IT Audit – Let’s begin with the lack of definition
IT audit is a broad term, and no consistent standards for the service itself have been specified so far. This is clearly visible in the requests for tender addressed to Support Online. On the one hand, we have quite a large (and at the same time interesting) range of vocabulary used by customers:
- IT system audit;
- IT infrastructure audit;
- information technology audit;
- IT environment audit;
- IT security audit, including information security audit;
- as well as: audit of computer hardware, LAN, licence conformity, computer network, etc.
On the other hand, customers voice a very broad spectrum of requirements, which are difficult to describe here. Perhaps IT audit will be categorised in detail in the future, just like in the case of e.g. audit of financial statements.
It is a positive aspect that the majority of IT companies have established their own, very precise definitions of IT audit based on their experience. This state of affairs forces the customers to check the specification of the service itself carefully at an early stage of service provider selection. Let’s see what Support Online has to offer in this regard.
IT AUDIT – HOW? WHERE? WHO SHOULD USE IT?
Support Online carries out IT audits most often in two cases. The first, and at the same time the most frequent, is the establishment of cooperation as part of end-to-end IT support. In this case the IT audit is an opening balance and at the same time sets the direction of changes in the customer’s IT infrastructure for the coming 3–5 years.
This is a critical moment for Support Online, because IT outsourcing is the foundation of our business. Even a small error in the diagnosis of the customer’s needs and/or the selection of IT solutions can result in a failure during further cooperation. Every enterprise for which IT support for business is the primary pillar of revenue has to focus on long-term relationships, because only they guarantee further business development.
The second case involves customers that review the operation of their in-house IT departments. The objective here is to review both operational tasks and long-term concepts of business IT development, which should originate from the IT department. Very often we discuss and propose such ideas as:
- company digitalisation, i.e. implementation of solutions that enable switching to remote work, e.g. terminal services;
- consolidation of the IT system as part of a single ecosystem, e.g. Office 365 (Microsoft 365);
- implementation of tools from the “cloud solutions for business” catalogue: private cloud, cloud replication, or cloud backup;
- preparation and launch of DRC: disaster recovery centre (business continuity plan for IT systems);
- increase in the organisation’s resistance to cyber attacks through, among others, anti-phishing training.
IT AUDIT BY SUPPORT ONLINE – CORE POINTS
In both of the above-mentioned cases the IT audit procedure contains a few core components, which are of great importance from the point of view of the company owner or management board. It is worth using the following list when looking for a prospective IT audit provider and verifying whether each topic was discussed in detail.
1. checking whether a backup copy is created
We begin by checking whether a backup copy is created at all and whether it is possible to recover the operation of the enterprise’s key IT systems within a specified time based on the existing backup.
2. preparing a backup policy
More than 70% of the customers for which we carried out an IT audit did not have any backup copy, or the condition of the copy did not allow data recovery. This is why we establish a backup policy from scratch. Such a document must contain the following information:
- what resources (i.e. physical servers, virtual servers) are covered by the backup copy procedure;
- how backup is created – we always recommend an end-to-end approach, i.e. copying whole servers;
- in what locations and on what devices backup is stored;
- what the backup copy creation schedule is;
- how often test data recovery should be performed.
3. determining the time of business operation restoration in case of a critical failure
This is a key piece of information for every company owner or management board. Unfortunately, in many cases they become interested in this topic only when an IT disaster occurs and the whole organisation simply no longer operates.
The time of business operation restoration in case of a critical failure can be determined based on the implemented backup copy policy. Of course, this will be an approximate time, but it gives a meaningful impression of the capabilities of the IT department.