Because ‘information technology audit’ sounds cooler than ‘MIS audit’ or ‘computer audit.’
By Erik J. Heels
First published 3/1/2006; Law Practice magazine, “nothing.but.net” column; American Bar Association
I know how to measure marketing: by the sales it produces. I know how to measure administration: by how much money the firm makes. I know how to measure client satisfaction: by how many other clients they refer. But I don’t know how to measure technology success. What I looked for on the Internet – and failed to find – was an information technology self audit. Something that I could refer to periodically to see how I’m doing technology-wise. So I created my own. But organizing the audit became problematic. So many computer problems, so little time. How does an anal-retentive hacker organize his information technology audit? Alphabetically, of course.
Asset Management. Keep track of each piece of computer hardware that you own. Include the purchase date and price and the relevant features. Put this information in a spreadsheet or database. This will help you plan to replace old equipment before it needs repairing. For example, I keep PCs on average for about three years, Macs on average for about six.
Backup. Backup your key data, onsite and offsite, in a manner that makes it easy to restore data if and when you need to. For example, I back up each PC’s “Documents and Settings” folder daily with Connected.com (http://www.connected.com/). About onece per month, a file or folder is accidentally deleted, and restoring data with Connected.com is quick and painless. Backups are useless if you can restore easily.
Computers. Keep a spare computer for emergencies. I enjoy installing, testing, and uninstalling software. This works fine on Linux and Mac OS X machines, but on Windows XP machines, the registry will invariably get so messed up that certain programs will no longer run. In the latest instance of this problem, the USPTO’s software that I use ceased working due to registry issues. The only solution was to reinstall Windows, which I opted not to do. The easier solution was to replace that computer (it was just over 3 years old) with two new Dell computers. I keep one as a development machine, the other as a production machine. I log all changes to each computer. If you are sure that you can keep your Windows machine from getting corrupted, then don’t bother keeping a spare one around.
Desktop OS. Do you really need to run FreeBSD, Linux, Mac OS, and Windows? You can simplify your computing life by minimizing the number of operating systems that you have to support. For example, my long term plan is to bring my web and email servers, which are currently running under FreeBSD, in house and replace them with a Linux server. Until then, I put Linux on the shelf. I can get my UNIX-like OS fix from FreeBSD and Mac OS X.
Emergency Planning. If the sprinklers went off in your building and shorted out all of your computers, who would you call? If your web server gets hacked while you are away on vacation, would your office know what to do? We do not outsource any of our IT support, but we do have IT vendors as backups in case of emergency. As our firm continues to grow, it will likely make sense to outsource more functions as well.
Firewalls. You should use a hardware-based firewall, a software-based firewall, or both. I personally find Windows Firewall annoying, so we use a hardware-based firewall.
Gigabytes. How much disk space are you using on your computers? Will you have enough during the three-year life of your computer? Do you know how much disk space you use per year? It is easy to buy to little – or too much – disk space. The good news is that disk space is cheap and is only getting cheaper. Terabyte disks are already on the market and are becoming more common.
Hosting. Is your website up today? How do you know? If your email host goes offline, do you have a contingency plan? It pays to use a service provider with good service and a good track record. I have been using Verio () for about a decade and am always impressed that they notify me in advance of even the smallest routine maintenance issues.
Internet Access. I have a router that provides broadband connectivity via DSL with a dialup backup. So if my broadband connection goes down, I could get my office online via the dialup backup. I have never had to use a backup Internet access provider, and I could certainly use two broadband providers to minimize the risk of an outage. But I have been spoiled by reliable connectivity. (I keep an AOL disk in my backpack just in case.)
Junk Email. How do you handle spam? Do you filter and delete it on your server? Or do you deliver it to your client computers and let them deal with it? Because I do not want any false positives, I filter all email on the server with SpamAssassin (http://spamassassin.apache.org/) and the subject of subjected spam messages are rewritten. On the client side, Eudora (http://www.eudora.com/) can check for both the SpamAssassin-tagged messages and can use its own junk mail rules to filter out spam.
Keys. Who has keys to your office? When were the locks last changed? Have they been changed since you moved in? Physical security is often overlooked, and it can be the weak link in any computer security system. It does you no good to have rock-solid passwords if someone can walk into your office and walk out with a server.
Licenses. You should maintain hard and soft copies of all of your software licenses and receipts. In our technology library, I have one shelf for each computer (and one box or envelope for each piece of software) with all of this information.
Memory. Like disk space, you should buy what you need. It is easy to get carried away with buying too much. It is also easy to try to cut corners and not buy enough. I generally have about six applications running ant any given time. My old machine had 1.5 GB of RAM, but I was rarely using more than a third of that. My new computer has “only” 1.0 GB of RAM, and (you can check my math) I rarely use more than half of that.
New Software Versions. With the exception of anti-virus and anti-spyware utilities (which update and scan daily), I do not automatically update my software. You can waste a lot of time updating from version 1.4 of something to version 1.5. My plan for this year is to update systems quarterly. You can use software such as VersionTracker Pro (http://www.versiontracker.com/) to keep track of updates, but I found VerstionTracker’s user interface to be annoying, intrusive, and non-intuitive.
Old Computers. It is less expensive to replace computers every three years than to deal with maintenance and upgrades. The best way to get rid of old computers is to sell them on eBay or donate them to charity. Be sure to wipe the hard disks clean before you do so. Dell will also let you ship one clunker back to them (for about $25 extra) for each new system you purchase.
Passwords. A good password is one that you can remember, that others can’t guess, and that doesn’t have to be written down. I have been the victim of IT policies that required me to change passwords every so often or required goofy combinations of letters and numbers, sometimes that I wasn’t even allowed to choose. Under such policies, you could always find a co-worker’s password by opening his/her top draw and finding the sticky note with their password on it. Here is one good password-generator that gets it right: http://www.multicians.org/thvv/gpw.html.
QWERTY Keyboards. Are you using a ergonomically evil straight keyboard, or a carpal tunnel syndrome avoiding curved keyboard? (OK, I had a hard time coming up with the “q” item.)
RTFM. Your computing qualify of life will increase dramatically if you read the (ahem) friendly manual. You know, there are people who actually document software for a living. You should read what they have to say.
Spyware. You should run anti-spyware software daily and update the software itself daily. Read the documentation to learn how to run the program from the command-line. Then you can set up a scheduled task (in Windows) or a cron job (OS X, Linux) to automate the task. Better yet, run two programs. For example, I run Ad-Ware SE Professional (http://www.lavasoftusa.com/software/adawareprofessional/) and Spybot (http://www.safer-networking.org/) daily.
Telecommuting. You can use VNC software, which is free and cross-platform, to remotely connect to one computer from another. You can tunnel a VNC connection over SSH to set up a secure way to access work computers from home, which is ideal for telecommuting. For more info, see http://www.erikjheels.com/?p=470.
UPS. If the power goes out in your building, are your computers protected by an uninterruptible power supply? If you use laptops, the battery provides a built-in backup for power failures, but desktops can be vulnerable. I admit that this has been on my “to do” list for a long time. But we have been spoiled with good electric service.
Viruses. Last year I switched from Norton AntiVirus to McAfee (http://www.mcafee.com/us/) after Norton started acting like a virus itself. Every day, on every computer, I scan for viruses and update the anti-virus software. McAfee is not perfect (too many URLs, updates are non-intuitive, requires IE for some features to work), but it will do.
Wireless Networks. If you are using a wireless network at work, make sure the network is not wide-open. Unprotected networks can be used by neighbor or hacked into. Change the password from something other than the default password, turn on WEP encryption, and turn of the service set identifier (SSID) so you are at least no broadcasting the name of your network to the world.
XML. Do you care about your data? Are you storing your data in proprietary data formats? Or are you storing your data in future-friendly XML-based formats such as those used by OpenOffice (http://www.openoffice.org/), a free replacement for MS Office?
Y2K. Are you still using (or worse, buying) software whose vendor touts that it is Y2K-compliant? If so, time to upgrade.
Zombies. Zombies are computers that are infected with malware and are poised to strike at certain times. If you have zombie computers in your office, you’ve got problems that even an A-to-Z technology audit can’t fix.