
Proper IT Governance starts with Proper IT Policies

IT governance and Information Technology policies are not generally a hot topic for SMEs. However, planning business growth and development is impossible without a solid technology platform. Therefore, putting the proper IT policies and practices in place to ensure that your infrastructure (whether run internally or outsourced) aligns with your business mission is essential.

In large enterprises and organizations, matters of IT policy are within the competence of the Chief Information Officer (CIO). Such organizations will have quite large and verbose IT policies, often revised by a lawyer for legal purposes. But an IT policy does not need to be a large volume of legalese to be meaningful and valuable for corporate governance.

This article discusses the key aspects that SMEs need to consider when developing their IT policies, including defining scope and responsibility, IT infrastructure documentation, acceptable use of information technology, information security, IT services and standards, IT systems management and maintenance, IT incidents, and information systems.

Defining Scope and Responsibility

The scope of any IT policy should clearly define what it enforces, who it applies to, who the Policy Owner is, etc. An important aspect to consider is the set of internal and external governing documents (provincial or federal legislation) that directly apply to IT practices in your industry. For example, institutions dealing with private health information fall under the Ontario Personal Health Information Protection Act (PHIPA).

There may also be certifications that influence IT policies and standards and that must be considered. For example, holding an ISO certification (ISO 27001 for information security management) mandates certain IT practices that must be upheld to keep the certification.

Each policy should clearly indicate who is responsible for implementing and upholding it (executive, user, external consultant, etc.).

What are the essential IT policies relevant to SMEs?

IT Infrastructure Documentation

IT documentation is critical for business continuity and for retaining knowledge about IT systems. The IT infrastructure documentation policy should establish a minimal list of documents to be created and maintained. Some examples of IT documents that are critical for any organisation:

  • IP address distribution table spreadsheet;
  • System and Network diagram;
  • Firewall access control list, or similar list of access rules;
  • Active Directory user audit spreadsheet, including security group membership;
  • etc.
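The Active Directory user audit spreadsheet from the list above is the one document that is also a direct security control, because it is where stale and over-privileged accounts show up. The following PowerShell is an added example (not part of the original article, nor BALANCED+ code) of how to generate it. It assumes the RSAT ActiveDirectory module on a domain-joined machine with read access to the domain, and the built-in privileged group names listed in $privilegedGroups; the output path is arbitrary.

```powershell
# Added example: build the "Active Directory user audit" CSV, one row per user, with the
# user's security-group membership resolved through nested groups.
# Assumes the RSAT ActiveDirectory module and a domain-joined account with read access.
Import-Module ActiveDirectory

# Groups whose membership the audit should flag (built-in names; extend for your domain).
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Backup Operators', 'Server Operators')

function Get-UserAuditRow {
    param($User)

    # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the DC expand nested
    # membership server-side, so a user in "Helpdesk" -> "Server Operators" is reported
    # against both groups. (DNs containing ( ) \ or * would need LDAP escaping first.)
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($User.DistinguishedName))" |
        Select-Object -ExpandProperty Name | Sort-Object

    [pscustomobject]@{
        SamAccountName       = $User.SamAccountName
        DisplayName          = $User.DisplayName
        Enabled              = $User.Enabled
        LastLogonDate        = $User.LastLogonDate
        PasswordLastSet      = $User.PasswordLastSet
        PasswordNeverExpires = $User.PasswordNeverExpires
        Privileged           = [bool]($groups | Where-Object { $privilegedGroups -contains $_ })
        Groups               = ($groups -join '; ')
    }
}

$rows = Get-ADUser -Filter * -Properties DisplayName, LastLogonDate, PasswordLastSet, PasswordNeverExpires |
    ForEach-Object { Get-UserAuditRow -User $_ }

# The spreadsheet the policy asks for: privileged accounts sort to the top.
$rows | Sort-Object Privileged -Descending |
    Export-Csv -Path .\AD-User-Audit.csv -NoTypeInformation -Encoding UTF8

# Two findings worth a second look before the document is filed: every privileged account,
# and enabled accounts with no logon in 90 days (stale accounts are a common audit finding).
$rows | Where-Object { $_.Privileged } | Format-Table SamAccountName, Groups -AutoSize
$rows | Where-Object { $_.Enabled -and $_.LastLogonDate -lt (Get-Date).AddDays(-90) } |
    Format-Table SamAccountName, LastLogonDate -AutoSize
```

Run it on a schedule and diff successive CSVs: a new row in a privileged group, or an account whose PasswordNeverExpires flipped to True, is exactly the change the policy owner should be asked to explain.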

Acceptable Use of Information Technology

The Acceptable Use policy determines what users can and cannot do with IT resources. It covers things like who may use IT resources (authorisation), users' responsibilities, and limits on personal use.

Areas that are covered by Acceptable use would be:

  • Telephones
  • Computers
  • Internet, including social media and cloud platforms
  • Email
  • Printers
  • etc.

Information Security

Arguably one of the highest concerns for many enterprises, as everyone tries to protect against data leaks and security breaches because of the high liability costs (as we discussed in our article on Cyber Liability). The policy should define and list the information (data) it covers (confidential company-owned data, private data, databases, hard copies, etc.) and address areas like:

  • Domain Access and Accounts;
  • User and administrator passwords;
  • Remote Domain and Computer Access, including access by Third Parties;
  • Network security: firewall, Remote login and Administration, network segregation, wireless networks, etc. (in larger policies, there may be a separate policy on Network Security in addition to Information Security);
  • Antivirus protection;
  • External Storage Devices;
  • Email and Content filtering;
  • Portable computing and Mobile Devices;

IT Services & Standards

This policy should define what services the IT department provides and what standards should be followed: for example, shared network storage and who may access it, printing, data retention and backup standards, etc.

IT Systems Management and Maintenance

This policy should deal with things like hardware replacement and rotation (how frequently), managing firmware and software updates, monitoring, day-to-day operations, etc.

IT Incidents

This policy should describe how IT incidents are handled at your company, i.e. who is responsible for reporting incidents and to whom, what the resolution times (SLAs) are, what the standard procedures for handling incidents are, etc.

IT incidents should be differentiated by severity. IT Disaster Events should be separately defined and a separate policy for Disaster Recovery should be written.

Information System

The Information System is an aggregation of all IT resources (hardware and software) that support key business processes. For any company with a (moderately) complex value chain, it is important to understand how the information system serves each business process and how well the two align. Information system policies should define the standards for developing and auditing key business processes and the information systems that support them.

To Conclude

Having the proper IT policies and practices in place is essential for SMEs to ensure business continuity, data security, and compliance with relevant regulations. It can also help companies better manage their IT resources and align them with their business mission.

As an IT consulting company, BALANCED+ can help SMEs develop and implement effective IT policies and practices to improve their IT governance and support their business growth. Contact BALANCED+ today to learn more about our IT consulting services and how we can help your organization achieve its goals through effective IT governance.

Have you been Security Breached?

In today’s digital age, security breaches are becoming more common, and it’s often a matter of when, not if, your business will be targeted. With the amount of personal data exchanged in cyberspace, companies are responsible for complying with regulations and protecting customer information. In the event of a breach, like the one experienced by LinkedIn, the business holding the data is held accountable.

What is cyber liability insurance?

Cyber liability insurance cover (CLIC) has been available on the market since about 2006. CLIC policies cover a business's liability for a data breach in which the firm's customers' personal information, such as Social Security or credit card numbers, is exposed or stolen by a hacker or other criminal who has gained access to the firm's electronic network. This insurance lets a business mitigate the risks related to security breaches by transferring the risk (quantified in financial terms), that is, by insuring against it. Such risks stem primarily from the mandatory breach notification requirements in most jurisdictions (Canada, US, EU): if you have been breached, you must notify your clients, and the costs of notification and its consequences (including loss of revenue, lawsuits, etc.) can be very high.

Such costs lead many business owners to consider CLIC alongside the other risk management tools: flood, fire and theft insurance. Cyber insurance cover is enormously beneficial in the event of a large-scale security incident, as it provides a funding mechanism to recover from major losses, helping businesses return to normal operations.

What CLIC covers

Presently, CLIC can include:

  • Data breach/privacy crisis management cover (expenses related to the management of an incident, the investigation, the remediation, data subject notification, call management, credit checking for data subjects, legal costs, court attendance and regulatory fines)
  • Multimedia/Media liability cover (third-party damages, like defacement of website and intellectual property rights infringement)
  • Extortion liability cover (losses due to a threat of extortion, professional fees related to dealing with the extortion)
  • Network security liability (third-party damages as a result of denial of access, costs related to data on third-party suppliers, costs related to the theft of data on third-party systems).

Apart from that, cyber liability cover can include expenses related to mitigating data breach risks, such as security audit costs (BALANCED+ has done such audits for its clients).

Who needs cyber liability insurance?

All businesses hold confidential client information; however, there are different classes of such information. For example, breaches of data such as credit card information, medical information or social insurance numbers carry a higher risk than breaches of names and addresses. In Ontario, for instance, the Personal Health Information Protection Act (PHIPA) puts very stringent requirements on the handling of individuals' health information.

Our Thoughts:

Cyber liability insurance is an essential risk management tool for businesses in today’s digital age. BALANCED+ offers security audit services and can help determine the appropriate coverage needed for your business. Contact us to learn more and protect your business from potential cyber threats.

How To Be Prepared for a Microsoft Software Audit

Ever get an email from Microsoft saying they want to check your software licenses?


If you're a medium-sized business, you might. BALANCED+ has helped enough clients handle Microsoft audits to know that this is a fact of life.

Individuals and small businesses are not typically audited for their use of Microsoft software, but large and medium-sized businesses are checked all the time. After all, that is where most of Microsoft's revenue comes from.

So what do you need to know about a license audit by Microsoft?

First, Microsoft asks you to fill in a Deployment Summary (see an older version of this document here), indicating how many instances of Microsoft products you have installed in your environment. This document covers pretty much all Microsoft products that still remain relevant today: desktop and server operating systems, Office products (all the way back to Office XP), SharePoint, products like SQL Server, developer tools like Visual Studio, and even Dynamics CRM. They specifically ask for the quantity of each version of software currently installed or in use within your company. For server-based products, they also ask about CALs (client access licenses).

Does this include software that is still installed on old computers (no longer in use) but has also been installed on new computers under the same license? That is a gray area, so use your best judgement.

How to be prepared for a Microsoft license audit

It is obviously in your best interests to be prepared for an audit. The best, and priceless, thing it gives you is peace of mind, and it may also save you some money.

The information you need to be prepared for a Microsoft audit is:

  • How many of their products you have installed, and where.
  • All proof of licenses (COA stickers, paper certificates, BIOS keys, etc.) and anything that can act as proof of purchase, preferably in one place (for example, a master license spreadsheet).

How to gather required information?

To do an audit of your environment, you will definitely need PC audit software. There are many good programs available, including freeware. A very simple and powerful tool that Commit100 has used for its clients is Belarc Advisor: it reports the software installed on the machine as well as the hardware, which is useful information that can be a great basis for a full IT system audit. It will also give you the product keys for most of the installed software, but it doesn't give you the full product keys for Office 2013 onwards, only the last 5 characters of the key (Office no longer stores the full key on the machine).

To gather the required information about what software is installed and where, run an audit report on the following:

  • all desktops and laptops (mobile devices may or may not be relevant);
  • all physical servers;
  • all virtual machines/virtual servers (note that some individual users may have local virtual machines);
  • Servers should have information about the number of CALs assigned to them. Audit software will generally not give you this number. Windows Server and SQL Server CALs are paper licenses that are not installed anywhere, so their count has to come from your purchase records; Remote Desktop Services CALs are the exception, as they are installed into an RDS license server and can be read from the Remote Desktop Licensing Manager.
  • Also take note of the number of clients accessing SQL databases and other server-based products (this will tell you how many CALs you actually need).

Centralize this information in a master document summarizing all software and keys (yes, every key should be in that document, for your own sake) for every physical and virtual machine.

The next step is to gather information about all the licenses you actually purchased. This includes COAs (the stickers that go on the physical box), invoices, paper certificates, etc. Get a clear picture of all the licenses you have proof of purchase for; this should go into the same master document.

The licenses installed and the licenses purchased should match; if they do not, the difference gives you an idea of how much software Microsoft will ask you to pay for.
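The steps above (inventory every desktop, server and VM; record partial keys; build the master document; compare installed with purchased) can be scripted end to end. The PowerShell below is an added example, not from the original article and not BALANCED+ or Microsoft code; it assumes PowerShell remoting (WinRM) is enabled and you are an administrator on the targets, the hostnames are hypothetical, and Purchased-Licenses.csv is a file you build yourself from COAs and invoices with columns Product,Quantity,Proof, where Product uses the same DisplayName string the inventory reports.

```powershell
# Added example: gather what the Deployment Summary asks for from a list of Windows machines,
# write the master document as CSV, and compare installed counts with purchased counts.
# Assumes WinRM remoting and local admin rights on the targets; hostnames are hypothetical.
$computers = @('DESKTOP-01', 'SRV-FILE01', 'SRV-SQL01')

$inventory = Invoke-Command -ComputerName $computers -ScriptBlock {
    $os = Get-CimInstance Win32_OperatingSystem
    $cs = Get-CimInstance Win32_ComputerSystem
    # Guests report the hypervisor as manufacturer/model; the summary wants VMs counted too.
    $virtual = ($cs.Model -match 'Virtual') -or ($cs.Manufacturer -match 'VMware|QEMU|Xen|innotek')

    # The Software Licensing service holds the partial key (last 5 characters only) and the
    # activation state (LicenseStatus 1 = licensed) for Windows and Office 2013+.
    $licensed = Get-CimInstance SoftwareLicensingProduct -Filter 'PartialProductKey IS NOT NULL'
    $osLic = $licensed | Where-Object Name -like 'Windows*' | Select-Object -First 1

    # Operating system: one row per machine.
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME; Virtual = $virtual; Source = 'OS'
        Product = $os.Caption; Version = $os.Version
        PartialKey = $osLic.PartialProductKey; LicenseStatus = $osLic.LicenseStatus
    }

    # Other activated products (Office and friends), with their partial keys.
    $licensed | Where-Object Name -notlike 'Windows*' | ForEach-Object {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Virtual = $virtual; Source = 'Activation'
            Product = $_.Name; Version = ''
            PartialKey = $_.PartialProductKey; LicenseStatus = $_.LicenseStatus
        }
    }

    # Installed applications live under both the 64-bit and 32-bit (WOW6432Node) Uninstall keys.
    # Updates, hotfixes and redistributables are not licensable products and are filtered out.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Publisher -like 'Microsoft*' -and $_.DisplayName -and -not $_.SystemComponent -and
            $_.DisplayName -notmatch '^(Update|Security Update|Hotfix) for|Redistributable|Runtime'
        } |
        ForEach-Object {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME; Virtual = $virtual; Source = 'Installed'
                Product = $_.DisplayName; Version = $_.DisplayVersion
                PartialKey = ''; LicenseStatus = ''
            }
        }
}

# Master document: one row per machine and product, partial keys included.
$inventory | Select-Object Computer, Virtual, Source, Product, Version, PartialKey, LicenseStatus |
    Sort-Object Computer, Source, Product |
    Export-Csv -Path .\Master-Inventory.csv -NoTypeInformation -Encoding UTF8

# Installed versus purchased: a positive Unlicensed count is what Microsoft will ask you to pay for.
$purchased = Import-Csv -Path .\Purchased-Licenses.csv
$inventory | Where-Object Source -in @('OS', 'Installed') | Group-Object Product | ForEach-Object {
    $product = $_.Name
    $bought  = ($purchased | Where-Object Product -eq $product | Measure-Object Quantity -Sum).Sum
    [pscustomobject]@{
        Product    = $product
        Installed  = $_.Count
        Purchased  = [int]$bought
        Unlicensed = $_.Count - [int]$bought
    }
} | Sort-Object Unlicensed -Descending | Format-Table -AutoSize
```

Two caveats when reading the result. Product names in the registry vary between editions and service packs, so expect to normalise them before the purchased and installed counts line up. And the script counts installations, not usage: CAL requirements for server products depend on how many users or devices connect, which you still have to establish from the servers themselves, as noted above.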

What then?

After you have completed the deployment summary, send it off to Microsoft. Microsoft typically sets a deadline for this, but it's not a do-or-die deadline; it's something that can be discussed with Microsoft.

A small piece of advice from our experts at BALANCED+: don't underestimate the time you will need to fill out the deployment summary. The more time, the better, if you use it, of course.

What’s the worst that could happen?

Microsoft will ask you to pay for the licenses that are installed or in use but which you did not purchase or have no proof of purchase for. If you are compliant, or compliant for the most part, you should have no problems.

But this is not the end of a Microsoft audit. In future articles, we will discuss what else is involved in the audit after the deployment summary is sent back.

Conclusion

In conclusion, it’s important for medium and large businesses to be prepared for a Microsoft license audit. Being proactive and having all the necessary documentation in place can save you time, money, and unnecessary headaches.

If you need assistance in preparing for a Microsoft audit, don’t hesitate to reach out to BALANCED+ for expert IT consulting services.