to prevent disasters by installing surge protectors, power conditioning and uninterruptible power supplies. You have software in place to enable a controlled shutdown of servers and you have tested these systems.

You have a plan in place for how to get your business up and running again. For example, some businesses make an arrangement with a similar business to act as a "warm site" so that there is at least one computer in their office that you could use to restore your backups.

You have written out the steps to be followed after a disaster. Remember that as owner or manager you may not be available after a disaster to perform work like this, or even direct it.

You have ensured that the relevant employees in the business know where to find the disaster recovery instructions and how to follow them. Procedures are printed out at a different location.

You have practised your disaster recovery steps at least once with your current team.

You are able to access passwords to online services that the business uses through some sorts of password management software.

You have written rules (perhaps only one page) on who is allowed to access what data, how passwords or pass phrases are to be formatted, how often they expire, at what intervals they can be recycled and other security issues.

Your rules mean that no-one ever has to share their password with another user. If users share a computer, each person should have an individual profile, user name and password. People in the office know that using someone else's password is like forging their signature.

The business rules address safety issues such as ensuring that cables do not run across hallways or walkways, appropriate numbers of power outlets are available for IT equipment and that staff follow appropriate practices in using IT equipment to prevent accidents or injury.

You have developed a communications strategy and have allocated responsibility to someone in the office for ensuring that new employees know about the rules.

You have allocated responsibility to someone in the office to keep the rules up-to-date.

You have allocated responsibility to one or two people to add new users to the network (this will be the "network administrator").

You have a system in place where a new user can be added to the network so they can be productive from the day they start work (without having to use someone else’s password to access the network).

You have a process in place to maintain a central registry of passwords to business critical files, online services, or applications, or to retrieve passwords from departing employees. For example, an accounts clerk may have passwords to the online banking, or employees may have password-protected individual documents that the business will need.

You have a process in place to change online passwords when employees depart.

The person who calculates the final pay for an employee leaving the business is responsible for informing the network administrator that the employee is leaving. The network administrator is responsible for disabling that user from the network as soon as they receive notice.

The network has a "three strikes and you're out" policy: if a user gets the password wrong three times in a row, the user is locked out of the network for a longer period of time (say, 20 minutes).

The network administrator can reset the password of someone who is locked out within a very short time (say, 5 minutes after violating the password policy) and would like to get back to the network as soon as possible.

The network operating system is set up so as to require users to change their network password regularly (say, every month or every three months).

Password rules (e.g. how long a password must be, and how frequently it must be changed) are appropriate to the circumstances but are not so difficult that users are tempted to write them down.

Secure your wireless network. You have changed the default password on your Wi-Fi network's equipment (e.g. routers/wireless hubs) and have implemented encrypted security channels rather than an open Wi-Fi connection.

The business has appropriate rules in place so that people can see the data they need for their job, but data is generally secured.

System and application access rights are reviewed and removed from people who no longer need it due to changed roles or leaving the company – limit system and application access rights to what is needed.

Administrator privileges are provided on an as-needs basis, even to their own mobile devices.

Someone (the "network administrator") has been allocated the job of managing shared folders and granting permission to individuals or groups to see the files in those shared folders.

Permissions to access shared folders are reviewed regularly (e.g. quarterly) and permissions are deleted when they are no longer needed (perhaps because someone has changed roles or left the company).

If appropriate, disk quotas are in place that limits the space that employees' files can take up on servers and cloud services. Employees should not store large files unless needed.

All business data should be stored on the server or managed cloud data service where it can be secured and backed up.

Cloud data services such as DropBox, iCloud, OneDrive and Google Drive are implemented in full awareness of the potential risks and benefits of such services – do not implement these lightly.

You have talked with the staff of the business and written down what tasks they need to perform using their software.

You have made plans to get appropriate information or training for them to perform those tasks effectively and efficiently.

You have a way of checking back with employees soon after training about whether they can now perform the relevant tasks. If skills learned in training are not used on the job immediately, they may be lost and the training will have been wasted.

You are aware of the risks involved in using free software. For example, you have considered using a private YouTube channel to create videos of how to perform tasks using your current software – this way a new employee can use these videos to understand how to carry out tasks essential to your business if the usual person is on leave or departs the business. Free software is available but check that this free software does not itself introduce malware. Be sure that no passwords are included on the video.

You have an acceptable use policy that has been reviewed by, or provided by, an industrial relations expert that sets out what users can and cannot do with your IT equipment.

The rules in place identify what personal use of computers and internet access is reasonable in the circumstances for the business.

Do not use USB or external hard drives from an unfamiliar source without the device being scanned on a known secure machine that is disconnected from the network.

Online social media tools such as Facebook and Twitter may be used by employees and inadvertently affect your business reputation. Your acceptable use policy makes it clear to employees what they can and cannot do when using online social media tools.

Online social media tools may be used by employees to "cyber-bully" co-workers. Your responsibility to maintain a safe workplace means that your acceptable use policy makes it clear to employees that such behaviour is unacceptable.

All staff must be vigilant regarding the information shared on social media – try to keep personal information private, and ensure employees are aware that such data may be used to "socially engineer" access to your data or to undertake "spear phishing" attacks.

Your acceptable use policy also addresses what people can do with business data (e.g. copy it, share it) on their BYOD (bring your own device) such as iPads, iPhones, and Android devices.

Your users know to be careful when using public wireless networks. Online transactions are not carried out using public wireless networks.

You have decided how you will isolate infected machines from the network and employees know when to tackle the clean-up job themselves and when to call in an expert.

If you don't have an IT professional on staff, you have established a working relationship with an IT professional who can be available to clean machines at relatively short notice.

You have allocated responsibility to one person (with a backup if necessary) to replenish stocks of paper, toner etc. for printers and fax machines.

You have devised a process for users to get help in using software and hardware and troubleshooting minor problems (such as a printer not working). For example, the process might be that an employee first asks your in-house "power user" for advice and, if that person can’t help, the employee seeks free help (from online newsgroups) or paid help (e.g. from an external advisor or trainer).

Everyone in the business knows the "getting help" process and you encourage them to use that process by following it yourself.

New employees are told about the "getting help" system and are encouraged to use it.

You have a secure, locked, air conditioned or well-ventilated space for servers and other equipment that does not have to be out in the open. As few people as possible have access to this space.

Someone in the office has been allocated responsibility for locking up the area where servers and backup tapes are stored. A backup person is organised to cover times when the primary person is unavailable because of holidays, illness etc.

Backup tapes and disks are routinely stored off-site in a secure location as "cold" backups.

Where equipment is out in the open, or is left unattended for periods of time, desktop machines are locked to the desk or to a portion of the building structure.

The business has a policy on security of laptops and mobile devices when out of the office (for example, employees may not leave laptops in a car). This policy includes the security of mobile data devices such as iPads and iPhones that have business data on them. Devices are not left unattended.

Critical business data is not stored on easily-lost USB sticks or external hard drives.

You are able to remotely "wipe" any mobile device your business owns that has your business data on it. You are also able to remotely "wipe" your employees’ mobile devices where they have sensitive business data you do not want others to find.

You have a documented backup process that provides for off-line, incorruptible and disconnected backups. You have allocated responsibility to someone for backing up data from servers every day. This includes reviewing the backup log for any issues relating to the success or failure of the backup and responding to those issues. Someone is available, and is trained, to cover for your main person's absence.

You have a documented restore process and you regularly (e.g. monthly or quarterly) test that you can restore data from your backups.

At least some backup media are stored off-site. For example, if you back up every day you might store every second day’s data off-site. It may be appropriate to keep regular permanent backups off-site, such as a backup of financial data after each end-of-month procedure is completed.

You have a policy that requires users to store data that is crucial to the business on the server. If a user stores a file on a desktop computer, that file will not be backed up during the normal backup process.

You have consulted with an expert administrator of your database (e.g. Microsoft SQL Server, MySQL, etc.) to write out the routine steps to follow for good administration of the database including securing the database and backing it up.

You have appointed someone as responsible for undertaking those routine database administration steps.

Regarding administering database, you know what you can do in-house and when to call in an expert and have communicated this to staff.

You have established a working relationship with an external specialist who is familiar with your business and your database set up. You have arranged for that specialist to run brief regular (e.g. quarterly) check-ups and be available to fix urgent database problems.

In choosing an ISP you explore a wide range of possible vendors to get the services you need and the best value for money.

Someone has been allocated responsibility of managing the technical aspects of connecting to the Internet. This might be the "network administrator". This person deals with the ISP about problems with the connection.

Someone has been allocated responsibility for regularly checking competitive pricing and service offerings from ISPs.

If you use cloud computing, you have a backup means of accessing the internet (for example, an TPG broadband account as well as a Telstra Wi-Fi hotspot) in case one provider’s services become unavailable.

You have consulted with an expert in security related to your operating system and are confident that your network is secure. This is especially important if you have a wireless network.

The network administrator has written down all the user names, passwords and settings for all network-related equipment. That information is kept securely but is available to those who may need it to repair network problems.

You have arranged that at least one person is available at all times with basic knowledge of how the network operates. You have arranged for a network expert to write down basic trouble-shooting steps for your in-house person to follow in case problems arise.

You have established a working relationship with an external specialist who is familiar with your business and how your network is set up and can be available at short notice to fix urgent network problems.

You have considered whether a cloud equivalent to your existing servers (e.g. Microsoft 365 – which would provide mail servers and file servers) would be more suitable for the business.

You have consulted with an expert administrator of your servers to write out the routine steps to follow for good administration of the server(s).

You have appointed someone as responsible for undertaking those routine server management steps.

Regarding administering server, You know what you can do in-house and when to call in an expert and have communicated this to staff.

You have established a working relationship with an external specialist who is familiar with your business and your server set up and can be available at short notice to fix urgent server problems.