In the article Check your IT infrastructure, I already addressed the need to carry out occasional checks in your IT environment. I described that in many IT environments there have been moments where something was solved with “digital duct tape”. In addition, organizational and social developments move fast. This means that an average IT environment is no longer sufficient. An ICT scan can give you insight, but how do you do it? In this article, I explain how and give you tips for performing an ICT survey.
An ICT survey consists of 3 parts:
1) Administrative: how is the administration around the infrastructure organized?
2) Functional: does the infrastructure still reflect the needs of the organization functionally?
3) Technical: do the ICT components still work well technically?
It is not always possible to maintain a clear line, but it’s good to clearly describe the three components.
Administration consists of various things. At a high level you can look at the various processes: how is a change carried out, what happens when an incident occurs, what steps are taken when a new employee starts? You identify the processes in use and compare them with the ITIL, MOF or ASL/BiSL processes. Does the organization use any of these standards? This provides insight into the maturity of the organization and its IT processes.
Even if the processes are documented, this does not mean they are actually implemented. You can easily check this by looking at ‘ghost’ accounts, for example: user accounts of employees who have left. If the processes are well set up and followed, you will hardly find any ghost accounts. If the process is set up but you can still find many ghost accounts (more than 10% of the total accounts), this could be a sign that the process is not being followed.
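As an added example (not part of the original article), the ghost-account check above expressed as a script. It assumes a directory export with an enabled flag and last logon date and an HR list of leavers; the data below is constructed for the example, and the 90-day stale-logon heuristic is an assumption that catches leavers HR forgot to list.

```python
from datetime import date, timedelta

# Constructed sample data: a directory export and the HR leaver list.
DIRECTORY_ACCOUNTS = [
    {"user": "j.jansen",   "enabled": True,  "last_logon": date(2015, 1, 20)},
    {"user": "p.devries",  "enabled": True,  "last_logon": date(2014, 6, 3)},
    {"user": "svc_backup", "enabled": True,  "last_logon": date(2015, 1, 28)},
    {"user": "m.bakker",   "enabled": False, "last_logon": date(2014, 2, 11)},
    {"user": "a.visser",   "enabled": True,  "last_logon": date(2013, 9, 30)},
]
HR_LEAVERS = {"p.devries", "m.bakker"}
GHOST_THRESHOLD = 0.10  # the article's rule of thumb: more than 10% is a warning sign


def find_ghost_accounts(accounts, leavers, today, stale_after_days=90):
    """Return (user, reason) for every ghost account.

    A ghost is an enabled account of a known leaver, or an enabled account
    that nobody has logged on with for stale_after_days (assumed heuristic:
    an unlisted leaver or an orphaned account)."""
    ghosts = []
    for acc in accounts:
        if not acc["enabled"]:
            continue  # already disabled: the leaver process worked here
        if acc["user"] in leavers:
            ghosts.append((acc["user"], "left the organization, account still enabled"))
        elif today - acc["last_logon"] > timedelta(days=stale_after_days):
            ghosts.append((acc["user"], f"no logon for more than {stale_after_days} days"))
    return ghosts


def ghost_ratio(accounts, ghosts):
    """Share of all accounts that are ghosts."""
    return len(ghosts) / len(accounts)


def process_followed(accounts, ghosts, threshold=GHOST_THRESHOLD):
    """True when the ghost share is within the threshold, i.e. the documented
    leaver process appears to be followed in practice."""
    return ghost_ratio(accounts, ghosts) <= threshold


if __name__ == "__main__":
    found = find_ghost_accounts(DIRECTORY_ACCOUNTS, HR_LEAVERS, date(2015, 1, 29))
    for user, reason in found:
        print(f"ghost account: {user} ({reason})")
    print(f"ghost ratio {ghost_ratio(DIRECTORY_ACCOUNTS, found):.0%}, "
          f"process followed: {process_followed(DIRECTORY_ACCOUNTS, found)}")
```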
Another indicator is the extent to which the environment is standardized. An environment in which ICT objects are named according to a strict naming scheme indicates good administration. Servers that are all installed the same way point to a standardized environment.
Proper management of your IT environment with clearly defined processes ensures that it is clear who is allowed to do what, which objects there are and who is entitled to what information. An administratively healthy ICT environment provides insight. This insight is even more important for things like ISO 27001 certification, where you must show who has what authority.
Administrative health says nothing about the technical or functional state of the environment. On the other hand, when the administration is not properly managed, this can have an impact on the technical condition of ICT components. Good administration of an ICT environment is not only the responsibility of the IT department, but of the entire organization.
An ICT infrastructure is implemented to offer the organization a number of digital functions that users need to optimally perform their jobs. These functions are determined based on the needs of the organization. However, this need is not static, but changes according to social and business developments. ICT should move with these changes.
Determining functional health is not as easy as the technical and administrative parts. For example, the cloud and its associated features are ‘hot’, at least if we believe the media, but does that mean you must want it? If a company does not use the cloud, it is not necessarily functionally unhealthy. There may be very good reasons for not going to the cloud.
What is functionally unhealthy? A well-known example is the wish of users to have remote access to the office via a VPN connection. If the technology does not allow this, users will put the data they still need on an unprotected USB stick. This is what we call a functionally unhealthy ICT environment. In this case, the “ill health” is a security risk to the organization.
Functional health is determined by the needs of the organization. You can do this quite extensively by conducting a complete user needs survey in which all users are interviewed, but you can start by talking to a number of core users.
Functional health says nothing about the technical condition of an ICT component or the administration of the IT environment. However, it does say something about the desired availability and security. If high availability is a functional need of an organization, it must be supported by the ICT infrastructure. An organization with very old software and hardware can be functionally healthy, and an organization with the latest products can be functionally unhealthy.
The ICT infrastructure consists mainly of technical components such as servers, routers, firewalls, etc. For the technical health, look at the log files. Are there many warnings or errors, and what kind are they? How are the servers set up: were the supplier guidelines followed or not? How often does a component have issues? Are components set up according to a standard, or is each one different? A standard setup also says something about the administrative health of an IT environment: you can have a standard on paper that is not followed in practice.
Also check the update status. Have the latest updates been installed? The security updates in particular are of great importance. Closely related to this is support and/or end-of-life (EOL). The moment a product is EOL, the vendor will no longer provide updates. This means that newly discovered vulnerabilities and zero-day exploits are no longer covered and the ICT component is at risk.
An ICT component may be functionally healthy, but technically too old.
Scope of the ICT survey
In an ICT survey you can look at many aspects, so it is also important that you draw up a clear scope in advance. The scope is defined by the answers to the following questions:
1) What is your objective? Which question do you want to answer?
2) Which elements are you mapping? Administrative, functional or technical?
3) Which IT components will you look at? Everything, only the Windows servers, or just the network?
The first question is the most important: what do you want to achieve? Some examples as an illustration:
You are taking over the service management from another party. Then you want to know what you will be responsible for. You look into the environment: what interfaces are there, and can or will you take responsibility for them? Here the technical condition is the most important, but you will certainly also look at administrative and functional aspects.
You want to know the general status of your IT environment. Does it still meet the current standards and is everything still working properly? In that case, you will first look at the technical and administrative status.
You want to determine the ICT budget for the next two years. You will then look primarily at the functional status: does it still meet the needs of the organization? Is the technical status good enough for any changes that are needed? On that basis you can then decide where you want to go and prepare a roadmap.
For the first two examples, a risk assessment will help to reflect both the status of the entire ICT environment and that of the individual IT components. You can make a risk assessment as complex or as simple as you want. The idea behind the risk analysis is that you determine the risk of failure for each component.
Before you start, you define the minimum and maximum value you can assign to a risk. The value is then determined by the chance of failure as well as the impact on the organization. Zero risk does not exist; there is always a risk, the so-called residual risk, which you will have to accept. You determine up to which value risks are acceptable and from which value you want to take action. The greater the risk, the more important it is that something is done about it. The following items can be included:
- Is the system single or redundant? A single system is more likely to fail than a fully redundant system.
- How important is the system for the organization? Important systems will have a higher impact on the core processes of an organization.
- The technical and administrative status of the system. The better it is, the smaller the chance that something happens to the system.
- The location of the system: can it be accessed directly from the Internet? This affects the probability of a compromise.
- The knowledge and skills of the administrators. Well-skilled administrators are better able to manage the system.
- Are patches and passwords up to date?
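As an added example (not part of the original article), a simple scoring of the items above. The scales and thresholds are assumptions: each factor is scored 1 (good) to 5 (bad), risk is chance of failure times impact on a 1 to 25 scale, residual risk up to 8 is accepted and 15 or more requires action; the components are constructed for the example.

```python
from dataclasses import dataclass

# Assumed scale: risk = chance_of_failure (1-5) * impact (1-5), so 1..25.
RISK_MIN, RISK_MAX = 1, 25
ACCEPTABLE_UP_TO = 8   # assumed: residual risk the organization accepts
ACTION_FROM = 15       # assumed: take action from this value


@dataclass
class Component:
    name: str
    redundant: bool           # single (False) or fully redundant (True)
    importance: int           # 1 = supporting, 5 = core process
    technical_status: int     # 1 = excellent, 5 = poor or EOL
    administrative_status: int
    internet_exposed: bool    # reachable directly from the Internet
    admin_skill: int          # 1 = well skilled, 5 = no knowledge
    patches_current: bool     # patches and passwords up to date


def chance_of_failure(c: Component) -> int:
    """Average of the status scores, plus one point per aggravating factor."""
    score = (c.technical_status + c.administrative_status + c.admin_skill) / 3
    score += (not c.redundant) + c.internet_exposed + (not c.patches_current)
    return max(1, min(5, round(score)))


def risk(c: Component) -> int:
    """Chance times impact, clamped to the assumed min/max risk value."""
    return max(RISK_MIN, min(RISK_MAX, chance_of_failure(c) * c.importance))


def classify(value: int) -> str:
    if value >= ACTION_FROM:
        return "action required"
    if value <= ACCEPTABLE_UP_TO:
        return "acceptable (residual risk)"
    return "monitor, plan improvement"


def assess(components):
    """Rank components by risk, highest first, with their classification."""
    rows = [(c.name, risk(c), classify(risk(c))) for c in components]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample inventory.
INVENTORY = [
    Component("mail server", False, 5, 4, 3, True, 2, False),
    Component("file cluster", True, 4, 2, 2, False, 2, True),
    Component("intranet web", False, 3, 3, 3, False, 3, True),
]

if __name__ == "__main__":
    for name, value, verdict in assess(INVENTORY):
        print(f"{name:13} risk {value:2d}  {verdict}")
```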
In this article, I have not addressed security as a separate subject. This is logical, since security is always an integral part of the ICT survey. Risks and the security status of a product are closely related. You can choose to carry out an ICT scan for the security risks only. In that case you mainly look at potential risks based on the security profile.
An ICT survey provides insight into your IT infrastructure: what is good and what is less good. You can also use an ICT survey to determine your budget for an upcoming period. Conducting an ICT survey requires that you clearly know what you want to achieve and how you will measure it. This helps to determine the follow-up activities later on.
Martijn Bellaard worked for three years as a lead architect at TriOpSys. In March 2017 he followed his dream and became a lecturer at the Utrecht University of Professional Education. This article was published on 29-01-2015.