IT checklist

Running an IT system can be a headache. Few small businesses can afford the luxury of a dedicated IT department or Help Desk, but they still need to cover their functions.

A small business needs to make sure that those tasks are allocated to someone within the business or to an outside provider. The following checklist will ensure small-business owners and managers have an IT overview and don’t overlook the important things.

IT checklists start with tasks a small business is most likely to perform in-house, to tasks for which a small business should engage an outside provider.

Every business is different and has its own needs. So take appropriate advice about the specific needs of your business before taking action.

1. Maintaining physical security over IT equipment, backup tapes or disks, etc

If someone steals your computers or your backup tapes, you lose not only the equipment but all the data on it. Physical threat is as likely to come from careless or malicious staff as well as outsiders. Make sure you have your hardware and backup tapes or disks secured.

• Have a secure, locked, air-conditioned or well-ventilated space for servers and other equipment that does not need to be out in the open. As few people as possible should have access to this space.
• Someone in the office should be allocated responsibility for securing the area where servers and backup tapes are stored. Arrange for backup person to cover times when the primary person is unavailable because of holidays or illness.
• Backup tapes and disks should be routinely stored off-site in a secure location.
• Where equipment is out in the open, or is left unattended for periods of time, desktop machines should be locked to the desk or to the building structure.
• The business should have a policy on keeping laptops and mobile devices secure when they are out of the office. (Employees should not leave laptops in a car, for example.)

2. Creating and maintaining in-house rules about access, permissions, passwords and other safety, security and administrative rules

Intruders, old employees and kids hacking for fun can access your business’s information unless you have rules for who can access what data.

• Have written rules (perhaps only one page) on who is allowed to access what data, how passwords or pass phrases, are to be formatted, how often they expire, at what intervals they can be recycled and other security issues.
• Ensure no one ever has to share their password with another user. If users share a computer, each person needs an individual profile, user name and password, and it should be made clear to staff that using someone else’s password is like forging their signature.
• The rules in place should define reasonable personal use of computers and internet access.
• Safety issues must be considered, such as ensuring that cables do not run across hallways or walkways, appropriate numbers of power outlets are available for IT equipment and that staff follow appropriate practices in using IT equipment to prevent accidents or injury.
• Develop a communications strategy and allocate responsibility to someone in the office for ensuring that new employees know about the rules.
• Allocate responsibility to someone in the office to keep the rules up to date.

3. Downloading and deploying daily data files for anti-virus software

Viruses are invented daily, so you need to ensure that data files for your anti-virus software are downloaded and installed daily. Viruses in this context include all forms of malware, viruses, trojans, spyware, etc.

• Set up the anti-virus software to update hourly and to send an email alert to the responsible person or, if that person is away on leave or for illness, alerts go to someone else.
• If your business runs seven days a week, have someone to receive and respond to alerts every day.

4. Administration: Maintaining records of software licences, domain names, service contracts for peripherals like printers, liaising with vendors

Your software licences are valuable. It’s easy to install software on a machine and “forget” it is there. It is also easy to forget what service contracts you have in place for your equipment. Finally, it is easy to forget to renew a domain name. Domain names are not expensive, but they are very valuable. If you don’t renew your domain name, someone else can register it and you will struggle to get it back.

• Allocate responsibility to someone to keep a list of what software is installed on every machine, with what licence, to ensure the business is complying with the licence agreements and is protecting the business’s assets.
• Allocate responsibility to someone to keep a list of what domain names and web hosting arrangements you have, with expiry dates. You have a system in place to remind you of when to renew domain names (you should renew them about three months before the deadline).
• Allocate responsibility to someone for maintaining a list of all service contracts. Only one person should be permitted to call a vendor for service.

5. Answering basic questions from users about how to use the software and hardware, and troubleshooting minor problems

Your investment in desktops, laptops and software licences is significant. It is no use investing in these unless your people can use of the hardware and the software. And, although support and advice from colleagues is a good way to learn, you don’t want the entire office to stop work while everyone crowds round one person’s desk as they try to create a table of contents in Word.

• Allocate responsibility to one person (with a backup if necessary) to replenish stocks of paper, toner, etc, for printers and fax machines.
• Devise a process for users to get help in using software and hardware and troubleshooting minor problems (such as a printer not working). For example, an employee might first ask your in-house “power user” for advice. The next move would be to seek free help, such as from online newsgroups; and then to get paid help from an external adviser or trainer.
• Everyone in the business should know the process and you should encourage them to use that process by following it yourself.
• New employees should be told about the system and encouraged to use it.

6. Creating, maintaining and deleting users from the network

New employees need to be added as new users to the network and, just as importantly, people who leave should have their details removed as soon as they depart.

• Give someone the task of being a “network administrator”, perhaps with a backup, to add new users to the network.
• Have a system in place where a new user can be added to the network so they can be productive from their first day, without having to use someone else’s password to access the network.
• Have a process in place to maintain a central registry of passwords to business-critical files or applications, or to retrieve passwords from departing employees. For example, an accounts clerk may have passwords to the online banking, or employees may have password-protected individual documents that the business will need.
• The person who calculates the final pay for an employee leaving the business should inform the network administrator that the employee is leaving. The network administrator should then disable that user’s password from the network.

7. Creating and resetting network passwords

All new users on the network will need a password they can change for their own needs. And whether we like it or not, users forget passwords and can be locked out of the network.

• The network should have a “three strikes and you’re out” policy: users who get the password wrong three times in a row should be locked out of the network.
• The network administrator should be able (within, say, 10 minutes) to reset the password of anyone who is locked out, and there should always be a backup available.
• The network operating system should require users to change their network password regularly, say, every month or every three months.
• Password rules (number of characters, frequency of change) should be appropriate to the circumstances but not so difficult that users are tempted to write them down.

8. Installing new equipment (servers, PCs, laptops, printers, scanners, etc, along with their related drivers)

In a small business, it is tempting to buy new equipment without thinking about how it will be installed. You don’t want the entire business to come to a stop as five people try to install a new scanner “just like the one we have at home”!

• Make sure that the equipment you buy is suitable for a business network environment. Not all equipment suitable for home use will run on a business network.
• If you don’t have an IT professional in-house, when you buy new equipment, consider arranging for the vendor to install it. Whatever it costs will probably be cheaper than having staff fumbling at a task outside their area of expertise.
• To reduce complexity, consider limiting your purchases to a few brands and types of equipment that you trust and are familiar with.
• Make sure that new software drivers, such as printer drivers, are installed when you buy new equipment. Even if the new printer “seems to work” with the old drivers, make sure that everyone is using the same drivers for the same printer.

9. Setting up shared folders, granting / reducing permissions and managing disk quotas

Shared folders allow groups of employees to access the same files. Disk quotas restrict the amount of data that one employee can store on a server. There are security and performance implications for both.

• The business needs appropriate rules in place so people can access the data they need for their job, but data is generally secured.
• Give the “network administrator” the job of managing shared folders and granting permission to individuals or groups to access the files in those shared folders.
• Review permissions to access shared folders regularly (quarterly?) and delete permissions when they are no longer needed (perhaps because someone changed roles).
• If appropriate, impose limits on the space employees’ files can take up on servers. The business server is not the place for employees to store large files they have downloaded from the web!
• All business data should be stored on the server where it can be secured, and it should be backed up.

10. Downloading, assessing and deploying security patches for operating system and applications

As long as malicious users try to breach systems through security holes in software, software vendors will be issuing security patches. In 2003, hundreds of thousands of machines were infected by the Slammer virus, even though Microsoft had issued a security patch that prevented infection more than six months earlier.

• Decide on a policy for installing security patches. For example, you may decide to install all security patches as soon as they are made available. Or, if your line-of-business or back-office systems are old, uncommon or heavily customised, you may have a policy of testing each security patch against your software to ensure it will still work properly.
• Allocate responsibility to one person for downloading, assessing (if necessary), and deploying security patches for the operating system and applications (line-of-business applications, back-office systems and desktop applications).
• Have a process in place (perhaps a routine security audit by an external person) to check that security patches are being deployed appropriately.

11. Setting up and maintaining the connection to the internet and liaising with the ISP when there are connection problems

Internet connections are vital for most businesses. The market remains volatile and ISPs are routinely dropping prices, increasing service speeds and broadening service offerings. You may not want to change ISP every six months but you should stay aware of changes in this market.

• In choosing an ISP, explore a wide range of possible vendors to get the services you need and the best value for money.
• Allocate responsibility for managing the technical aspects of connecting to the internet. This might be the “network administrator”. This person deals with the ISP about connection problems.
• Allocate responsibility for regularly checking competitive pricing and service offerings from ISPs.

12. Making, testing, and restoring backups (from whole servers to single files)

What is your data worth? If you lost everything, how long would it take the business to be up and running again? What would it cost, in time or money, if your business lost the last month’s data? A backup is only as good as what you can restore!

• Have a documented backup process and allocate responsibility to someone for backing up data from servers every day. This includes reviewing the backup log for any issues relating to the success or failure of the backup, and responding to those issues. Ensure someone is available, and is trained, to cover if your main person is away.
• Have a documented process for restoring data from your backups and conduct regular — monthly or quarterly — tests to ensure the process works.
• At least some backup media should be stored off-site. For example, if you back up every day, you might store every second day’s data off-site. It may be appropriate to keep regular permanent backups offsite, such as a backup of financial data after each end-of-month procedure is completed.
• Devise a policy that requires users to store business-critical data on the server. If a user stores a file in a desktop computer, that file will not be included in the normal backup process.

13. Disaster recovery, such as after prolonged power failure, fire, flood, theft

Your business may depend on your IT system, and so you need to know that the business will survive even if the IT system is destroyed or damaged.

• Guard against disasters by installing surge protectors, power conditioning and uninterruptible power supplies. Have software in place to enable a controlled shutdown of servers and perform regular tests on these systems.
• Have a contingency plan for getting your business up and running again. Some businesses have an arrangement with a similar business to act as a “warm site” so that there is at least one computer in their office that you could use to load your backup and get your business running again.
• Write out the steps to be followed after a disaster. Remember that as owner or manager, you may not be available after a disaster to perform work like this, or even direct it.
• Ensure that the relevant employees in the business know where to find the disaster recovery instructions and how to follow them. That probably means the procedures will need to be printed out and, preferably kept away from potential disaster areas.
• Practise your disaster recovery steps at least once with the current team of people.

14. Troubleshooting network problems involving the WAN or LAN (including routers, firewalls, bridges, switches, cabling, wireless access points and devices etc) and setting up and maintaining systems for remote users to log in to the network from home or while travelling

Perhaps the most frustrating IT problem is when the network fails. It can be difficult to pin point the source of the problem and unless you have a networking expert in-house, you may need external help.

• Consult with an expert in security related to your operating system, and make sure they are confident your network is secure. This is particularly important if you have a wireless network.
• The network administrator should write down the all the user names, passwords and settings for all network-related equipment. The information should be kept secure, but available to those who may need it to repair network problems.
• Arrange that at least one person is available at all times with basic knowledge of how the network operates, and for a network expert to write down basic trouble-shooting steps for your in-house person to follow in case of problems.
• Established a working relationship with an external specialist who is familiar with your business and your network set up, and can be available at short notice to fix urgent network problems.

15. Deploying existing software to new users, setting up new software and deploying new software to existing users

This task needs to be undertaken with some care; first, to ensure that the software is installed and set up appropriately; and, second, to ensure that licensing arrangements are followed.

• If you have an IT professional in-house, discuss with them how software is to be deployed and set up.
• If you do not have an IT professional in-house, establish a working relationship with one who can guide you in deploying and setting up software. You should have a clear understanding within the business of when tasks will be done in-house and when you will call in outside help.

16. Training users in how to use new software and hardware

The more your users know about the software they use every day, the more productive they can be. You don’t want office staff wasting time on page numbering every time they have to produce a word document when a brief training session would teach them how to do it. Few users manage to teach themselves anything beyond the basics, but sending people to generalist “Introduction to X” or “Intermediate Y” courses often doesn’t help. To be effective, you have to be specific.

• Talk to employees and write down the tasks they need to perform using their software.
• Plan to get appropriate information or training for them to perform those tasks effectively and efficiently.
• Have a way of checking back with employees soon after training about whether they can now perform the relevant tasks. If skills learned in training are not used on the job immediately, they may be lost and the training will have been wasted.

17. Cleaning up machines that have been infected with viruses, trojans, worms or other malware

In spite of your best efforts, some machines will become infected with viruses or other malware. (Laptops are more vulnerable than desktop machines.) You need them cleaned up properly; in the case of severe infection, this is a job for an expert.

• Decide how you will isolate infected machines from the network, and ensure employees know when to tackle the clean-up job themselves and when to call in an expert.
• If you don’t have an IT Pro on staff, establish a working relationship with an IT professional who can be available to clean machines at relatively short notice.

18. Customising software to suit the needs of the business

“Customising” can mean lots of things: writing a quick macro in PowerPoint; creating a stand-alone application based on Excel; or writing customisations that live within your line-of-business application or accounting system. Sooner or later, most small businesses will do one of these. Some can be done in-house by “power users”, but if it is something that is important to the business (and not just important to the user), you need a professional.

• Decide what customisations are appropriate for your business and, in general terms, how they will be created. When is it appropriate to let the in-house “power user” have a week or two to work on some Word macros, and when will you call in an expert?

19. Server management (mail server, web server)

Even micro businesses may run a server to manage mail, but many small businesses will run print servers, mail servers, and maybe web servers for intranet or internet sites. Server administration is a specialist skill and few small businesses would have an in-house expert.

• Consult with an expert administrator of your servers to write out the routine steps to follow for good administration of the database.
• Make someone responsible for undertaking those routine steps.
• Ensure you know what can be done in-house and when to call in an expert and have communicated this to staff.
• Establish a working relationship with an external specialist who is familiar with your business and your server set up and can be available at short notice to fix urgent server problems.

20. Database administration (eg, SQL server)

Very small or micro businesses may not run a significant database. But most line-of-business applications and medium-to-large accounting systems rely on an underlying database. Database administration is a specialist skill and small businesses would have an in-house expert.

• Consult with an expert administrator of your database (Microsoft SQL Server, MySQL, etc) to write out the routine steps to follow for good administration of the database including securing the database and backing it up.
• Appointed someone as being responsible for undertaking those routine steps.
• Know what you can do in-house and when to call in an expert, and communicate this to staff.
• Establish a working relationship with an external specialist who is familiar with your business and your database set up. Arrange for that specialist to run brief regular (quarterly? six-monthly?) checkups and be available to fix urgent database problems.