I polled IT professionals from the ForeSite team and beyond to determine what key things every business owner, director of a school or nonprofit should know about their network.  My goal was to create a checklist that will help “nontechnical” people who have the ultimate responsibility of making technology related business decisions and protecting sensitive data to better understand what questions to ask of their IT professionals - whether you rely on an internal IT staff or a technology firm.

Some of the questions are obvious, such as making sure that your critical data is being backed up and that you know important passwords.  But there were also questions that could be eye-opening, such as “what remote access is being allowed?”.  I think back to a meeting with a Head of School when this question was asked, and it was determined that a former vendor and two former employees still had remote access to their server (and the data residing on the server)  simply because no one had thought to regularly audit the remote access and disable accounts that were no longer valid.

We hope this checklist will help you to get the information you need to make informed decisions about your network.  Your comments and questions are welcome!

Good news!  In response to concerns voiced by many small business owners in Massachusetts, the Office of Consumer Affairs has announced revisions to the identity theft regulations that were set to take effect on January 1st 2010.

New language in the regulations includes risk-based in implementation -  requiring safeguards that are more appropriate to the size of the business, the amount of personal data stored (client or customer data and employee files), and the type of business.

The revised regulations are more consistent with Federal law, and therefore an appropriate guideline for businesses and other types of organizations in Connecticut to measure their risks and identify what steps they can take to minimize their exposure to security breaches and the potential remediation and litigation that follows a breach.

A public hearing will be held on the changes on 9/22/09 at the Transportation Building, 10 Park Plaza in Boston at 10 a.m.

Click the link below for a copy of the compliance checklist: 

http://www.foresitetech.com/forms/download_compliance

I was opening my email one morning and noticed that the “out of office” message from an IT Manager of a local small business that said he was out of the office for the next two months. This was a company I had called on 8 months earlier and the company’s president had referred me to the IT Manager as their technology resource, so I looked up the company president’s name and gave him a call.

The President took my call. He explained that the IT Manager had been in an auto accident, and would be out for at least two months, and maybe longer. They didn’t have anyone else internally that knew the network, and he was concerned, but wasn’t sure what to do. He couldn’t replace an employee who would be coming back at some point, but what would he do if an issue came up in the meantime?

I suggested a Network Health Review to allow us to get an overview of his setup and any initial concerns without any cost or obligation. We both agreed that this would be a good starting point. I set up a review for the following day, and two days later, sat down with the management team to go over the findings. Overall, things were in decent shape. We identified some potential issues that we could easily fix, including:

• Incomplete backups which included data, but not the system state (registry and other system information that needs to be restored in the event of a hardware loss)
• Battery backup software was not configured to shut down the server gracefully in the event of a prolonged power outage.
• Lack of system documentation – No network diagram, no inventory of hardware/software, no master password list, etc.

We also came up with some other questions that no one in the room knew the answer to. This discussion led to us assigning a systems engineer to the company on a weekly basis for the duration of the IT Manager’s sick leave. We addressed the issues we had uncovered in the review, we found the answers to the questions about how the network was configured, and what the contact and account number information was for their key vendors. We set up Help Desk coverage for his staff so they had a resource to resolve issues on the days when we were not on site. This was critical to maintaining their productivity since they were accustomed to having someone else to ask for help and were not IT savvy.

About 3 months later, the IT Manager was ready to come back part time. He was able to quickly come up-to-speed on the changes we had made from our documentation. The management team was so pleased with the information that we provided to them, the level of support, and our ability to work well with their IT Manager that they decided to keep us on board with a scaled back schedule. Now they know that they have a backup resource when needed who is familiar with them and their setup.

8 months earlier when I contacted the President of the company, he was all set, he had someone handling his network. You never know when things could change, but you can be prepared by knowing where you stand BEFORE it happens.

Call it what you will; business resumption plan, disaster recovery plan or emergency plan, any business that relies upon technology for any single process should have one in place. These plans can be anything from a simple call list of contacts to very extensive documents outlining each and every move made by each and every player ensuring the most efficient recovery possible. So what is right for your business? Here are some things to consider:

• Is there a system or systems that you rely so heavily upon that without it your business will not function?
  

This type of system is usually noted as a business critical system, and should be well documented with the amount of time it can be down and the exact steps necessary to bring it back up to a functional status. Additionally, each system like this should have a single point person who is responsible for the plan as well as clearly spelled out tasks and responsible persons for the pieces of the recovery. With a system this important, leave nothing to chance.

• For systems that are not business critical, how long can each of these be down before they begin to affect your business?

You should make an exhaustive lists of your systems and prioritize the order in which they should be recovered. This will avoid the loss of valuable time during the crisis trying to make these decisions. Then, a plan should be put into place for each system based upon how a recovery can be executed. Again, list everyone’s responsibilities here so there is no confusion on recovery day.

• Update your plan

Your technology environment, as well as your staff, changes on a regular basis. When staff come and go, be sure to update the plan and ensure that the new people know what their responsibilities are in the event the plan must be put into place. Also, as you get new systems, these must be accounted for in the plan so nothing slips through the cracks in a crisis situation.

• Test your plan!

Going through the exercise of creating a plan is great, but if it does not actually work in the event of a disaster, it will not do you much good. A plan should be tested on a regular basis (at least annually) to make sure that it is still an effective way for your business to recover from a disaster.

Having a BR plan is like having insurance. You hope you never have to use it, but when you do, you sure will be glad you had it.