The Best IT Audit Checklist for Small Businesses
There are lots of different IT frameworks out there that you can use to audit the security or reliability of your IT. The ones from NIST, ISO, PCI, and HIPAA are the most popular – as popular as an auditing framework can be, anyway.
We find these frameworks to be somewhat overly demanding and/or complicated, at least as something that most small- and medium-sized businesses can implement by themselves.
Here, for example, are screenshots of sections of the NIST and PCI frameworks:
From NIST 800-171
From PCI DSS Version 3.2.1
You don’t exactly need to be a rocket scientist to understand these, but they’re complicated enough that the average person will probably have to do a decent amount of translating from “auditor-ese” and research to find out exactly what these requirements mean and how to satisfy them.
Plus, as with most regulations, there’s a lot of paperwork and documentation involved here, and a lot about formalizing processes and responsibilities between large numbers of people when there’s probably one person (you) handling these things anyway.
Below is the GeekTek IT audit checklist – made just for small- and medium-sized businesses and busy people that are just starting out with the IT audit process, or that don’t really need a formal audit but still want to know if they’re following all the key IT best practices.
If you’re looking to start out with a simpler IT audit checklist, one that gives you a decent, high-level understanding of the status of your IT without requiring too much time or a mountain of paperwork, and that’s good preparation for the more stringent requirements of the more formal IT frameworks – a “training wheels” or quick and dirty version of NIST, in other words – then you’ve come to the right place.
The NIST Cybersecurity Framework is focused, as you might expect, on cybersecurity
Let’s start with security since that’s the primary focus of a lot of IT frameworks.
☐ Antivirus active and updated
Install antivirus software on every workstation and server. Make sure it's actually running and receiving definition updates; an agent that's installed but disabled or out of date is about as useful as a smoke detector with a dead battery. Use an RMM tool like NinjaRMM to manage and monitor your antivirus remotely, and have it alert you when a host has real-time protection switched off or definitions more than a few days old.
☐ Firewall implemented and properly configured
Use a network-level firewall to block all traffic you don't need: start from a default-deny inbound policy and open only the ports and services you've explicitly decided you need. A firewall with intrusion detection and prevention (IDS/IPS) will help you identify and stop attacks as they occur. Block unnecessary protocols and categories of sites like gambling, gaming, and social media. Make sure to allow or "whitelist" useful and informative resources like the GeekTek blog. Don't forget the host firewall on each Windows machine either: it should be enabled for every network profile (domain, private, and public), not just the public one, so a laptop that follows an employee home is still protected.
☐ Keep all your software up to date
Use an RMM tool to keep all of your operating systems and applications updated, or pay an MSP to do it for you. Many updates and patches remove known vulnerabilities in software. Famously, the devastating NotPetya malware from June 2017 spread between machines using the EternalBlue SMB exploit, which Microsoft had patched in MS17-010 about three months earlier. NotPetya also spread using stolen administrator credentials, so patching alone would not have stopped it everywhere, but it would have removed the worm's easiest path into most networks. Total damages across victims like FedEx, Maersk, and Mondelez were estimated at around $10 billion, which is a useful number to compare against the cost of a regular patch cycle.
☐ Encrypt all your drives
Encrypt the drives in all of your devices with full-disk encryption: BitLocker on Windows (which can be enforced remotely using an MDM tool like Microsoft Intune, with the recovery keys escrowed centrally) or FileVault on Macs. This prevents thieves from reading data off devices they've physically stolen. Two caveats: encryption only protects a device that is powered off or locked, so pair it with a screen-lock policy, and make sure you know where the recovery key is before a user locks themselves out or a motherboard gets replaced.
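The four items above (antivirus, firewall, patching, drive encryption) are the ones most often "done" on paper but not in practice, so here is a quick local spot-check. This is an added example, not code from the original article: it assumes a Windows host with Microsoft Defender Antivirus, Windows Defender Firewall and BitLocker, run from an elevated PowerShell session. The 7-day signature age and 30-day patch age limits are assumptions you can tune.

```powershell
# Added example, not from the original article: a local spot-check of the four checklist items
# (antivirus, firewall, patching, drive encryption) on one Windows host.
# Assumes Microsoft Defender Antivirus, Windows Defender Firewall and BitLocker, and an
# elevated PowerShell session. The 7-day signature age and 30-day patch age limits are assumptions.

function Invoke-ChecklistAudit {
    param([int]$MaxSignatureAgeDays = 7, [int]$MaxPatchAgeDays = 30)
    $findings = @()

    # Antivirus active and updated: installed is not the same as running and current
    $mp = Get-MpComputerStatus
    if (-not $mp.AntivirusEnabled)          { $findings += 'AV: Defender antivirus is disabled' }
    if (-not $mp.RealTimeProtectionEnabled) { $findings += 'AV: real-time protection is off' }
    if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += "AV: signatures are $($mp.AntivirusSignatureAge) days old"
    }

    # Firewall implemented and configured: every profile on, inbound blocked unless a rule allows it
    foreach ($fwProfile in Get-NetFirewallProfile) {
        if ($fwProfile.Enabled -ne 'True') {
            $findings += "Firewall: profile $($fwProfile.Name) is not enabled"
        }
        if ($fwProfile.DefaultInboundAction -eq 'Allow') {
            $findings += "Firewall: profile $($fwProfile.Name) allows inbound traffic by default"
        }
    }

    # Software up to date: Get-HotFix is only a rough proxy (your RMM or Windows Update is the
    # authoritative view), but a host with nothing installed for a month deserves a look
    $lastFix = Get-HotFix | Where-Object InstalledOn |
               Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $lastFix) {
        $findings += 'Patching: no update install history found'
    } elseif (((Get-Date) - $lastFix.InstalledOn).TotalDays -gt $MaxPatchAgeDays) {
        $findings += "Patching: last update $($lastFix.HotFixID) was installed $($lastFix.InstalledOn.ToShortDateString())"
    }
    # An installed update that still needs a reboot has not actually closed the hole yet
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') {
        $findings += 'Patching: reboot pending, installed updates are not yet in effect'
    }

    # Encrypt all drives: every volume should be fully encrypted with protection turned on
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.VolumeStatus -ne 'FullyEncrypted' -or $vol.ProtectionStatus -ne 'On') {
            $findings += "Encryption: $($vol.MountPoint) is $($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
        }
    }

    return $findings
}

$results = @(Invoke-ChecklistAudit)
if ($results.Count -eq 0) { 'PASS: all four checklist items look good on this host' } else { $results }
```

Run it on a handful of machines by hand the first time; once you trust it, push it through your RMM so the findings land in one place instead of in each technician's console.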
☐ Employee training
Teach your employees all the IT security basics: be careful clicking on links and attachments in emails; pick strong, unique passwords (a password manager makes this practical); don't reuse passwords across accounts; change a password promptly if you suspect it's been exposed (NIST's current password guidance, SP 800-63B, no longer recommends forcing a change on a fixed schedule like every 90 days); always lock your screen when stepping away from your computer, especially in a public area; stay away from dangerous websites like gambling sites and social media sites when on the company network; and make sure to follow GeekTek on all social media sites to keep up on all the latest IT news and trends. Just kidding about the last one; we know you're already following us on Twitter, LinkedIn, and Facebook.
☐ Physical security
Let's assume you're already doing the common sense things like having locks on your business's doors, locking those locks when you leave at night, installing security cameras, putting expensive equipment like servers and networking hardware in some sort of cage, and keeping non-employees out of sensitive areas. Less obvious measures include ensuring your employees' screens and keyboards aren't readily visible from any public areas, disabling unused Ethernet ports on the switch (or physically unplugging them) so a visitor can't just plug in, and installing an access control system with individualized access cards or fobs so you can see who entered where and revoke access for one person without changing the locks.
Data retention
Some regulations like HIPAA and SOX require you to keep certain types of records for a set period of time. Beyond that, it's often worth keeping data for legal reasons and for long-term analysis and comparison, but "keep everything forever" has a cost: data you no longer need is still data a breach can expose, and privacy rules may require you to delete it. Decide on a retention period for each type of data and write it down. Logs deserve their own line item, because a breach is often discovered months after it started; keep security logs long enough to reconstruct what happened (PCI DSS, for example, asks for a year of audit logs, with the most recent three months readily available).
☐ Backups are being done, validated, and are gapped
Some people only do one of these things, the backup part, and end up getting burned by incomplete or corrupt backups or by ransomware. Set up a process to routinely validate your backups: check that they actually contain all the data they're supposed to, and confirm that they can be successfully restored. A backup you've never restored from is a hypothesis, not a backup.
When performing backups, follow the 3-2-1 rule (at least three copies of your data, on two different types of media, with one copy off-site) and make sure at least one copy is "gapped": offline, immutable, or otherwise not writable from the machines being backed up, so a ransomware attack can't encrypt the backups along with the originals. Versioning helps too, since it lets you roll back to a copy made before the infection, but only if the attacker can't delete the old versions.
What should you back up? Files, records, server configurations/backup images, and logs (records of digital activity and events, including the logs in the Windows Event Viewer and website access logs).
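To make the "done, validated, and gapped" part concrete, here is an added example of validating a file backup instead of trusting it. It is not code from the original article: it assumes a source folder, a backup copy reachable as a path (local or UNC), and a SHA-256 manifest written when the backup was taken. The paths, the sample size and the 26-hour freshness limit are assumptions.

```powershell
# Added example, not from the original article: verify a file backup instead of trusting it.
# Assumes a source folder, a backup copy reachable as a path, and a SHA-256 manifest written
# at backup time. The paths, sample size and 26-hour freshness limit are assumptions.

function New-BackupManifest {
    param([string]$SourceRoot, [string]$ManifestPath)
    $root = $SourceRoot.TrimEnd('\')
    Get-ChildItem -LiteralPath $root -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length + 1)
            Hash         = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation
}

function Test-Backup {
    param([string]$BackupRoot, [string]$ManifestPath, [int]$SampleSize = 20, [int]$MaxAgeHours = 26)
    $problems = @()
    $manifest = @(Import-Csv -LiteralPath $ManifestPath)

    # Is the backup still being taken? A job that silently stopped is the usual "missing backup" surprise
    $newest = Get-ChildItem -LiteralPath $BackupRoot -File -Recurse |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $newest -or ((Get-Date) - $newest.LastWriteTime).TotalHours -gt $MaxAgeHours) {
        $problems += "STALE: nothing in $BackupRoot has been written in the last $MaxAgeHours hours"
    }

    # Is it complete? Every file in the manifest must exist in the copy
    foreach ($entry in $manifest) {
        if (-not (Test-Path -LiteralPath (Join-Path $BackupRoot $entry.RelativePath))) {
            $problems += "MISSING: $($entry.RelativePath)"
        }
    }

    # Is it intact and restorable? Copy a random sample out to a scratch folder and re-hash it there,
    # which is what a real restore does (hashing every file nightly may be too slow for large sets)
    if ($manifest.Count -gt 0) {
        $scratch = Join-Path ([IO.Path]::GetTempPath()) ('restore-test-' + [guid]::NewGuid().ToString('N'))
        New-Item -ItemType Directory -Path $scratch | Out-Null
        $sample = $manifest | Get-Random -Count ([Math]::Min($SampleSize, $manifest.Count))
        foreach ($entry in $sample) {
            $src = Join-Path $BackupRoot $entry.RelativePath
            if (-not (Test-Path -LiteralPath $src)) { continue }   # already reported as MISSING
            $dst = Join-Path $scratch $entry.Hash                   # hash as file name avoids collisions
            Copy-Item -LiteralPath $src -Destination $dst -Force
            $actual = (Get-FileHash -LiteralPath $dst -Algorithm SHA256).Hash
            if ($actual -ne $entry.Hash) { $problems += "CORRUPT: $($entry.RelativePath) hash mismatch after restore" }
        }
        Remove-Item -LiteralPath $scratch -Recurse -Force
    }

    # Is it gapped? If this host can write to the backup location, so can ransomware running as this user.
    # (Run this from a workstation, not from the backup server's own service account.)
    $canary = Join-Path $BackupRoot ('.write-test-' + [guid]::NewGuid().ToString('N'))
    try {
        Set-Content -LiteralPath $canary -Value 'x' -ErrorAction Stop
        Remove-Item -LiteralPath $canary -Force
        $problems += "NOT GAPPED: $BackupRoot is writable from this host; use a pull-based backup, immutable storage, or offline media"
    } catch {
        # write refused: good, the backup is out of reach of malware on this machine
    }

    return $problems
}

# Usage with assumed paths: build the manifest when the backup runs, test it from a workstation
# New-BackupManifest -SourceRoot 'D:\Data' -ManifestPath 'D:\BackupManifests\data.csv'
# Test-Backup -BackupRoot '\\nas\backups\data' -ManifestPath 'D:\BackupManifests\data.csv'
```

Keep the manifest somewhere the backup job can't overwrite, since a manifest that gets corrupted alongside the data proves nothing. For image or VM backups the equivalent of the restore step is actually booting the image on an isolated network, which no script can fake for you.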
Business continuity and disaster recovery
If you're not familiar with them, these are just fancy terms for what you do to keep your IT systems from going down so your business keeps humming as usual (business continuity), and what you do to get them back up and running after something bad happens to them, like a security breach, office fire, break-in, or power outage (disaster recovery).
For every component of your IT, ask yourself: factoring in both the cost of an outage and the cost of the measures needed to prevent it, what's the maximum amount of time I could be without this?
☐ What’s your RTO for key IT assets? Are you certain you can achieve it?
Every business is different, so consider your own Recovery Time Objective (RTO), the maximum amount of time you can allow a certain asset, for example your Internet, PoS system, or CRM, to be down. Your RTO may be half a day, a couple of hours, a week, or less than a minute, depending on your budget, how important the given asset is to your business, the cost of it being unavailable, and other variables. Alongside the RTO, decide on a Recovery Point Objective (RPO): how much data you can afford to lose, which in practice dictates how often that asset has to be backed up or replicated. Now think about the measures you would need to put in place to ensure you met both.
For example, with a CRM, you’d have to think of all the different ways it could fail and how quickly you could fix them. Let’s say you host it locally and one of your servers breaks down. Do you have spare parts or an extra server on hand if the issue is the hardware? Do you have automatic failover set up with other servers in the cluster? How quickly can your internal resources or an external IT services provider/MSP deal with the issue? If your CRM is cloud-based, how quickly will the provider respond to the issue? What measures are they using for business continuity and disaster recovery?
Business continuity and disaster recovery can be as simple as having a few extra PCs on hand in a storage room, or as complex as having a cloud infrastructure with real-time replication and automated failover across the world. It all depends on your business’s requirements.
☐ Are you tracking all of your IT hardware?
Tracking all of your IT hardware is a good idea for multiple reasons: for budgeting, to ensure that spare parts and devices are available as needed, to prevent theft, and, from a security standpoint, because you can't patch or monitor a device you don't know you have. Use a spreadsheet, RMM software, or an inventory management application, and record at least the serial number, model, owner, and purchase or BIOS date for each device.
☐ Is it good enough to keep users happy and productive?
IT frameworks tend not to cover this, perhaps because it’s somewhat subjective and difficult to measure. But having an IT system that’s secure, reliable, and keeps impeccable records isn’t much use if it’s so slow it keeps your users from being productive.
You can use RMM tools to track performance metrics like CPU and RAM usage, bandwidth usage, and storage space. Or you can just ask your users if they’re running into any performance problems, or let them know to tell you if they do. Most people aren’t shy about complaining about things like a slow PC, but just in case you may want to send out an online survey every once a while.
Typically IT hardware is considered old after 3-5 years, so one way to track performance is to track hardware age and then update or replace as needed.
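Hardware tracking, performance metrics, and hardware age can all come out of the same per-host snapshot. The following is an added example, not code from the original article: it assumes a Windows host with CIM/WMI available, and the 5-year age threshold, the 90% memory and disk thresholds, and the shared output path are assumptions.

```powershell
# Added example, not from the original article: a per-host inventory and health snapshot that
# can be appended to a shared CSV to build the hardware inventory, with age and capacity flags
# to answer the "is it good enough?" question. Assumes Windows with CIM available; the 5-year
# age, 90% memory and 90% disk thresholds and the output path are assumptions.

function Get-AssetSnapshot {
    param([int]$MaxAgeYears = 5, [int]$MemWarnPct = 90, [int]$DiskWarnPct = 90)

    $cs   = Get-CimInstance Win32_ComputerSystem
    $bios = Get-CimInstance Win32_BIOS
    $os   = Get-CimInstance Win32_OperatingSystem
    $cpu  = Get-CimInstance Win32_Processor | Select-Object -First 1

    # BIOS release date is a usable proxy for hardware age when purchase records are missing
    $ageYears = if ($bios.ReleaseDate) {
        [math]::Round(((Get-Date) - $bios.ReleaseDate).TotalDays / 365.25, 1)
    } else { $null }

    # Win32_OperatingSystem reports memory in KB; the ratio is what we care about
    $memUsedPct = [math]::Round(100 * (1 - $os.FreePhysicalMemory / $os.TotalVisibleMemorySize))

    $flags = @()
    $disks = foreach ($d in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3') {
        if (-not $d.Size) { continue }
        $usedPct = [math]::Round(100 * (1 - $d.FreeSpace / $d.Size))
        if ($usedPct -ge $DiskWarnPct) { $flags += "$($d.DeviceID) $usedPct% full" }
        "$($d.DeviceID) $usedPct% used"
    }
    if ($ageYears -and $ageYears -gt $MaxAgeYears) { $flags += "hardware is $ageYears years old" }
    if ($memUsedPct -ge $MemWarnPct) { $flags += "memory $memUsedPct% used" }

    [pscustomobject]@{
        Hostname     = $cs.Name
        Manufacturer = $cs.Manufacturer
        Model        = $cs.Model
        SerialNumber = $bios.SerialNumber
        BiosDate     = $bios.ReleaseDate
        AgeYears     = $ageYears
        OS           = $os.Caption
        Build        = $os.BuildNumber
        CPU          = $cpu.Name
        CpuLoadPct   = $cpu.LoadPercentage
        RamGB        = [math]::Round($cs.TotalPhysicalMemory / 1GB)
        MemUsedPct   = $memUsedPct
        Disks        = ($disks -join '; ')
        LastBoot     = $os.LastBootUpTime
        Collected    = Get-Date
        Flags        = ($flags -join '; ')
    }
}

# Usage: run on each host (by hand, through your RMM, or as a login script) and append to one
# CSV on a share; the path is an assumption
Get-AssetSnapshot | Export-Csv -Path '\\server\inventory\assets.csv' -Append -NoTypeInformation
```

A single CPU load reading is a snapshot, not a trend, so treat the Flags column as a prompt to look at the RMM's history for that host rather than as a verdict on its own.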
☐ Are you compliant?
Make sure you have the proper licenses for all the software you use. You can use an RMM tool or network discovery software to help with this process.
Microsoft is the most aggressive software vendor when it comes to ensuring compliance. Oftentimes they’ll send you an email asking you to self-audit and send them a spreadsheet with the results. From what we hear, this is more of an upselling campaign than an actual attempt at an audit. But they may escalate to actually auditing you themselves or suing you for tens of thousands of dollars if you don’t comply.
You can read some horror stories about Microsoft and their partners at the Business Software Alliance here: https://redmondmag.com/articles/2010/09/01/beware-the-bsa.aspx
IT Support and Management
Don’t just look at your processes and infrastructure; evaluate your IT people, too, whether they’re in-house or outsourced or a combination of the two.
☐ Support quality
Is your support team responding quickly enough to support requests? Are they being respectful and polite? Are they always looking to solve root causes and not repeatedly having to fix the same issue over and over?
☐ Monitoring, management, and incident response quality
Are your admins reasonably effective at spotting the issues they should, such as clear break-in attempts and obvious signs of hardware failure or limitations (spiking CPU, a disk filling up, etc.)? Are they able to restore from backups as needed, or do backups turn out to be missing when they're suddenly required? When an outage or security breach does happen, is it resolved in a reasonable amount of time, do they do a root cause analysis, and do they take or propose reasonable measures to prevent it from happening again?
☐ Staffing levels
Are your IT team members having to continually put in excessive overtime just to fulfill their basic duties? Or do some of them seem to have little to do at all?
☐ Proactiveness and responsiveness to change
Does your IT team seem like they’re always on top of things and know all the latest developments in tech? Are they always coming forward with new solutions and initiatives, or do they wait to be asked?
Other IT Audit Checklists / Frameworks
The NIST Cybersecurity Framework broken down further
Ready to move on to more advanced, formalized frameworks? Here are the top ones to consider:
NIST Cybersecurity Framework: voluntary security framework published by NIST, a US federal agency; NIST also publishes the more detailed control catalogs (SP 800-53, SP 800-171) like the one excerpted above
ISO/IEC 27001: the international standard for an information security management system, from ISO and IEC; independent certification is available
PCI DSS: required if you store, process, or transmit payment card data; maintained by the PCI Security Standards Council, founded by Visa, Mastercard, American Express, Discover, and JCB
HIPAA: required if you handle protected health information, either as a covered entity (such as a healthcare provider or insurer) or as a business associate that serves one; the security requirements come from the HIPAA Security Rule
IT Audit Checklist in the Covid Era?
You should also consider how the coronavirus has affected your IT, as well as (as best as you can estimate, with so much still uncertain) how long these changes will last and to what extent.
Covering all the different ways that the coronavirus could change your IT would take at least another blog post altogether, but here are some things to consider:
– If your office is empty most of the time but you still have expensive hardware there, do you need to strengthen your physical security measures?
– If you’ve downsized or paused operations in response to Covid, should you also reduce your IT staff or consider outsourcing to an MSP?
– How do you deal with employees with slow or unreliable Internet connections? Are you willing to pay at least in part for higher-speed home internet for them?
– How has your business continuity and disaster recovery situation changed? Can you still meet your RTOs, or have things like parts shortages and extra travel and shipping distance made this unlikely?
– What are you doing about "shadow IT", meaning users adopting non-company applications, services, and storage drives, usually because the official ones are too slow or too hard to reach from home? This comes down partly to user education (making sure users understand why consistent security and data backups matter) and partly to making the sanctioned tools easy enough to use that nobody needs a workaround.
GeekTek – Your One-Step IT Audit Checklist
Want an audit that takes just one simple step? Just call or email GeekTek today. We can do a comprehensive audit of your IT for security, reliability, data retention, performance, and more, or help you meet frameworks like NIST, ISO, PCI DSS, or HIPAA in one shot. You’ll save yourself a lot of time and frustration in the process.