Every Organization Needs IT Policies Keeping a business’s data secure requires not only good technology but good policies. User carelessness is the biggest cause of breaches, and technical measures can’t stop people from making dangerous mistakes. A set of policies that employees and contractors understand, together with training in how to apply them, should be a basic part of the strategy of any organization that has important data which it needs to protect. A well-written policy is clear and specific, but not so loaded with unnecessary detail that it takes a lawyer to decipher it. If it’s too hard to read, people will just skim over it without understanding. The essentials in a policy need to include what it requires, whom it applies to, and a broad overview of how to carry it out, as well as possible penalties for non-compliance. How strict the policies have to depend on the kind of organization. Offices that hold personal health information, handle credit cards or do classified work need especially tight policies. Any organization that handles money or personal information needs reasonably strict policies, though. There’s no such thing as an organization that is too small for attackers to pay attention to it; in fact, some criminals specialize in small organizations on the assumption that they have lax security. We can broadly divide policies into those which apply to all users and those which concern only IT personnel. Let’s look at a few in the first category, as examples. Email policy. The policy should state to what extent it allows personal communication using company email, if at all. It should explain retention requirements, indicate what kind of language and commentary it prohibits, and spell out what use of third-party email services it allows or doesn’t. It should notify users that their mail may be monitored and they have no expectation of privacy. Password protection policy. This has to place specific requirements on the formation of strong passwords, prohibit password sharing and reuse, and list specific practices (writing down passwords or hints, giving them over the telephone, etc.) that users have to refrain from. If the company does any password guessing to test compliance, the policy needs to let the users know. Remote access policy. Instructions on how users may access the organization’s systems from outside go here. Requirements may include coming in only through the VPN, protecting their VPN passwords, not simultaneously connecting to other networks, and having antivirus software. Other policies are specific to management and IT personnel. Let’s look at a few examples.   Disaster recovery plan policy. This doesn’t specify the contents of the plan but states what kinds of contingency plans the staff has to create. It places requirements for reviewing the plan periodically and conducting tests. Server security policy. The requirements of this policy should include registering all servers, designating the primary person responsible for each one, specifying requirements for generating and retaining logs, maintaining access control (including physical access), keeping the software up to date, and reporting security incidents. Equipment disposal policy. This policy has to cover such issues as wiping disk drives before disposal, tracking and identifying equipment that has been cleared for disposal, and recycling. It needs to identify the kinds of equipment which it covers. The SANS Institute’s website offers a broad range […]

We have been at this for a long time, and we understand the value of following proven systems and processes. According to Wikipedia… “A standard operating procedure, or SOP, is a set of step-by-step instructions compiled by an organization to help workers carry out routine operations. SOPs aim to achieve efficiency, quality output and uniformity of performance while reducing miscommunication and failure to comply with industry regulations.” At White Mountain. we follow SOPs for everything that we know will be a task or series of tasks that will need to be repeated in a defined and consistent manner.  We generally follow industry-standard best practices for general IT management functions, and develop our own, as they relate to our unique processes and clients systems.  When we onboard a new client we follow SOPs for every step of the process, and as we get to know your workflow and internal procedures, we help develop custom SOPs specific to managing and supporting your technology. Examples of customized client-specific SOPs that we create and maintain: Employee on-boarding and separation procedures Security Event and Major Incident Response procedures Emergency Lock-down procedure Notification procedure for key teams, executive, management, all staff After hours outage, notification and response SOPs for all key failover events (internet, phones, email etc) Without being disciplined about following SOPs, how can anyone consistently achieve consistent, exceptional services for your users? If each person doing the work takes the liberty of doing it “their own way”, I can guarantee that it will result in poor service and frustrated users.  Not adhering to SOPs  leads to: Inconsistent and unreliable results Unnecessary security risks Lack of standards, which frustrates users, and makes ongoing support more difficult Callbacks and repeated interruptions for your users Excessive IT support costs This is a perfect example of the advantage of working with a Managed IT Service Provider that is experienced enough and large enough to be committed to professional IT management.  It’s not easy to do, we often spend more time documenting and following up on an issue than we did actually fixing it.  But we make up for it in the long run, with increased efficiency across our entire client base. In order to be able to maintain this level of excellence, your tech team needs CONSTANT professional guidance, oversight, and management, which is why doing IT support in-house without qualified, dedicated management staff can be such a disaster.  Anyone delivering IT services without a full time dedicated management team will have a hard time maintaining this level of service. Consistently following and maintaining SOPs is nearly impossible to achieve if you are depending on:  A single employee, or even two or three internal employees, without dedicated IT management An IT service provider without a dedicated management team (dedicated managers don’t do the tech work!) An individual part-time employee, or a neighbor, friend, or IT guy down the street If you think that you could use some help instituting SOPs in your company, give us a call anytime. Professional IT Management Service and Support Management Project Management Standard Operating Procedures IT Policies Systems Documentation Technology Consulting Cyber Security Training Reporting and Metrics Co-Managed IT Services Engineering & Support Help Desk Services Onsite Services Server Support Network Management Data Backup Disaster Recovery System Engineering Network Operations Network Security Project Work Staff Augmentation Cloud […]

Getting complex IT Projects done on time, and under budget, requires getting all stakeholders on-board early, and keeping them involved, informed, and in the loop. On our end, that means all technical, management and consulting resources. On the client’s end we typically engage with upper management, department managers, and other key personnel to assist with workflow, deployment, scheduling and testing procedures.  Then, of course, we need to include any third party suppliers, vendors, and contractors that may be involved.